The Nuclear Regulatory Commission’s Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nuclear Facilities. Prepared by: Cliff Glantz, Phil Craig, and Guy Landine Pacific Northwest National Laboratory Richland, WA. Overview of cyber security
Cliff Glantz, Phil Craig, and Guy Landine
Pacific Northwest National Laboratory
Presentation Overview
Review the cyber threat landscape
A brief history of cyber security requirements and guidance for the nuclear power industry
The new draft Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54
Current/future cyber security guidance
The implications of new requirements for meteorology and emergency preparedness programs
Overview of Cyber Security for the Nuclear Power Industry
This program will need to provide a high level of assurance that intentional or unintentional events (i.e., cyber attacks) do not adversely impact nuclear critical assets and processes.
NRC’s focus is on systems and networks associated with:
Safety and Security
Emergency preparedness, including meteorology and offsite communications
Systems and networks which, if compromised, could adversely impact safety, security or emergency preparedness functions.
Licensees also need to be concerned about other systems and networks (e.g., continuity of power)
A cyber attack can include a wide variety of computer-based events that could impact:
Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”.
Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized takeover of a system.
Availability: deny access to systems, networks, services, or data.
Potential “Threat Agents”
Espionage & cyber warfare
Targeted threats are directed at a specific control system or facility
Untargeted threats are focused on any computer with a given operating system or commonly used software (e.g., Windows XP, Excel)
Direct involves an exploit on the targeted system
Indirect involves exploiting a support system (e.g., power, cooling)
Malicious -- intending to do harm
Inadvertent -- an accidental outcome
Insider can be someone employed at the facility or a vendor
Outsider can have no direct connection to the target, but may still have considerable knowledge
Outsiders can exploit insiders with or without their explicit cooperation
“Company”-labeled USB memory sticks are left at a nearby shopping center, train station, or ball field. They contain malware that will be installed on a company computer if someone plugs in the “lost” stick to see who it belongs to… (Direct/Malicious/Targeted/Outsider+Insider)
A freeware program is downloaded to a business computer for a legitimate purpose. It contains malware. The program is copied to a laptop used to adjust settings on an environmental control system. (Indirect/Malicious/Untargeted/Outsider+Insider)
A worker installs updated software on a non-critical, testing-platform control system and reboots the system. The operational control system is synchronized with the test system, and it is shut down by the reboot process. (Direct/Inadvertent/Targeted/Insider)
Basic lesson for college freshmen: (1) CO2 is a greenhouse gas. (2) The more CO2 you have in the atmosphere, the higher the mean temperature…
CO2 has been going up since the beginning of the industrial age and an astounding 25% just in my lifetime.
Concern over global warming has been a boon for the nuclear power industry.
What can kill this renaissance? Safety issues
NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in February 2002
NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003
NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants
NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005)
Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.
Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.
10 CFR 73.54, “Protection of Digital Computer and Communication Systems and Networks.”
Draft Regulatory Guide DG-5022 “Cyber Security Programs for Nuclear Facilities”
Key concepts of the new Cyber Security Rule:
The licensee shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks.
This ranges from simple attacks to those defined in the design basis threat (see Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Section 73.1.)
Covers safety, security, and emergency preparedness systems (including other systems that can impact their performance)
Assets shall be protected from attacks that could adversely impact the confidentiality, integrity, and availability (CIA) and the operation of systems, networks, and associated equipment.
This shall include employing state-of-the-art defense-in-depth protective strategies to detect, protect, respond to, and mitigate cyber attacks.
Implement appropriate security controls to protect assets. This includes management, operational, and technical security controls.
Security control classes: Management, Operational, Technical, with families of security controls within each class
Policies, Procedures, Practices, & Technologies
Two-pronged approach to defense-in-depth:
Use multiple-layered security controls
Have appropriate detection, mitigation, response, and recovery capabilities in place if your security controls fail. In other words, if an attack penetrates your defenses, be prepared to prevent adverse impacts from the attack.
Ensure the functionality of critical systems is maintained!
Systematically evaluate cyber security risks for all critical systems.
Consider cyber security implications before making any system modifications.
Provide appropriate, position-specific cyber security training.
Licensees shall submit a formal cyber security plan to the NRC
Licensees shall implement a formal cyber security program that is part of their physical security program
Currently, cyber security guidance is provided to the industry by NEI 04-04. It gives a “30,000 ft” level look at cyber security (i.e., it provides a framework but doesn’t provide details on how to achieve objectives).
The NRC is preparing Draft Regulatory Guide DG-5022 “Cyber Security Programs for Nuclear Facilities”.
DG-5022 fully addresses the new Rule and provides a lot more guidance (e.g., a “3,000 ft” perspective) that should help technical folks understand what they need to do for their systems.
I can’t talk about details of the draft Reg Guide in this forum, but the draft guidance has been released for industry review.
More Reg Guides and NUREGs will be coming…
Be aware of the cyber security threat environment
Assess the cyber security of your systems and networks
Assess the cyber security of your communication pathways
Look for and eliminate cyber vulnerabilities
Be pro-active in defending your systems
Think about the cyber security risks associated with potential productivity enhancements
Don’t be afraid to ask for help from your plant or corporate cyber security specialists
Discuss security needs with your management
Chair of DOE Subcommittee on Consequence Assessment and Protective Actions (SCAPA)
Pacific Northwest National Laboratory
PO Box 999
Richland, WA 99352