An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness.


An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness Programs
Prepared by: Cliff Glantz, Phil Craig, and Guy Landine
Pacific Northwest National Laboratory, Richland, WA

Key Presentation Themes
- Cyber security is a real concern
- The cyber threat landscape
- The new Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54
- The new cyber security regulatory guide -- RG-5.71

The Concern…
- Cyber security is an issue of grave national importance.
- The NRC is concerned that a cyber attack can impact safety, security, and emergency response functions.
- NERC is concerned that a cyber attack can impact the ability of the electric grid “to keep the lights on”.

Cyber Threat Landscape
Potential “Threat Agents”:
- Hackers/crackers
- Insiders
- Organized crime
- Terrorists
- Espionage
- Cyber warfare

What is a Cyber Attack? (CIA)
A cyber attack can include a wide variety of computer-based events that could impact:
- Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”.
- Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a system.
- Availability: deny access to systems, networks, services, or data.

Types of Threats
- Targeted/Untargeted
  - Targeted threats are directed at a specific control system or facility
  - Untargeted threats are focused on any computer with a given operating system or commonly used software (e.g., Windows XP, Excel)
- Malicious/Inadvertent
  - Malicious -- intending to do harm
  - Inadvertent -- an accidental outcome
- Insider/Outsider
  - Insider can be someone employed at the facility or a vendor
  - Outsider can have no direct connection to the target, but may still have considerable knowledge
  - Outsiders can exploit insiders with or without their explicit cooperation
- Direct/Indirect
  - Direct involves an exploit on the targeted system
  - Indirect involves exploiting a support system (e.g., power, cooling)

Examples of Potential Cyber Attacks
- A USB memory stick labeled as plant property is “dropped” in a parking lot at a local shopping center. It contains malware that would be installed on a company computer if some good Samaritan plugs the “lost” stick into a work computer to see who it belongs to.
- An internet connection (wired or wireless) or modem used to access meteorological data systems is hacked and the intruder gains system administrator control.
- A freeware meteorological program is downloaded to a business computer for a legitimate purpose. It contains malware. The program is downloaded to a laptop used to adjust settings on meteorological and other monitoring instruments and impacts system performance.

History of Cyber Security Guidance
2002 NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in 2003 NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003 NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants
2005 NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005)
2006 Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.
2007 Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.

10 CFR 73.54 - Scope
Protection of Digital Computer and Communication Systems and Networks (2009)
Each licensee… shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat…
The licensee shall protect digital computer and communication systems/networks associated with:
- Safety-related and important-to-safety functions;
- Security functions;
- Emergency preparedness (EP) functions, including offsite communications; and
- Support systems and equipment which, if compromised, would adversely impact safety, security, or EP (SSEP) functions.

10 CFR 73.54 – Protect Systems
The licensee shall protect SSEP systems and networks from cyber attacks that would:
- Adversely impact the integrity or confidentiality of data and/or software
- Deny access to systems, services, and/or data
- Adversely impact the operation of systems, networks, and associated equipment.

10 CFR 73.54 – First Steps
The licensee shall:
- Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks. These are called critical digital assets.
- Establish, implement, and maintain a cyber security program for the protection of the critical digital assets
- Incorporate the cyber security program as a component of the physical protection program.

10 CFR 73.54 – Program Design
The cyber security program must be designed to:
- Implement security controls to protect the critical digital assets from cyber attacks
- Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks
- Mitigate the adverse effects of cyber attacks
- Ensure the functions of critical digital assets are not adversely impacted due to cyber attacks.

10 CFR 73.54 – More Program Requirements
The licensee shall:
- Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities.
- Evaluate and manage cyber risks.
- Ensure that modifications to critical digital assets are evaluated before implementation to ensure that the cyber security performance objectives are maintained.

10 CFR 73.54 – Cyber Security Plan
Establish, implement, and maintain an effective cyber security plan that:
- describes how the cyber security program will implement the Rule
- describes how the licensee will account for site-specific conditions that affect implementation
- includes measures for incident response and recovery during and after a cyber attack.
The plan must describe how the licensee will:
- maintain the capability for timely detection and response to cyber attacks
- mitigate the consequences of cyber attacks
- correct exploited vulnerabilities
- restore systems, networks, and/or equipment affected by cyber attacks.

10 CFR 73.54 – Policies, Records, Etc.
The licensee shall:
- develop and maintain written policies and implementing procedures to implement the cyber security plan.
- make policies, implementing procedures, site-specific analysis, and other supporting technical information available upon request for NRC inspection
- review the cyber security program as a component of the physical security program
- retain all records and supporting technical documentation required to satisfy the requirements

RG-5.71 Cyber Security Programs for Nuclear Facilities
Evolution of the Reg Guide
- 2007 - work on DG-5022 begins in the fall
- 2008 - DG-5022 provided to industry in May
  - 1st stakeholder meeting conducted in July
  - Revised DG-5022 provided to industry in November
  - 2nd stakeholder meeting in December
- 2009 - RG-5.71 presented to the ACRS in February
  - Revised RG-5.71 provided to industry in June
  - 3rd stakeholder meeting conducted in July
- Coming Soon
  - Revised RG-5.71 to be presented to the ACRS in Nov. 2009
  - Final RG-5.71 to be released sometime after the ACRS gives its approval.

RG-5.71 Contents
Current size – about 120 pages
Content:
- A. Introduction
- B. Discussion
- C. Regulatory Position
- D. Implementation
- Glossary
- Bibliography
- References
- Appendix A Generic Cyber Security Plan Template
- Appendix B Technical Security Controls
- Appendix C Operational and Management Security Controls
- Appendix D Reporting of Attacks and Incidents

RG-5.71 Focus
Provide cyber security throughout the system lifecycle:
- Concept Phase
- Requirements Phase
- Design Phase
- Implementation Phase
- Test Phase
- Installation, Checkout and Acceptance Testing Phase
- Operations Phase
- Maintenance Phase
- Retirement Phase

RG-5.71 – Cyber Security Team
- Form a Cyber Security Team
  - Senior Plant Manager will be designated as the “Cyber Security Program Sponsor”
  - Cyber Security Program Manager will oversee the Cyber Security Program
  - Cyber Security Specialists
  - Cyber Security Incident Response Team that will include representatives from physical security, operations, engineering, IT and other organizations
  - Other plant staff will also have cyber security roles
- Provide staff training

RG-5.71 – Identify Critical Digital Assets
- Identify critical digital systems and networks (critical systems) that provide a safety, security, or emergency preparedness function
- Identify the critical digital assets that are part of, or are connected to, critical systems

RG-5.71 – Cyber Security Assessment
- Perform a cyber security assessment. This is a follow-up to the NEI 04-04 assessment
- Assessment consists of:
  - Tabletop review
  - Physical inspection
  - Electronic verification
- Conduct the assessment on all critical digital assets; it extends out through all connection pathways (i.e., a “pull the wire” assessment).

RG-5.71 – Defensive Architecture
Part of Defense in Depth Protective Strategy
- Level 4: Vital Area
- Level 3: Protected Area
- Level 2: Owner-Controlled Area
- Level 1: Corporate Accessible Area
- Level 0: Public Accessible Area
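
The three slides above (identify critical digital assets, the “pull the wire” assessment, the defensive levels) can be combined into one inventory check. The following is an added example, not part of the presentation or of RG-5.71: the asset names, links and the choice to list lower-level and undocumented endpoints as items to review are assumptions made for illustration.

```python
from collections import deque

LEVELS = {4: "Vital Area", 3: "Protected Area", 2: "Owner-Controlled Area",
          1: "Corporate Accessible Area", 0: "Public Accessible Area"}

# Constructed sample inventory: asset -> (defensive level, SSEP function or None).
ASSETS = {
    "met-tower-datalogger": (3, "EP"),
    "met-display-server": (2, None),
    "corporate-file-server": (1, None),
    "plant-process-computer": (4, "safety"),
    "cafeteria-kiosk": (1, None),
}
# Constructed connection pathways; "dial-up-modem" is deliberately not in ASSETS.
LINKS = [
    ("met-tower-datalogger", "met-display-server"),
    ("met-display-server", "corporate-file-server"),
    ("met-tower-datalogger", "dial-up-modem"),
]

def critical_systems(assets):
    return sorted(name for name, (_lvl, function) in assets.items() if function)

def pull_the_wire(start, links):
    """Follow every connection pathway from one asset; return {asset: path}."""
    adjacent = {}
    for a, b in links:
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adjacent.get(node, ())):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def assessment_scope(assets, links):
    """Critical systems plus every asset reachable from them."""
    return set().union(*(pull_the_wire(n, links) for n in critical_systems(assets)))

def review_items(assets, links):
    """Pathways from a critical system to a lower level or an undocumented device."""
    items = []
    for name in critical_systems(assets):
        for reached, path in sorted(pull_the_wire(name, links).items()):
            level = assets.get(reached, (None, None))[0]
            if level is None:
                items.append((name, reached, "not in inventory", path))
            elif level < assets[name][0]:
                items.append((name, reached, LEVELS[level], path))
    return items
```

Each item returned by `review_items` carries the full path, so the tabletop result can be checked hop by hop during physical inspection.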

RG-5.71 – Security Controls
Implement a comprehensive set of security controls based on the guidance provided in NIST SP 800-53 “Recommended Security Controls for Federal Information Systems”

RG-5.71 – Security Controls (cont)
- A commitment by the licensee to implement a cyber security program with rigorous security controls will be specified in the Cyber Security Plan required by 10 CFR 73.54.
- Details on the security controls are provided in Appendices A, B, and C of RG-5.71
- A twist -- licensees are preparing their cyber security plans by following NEI 08-09 and not Appendix A of RG-5.71
- A counter twist -- the NRC must approve the licensees’ cyber security plans.

RG-5.71 – Additional Guidance
RG-5.71 also provides guidance on:
- Continuous Monitoring and Assessment
- Configuration Management
- Security Impact Analysis of Changes and Environment
- Effectiveness Analysis
- Ongoing Assessment of Security Controls
- Vulnerability Scans/Assessments
- Change Control
- Security Program Review

Summary Guidance for Meteorology and other EP Program Managers
- Be aware of the cyber security threat environment
- Assess the cyber security of your systems and networks
- Assess the cyber security of your communication pathways
- Look for and eliminate cyber vulnerabilities
- Be pro-active in defending your systems
- Don’t be afraid to ask for help from your plant or corporate cyber security specialists
- Discuss cyber security needs with your management

On the Horizon…
- Cyber Security NUREG/CRs
- Industry Cyber Security Workshops
- Revised Guidance
- NRC cyber security inspections
- From NERC/FERC:
  - revised Critical Infrastructure Protection Standards (CIPS)
  - NERC audits

Questions?
Cliff Glantz
Pacific Northwest National Laboratory
PO Box 999, Richland, WA 99352
509-375-2166
cliff.glantz@pnl.gov