slide1 l.
Skip this Video
Loading SlideShow in 5 Seconds..
The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nu PowerPoint Presentation
Download Presentation
The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nu

Loading in 2 Seconds...

play fullscreen
1 / 18

The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nu - PowerPoint PPT Presentation

  • Uploaded on

The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nuclear Facilities. Prepared by: Cliff Glantz, Phil Craig, and Guy Landine Pacific Northwest National Laboratory Richland, WA. Overview of cyber security

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nu' - stevie

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nuclear Facilities

Prepared by:

Cliff Glantz, Phil Craig, and Guy Landine

Pacific Northwest National Laboratory

Richland, WA

presentation overview
Overview of cyber security

Review the cyber threat landscape

A brief history of cyber security requirements and guidance for the nuclear power Industry

The new draft Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54

Current/future cyber security guidance

The implication of new requirements for meteorology and emergency preparedness programs

Presentation Overview
overview of cyber security for the nuclear power industry
The licensees will need to have a comprehensive program in place to protect digital and computing assets and processes

This program will need to provide a high level of assurance that intentional or unintentionalevents (i.e., cyber attacks) do not adversely impact nuclear critical assets and processes.

NRC’s focus is on systems and networks associated with:

Safety and Security

Emergency preparedness, including meteorology and offsite communications

Systems and networks which, if compromised, could adversely impact safety, security or emergency preparedness functions.

Licensees also need to be concerned about other systems and networks (e.g., continuity of power)

Overview of Cyber Security for the Nuclear Power Industry
what is a cyber attack
What is a Cyber Attack?

A cyber attack can include a wide variety of computer-based events that could impact:

Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”.

Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a system

Availability: deny access to systems, networks, services, or data.


cyber threat landscape
Cyber Threat Landscape

Potential “Threat Agents”



Organized crime


Espionage & cyber warfare

types of threats
Types of Threats


Targeted threats are directed at a specific control system or facility

Untargeted are focused on any computer with a given operating systems or commonly used software (e.g., Windows XP, Excel)


Direct involves an exploit on the targeted system

Indirect involves exploiting a support system (e.g., power, cooling)


Malicious -- intending to do harm

Inadvertent -- an accidental outcome


Insider can be someone employed at the facility or a vendor

Outsider can have no direct connection to the target, but may still have considerable knowledge

Outsiders can exploit insiders with or without their explicit cooperation

examples of potential cyber attacks
Examples of Potential Cyber Attacks

“Company”-labeled USB memory sticks are left at a nearby shopping center, train station, or ball field. They contain malware that will be installed on a company computer if someone plugs in the “lost” stick to see who it belongs to… (Direct/Malacious/Targeted/Outsider+Insider)

A freeware program is downloaded to a business computer for legitimate purpose. It contains malware. The program is copied to a laptop used to adjust settings on an environmental control system. (Indirect/Malacious/Untargeted/Outsider+Insider)

A worker installs updated software on a non-critical, testing-platform control system and reboots the system. The operational control system is synchronized with the test system and it is shutdown by the reboot process. (Direct/Inadvertent/Targeted/Insider)


let s pause for a second and consider global warming and the nuclear renaissance
Let’s Pause for a Second and Consider Global Warming and the Nuclear Renaissance

Basic lesson for college freshmen: (1) CO2 is a greenhouse gas. (2) The more CO2 you have in the atmosphere, the higher the mean temperature…

CO2 has been going up since the beginning of the industrial age and an astounding 25% just in my lifetime

Concern over global warming has been a boon for the nuclear power industry.

What can kill this renaissance? Safety issues

history of cyber security guidance
History of Cyber Security Guidance

NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in February 2002

NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003

NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants

NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005)

Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.

on the immediate horizon
On the Immediate Horizon…

Awaiting release:

10 CFR 73.54, “Protection of Digital Computer and Communication Systems and Networks.”

Draft Regulatory Guide DG-5022 “Cyber Security Programs for Nuclear Facilities”

key concepts in the draft cyber security rule
Key Concepts in the Draft Cyber Security Rule

Key concepts of the new Cyber Security Rule:

The licensee shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks.

This ranges from simple attacks to those defined in the design basis threat (see Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Section 73.1.)

key concepts in the rule cont
Key Concepts in the Rule (cont)…

Covers safety, security, and emergency preparedness systems (including other systems that can impact their performance)

Assets shall be protected from attacks that could adversely impact the CIA and operation of systems, networks, and associated equipment.

This shall include employing state-of-the-art defense-in-depth protective strategies to detect, protect, respond to, and mitigate cyber attacks.

key concepts in the rule cont13
Key Concepts in the Rule (cont)…

Implement appropriate security controls to protect assets. This includes management, operational and technical security controls



Security Controls

Management Operational Technical

with families of security controls within each class

Policies, Procedures, Practices, & Technologies

key concepts in the rule cont14
Key Concepts in the Rule (cont)…

Two prong approach to defense-in-depth:

Use multiple-layered security controls

have appropriate detection, mitigation, response, and recovery capabilities in place if your security controls fail. In other words, if an attack penetrates your defenses, be prepared to prevent adverse impacts from the attack

Ensure the functionality of critical systems is maintained!

Systematically evaluate cyber security risks for all critical systems.

Consider cyber security implications before making any system modifications.

key concepts in the rule cont15
Key Concepts in the Rule (cont)…

Provide appropriate, position-specific cyber security training.

Licensees shall submit a formal cyber security plan to the NRC

Licensees shall implement a formal cyber security program that is part of their physical security program

guidance current and future
Guidance: Current and Future

Currently, cyber security guidance is provided to the industry by NEI 04-04. Gives a “30,000 ft” level look at cyber security (i.e., it provides a framework but doesn’t provide details on how to achieve objectives).

The NRC is preparing Draft Regulatory Guide DG-5022 “Cyber Security Programs for Nuclear Facilities”.

DG-5022 fully addresses the new Rule and provides a lot more guidance (e.g., a “3,000 ft” perspective) that should help technical folks understand what they need to do for their systems.

I can’t talk about details of the draft Reg Guide in this forum, but the draft guidance has been released for industry review.

More Reg Guides and NUREGs will be coming…

guidance for meteorology and other emergency preparedness systems
Guidance for Meteorology and other Emergency Preparedness Systems

Be aware of the cyber security threat environment

Assess the cyber security of your systems and networks

Assess the cyber security of your communication pathways

Look for and eliminate cyber vulnerabilities

Be pro-active in defending your systems

Think about the cyber security risks associated with potential productivity enhancements

Don’t be afraid to ask for help from your plant or corporate cyber security specialists

Discuss security needs with your management


Cliff Glantz

Chair of DOE Subcommittee on Consequence Assessment and Protective Actions (SCAPA)

Pacific Northwest National Laboratory

PO Box 999

Richland, WA 99352