Cyber Security Plan Implementation
Presentation to CMBG
Glen Frix, Duke Energy
June 20, 2010

Cyber Security Overview
◦ NRC
◦ NERC

Overview
NRC 10 CFR and NERC CIP
Both large projects with significant assessment and documentation required.
In some cases, modifications may be required to bring digital components into compliance.
Scope:
◦ NRC: Safety, Important to Safety, Security, EP
◦ NERC: Bulk Electric System (Balance of Plant)

NRC

NRC
◦ All 104 US licensed nuclear units submitted CS Plan to NRC for their approval November,
◦ All used NEI as guidance.
◦ Nuclear Energy Institute & industry team responded to ~71 Requests for Additional Information questions from NRC staff.
◦ Updated NEI as a result.
◦ Rev. 6 has been approved by NRC Staff by letter in early May.
◦ Licensees will need to re-submit LAR based on NEI Rev. 6 in ~July/August

NRC Technical Challenges
◦ ~140 cyber security controls w/ multiple bullets
◦ Numerous “Critical Digital Assets (CDAs)” per site.
◦ Each control has to be “addressed:”
  ▪ Implement the control
  ▪ Implement an alternate control, with justification
  ▪ Justify why control is not needed.
◦ Controls based on National Institute of Standards & Technology (NIST) SP & 82.
  ▪ Not written in “nuclear speak.”
  ▪ Thus, training is required.

NRC Schedule
◦ 10 CFR did not specify a schedule.
◦ Sites submitted “draft” implementation schedule with original submittal in November
  ▪ ~60% of industry submitted 36/48/60 months after approval by NRC Staff.
◦ NRC now wants new schedule with supplement
  ▪ Milestones as “commitments”
  ▪ Final END DATE as condition of the License

NRC Project Overview
◦ Cyber security assessment
  ▪ Cyber Security Assessment Team (CSAT) – (similar to MR Expert Panel)
  ▪ ~35 CDAs per site (average) x ~140 controls x ~5 bullets per control
  ▪ Walkdown/validation
  ▪ Cross site fleet QV&V & industry benchmarks
◦ Training
  ▪ CSAT
  ▪ Ongoing
◦ Procedures/Directives
  ▪ NSD 803, NSD 804, NSD 807, EDM 801
  ▪ Implementing procedures
◦ Records
  ▪ Documentation of assessment
  ▪ Documentation of controls
  ▪ Assessment team records
◦ Etc.

NRC Ongoing Program
◦ Periodic assessment
◦ Weekly/monthly/quarterly/yearly surveillances
◦ Independent oversight
◦ Linkage to physical security plan
◦ Will require permanent, dedicated resources
  ▪ Estimated ~2+ per site, dedicated, cyber security specialists
  ▪ System engineers & IAE resources impacted on a case-by-case basis.
  ▪ OPS, EP, Security resources impacted ongoing by CSAT

NRC Configuration Management
◦ 4.4 ONGOING MONITORING AND ASSESSMENT
  ▪ …The ongoing monitoring program includes:
  ▪ Configuration management of CDAs;
  ▪ Numerous assessment & verification activities

NRC Configuration Management
◦ Configuration Management and Change Control
  ▪ CDA cyber security and configuration management documentation is updated or created using the site configuration management program or other configuration management procedure or process.
  ▪ This documentation includes the bases for not implementing one or more of the technical cyber security controls specified in Appendix D of NEI , Revision 6.

NRC Configuration Management
◦ Appendix E, Section 10 Configuration Management
  ▪ 10.2 Configuration Management Policy and Procedures
  ▪ 10.3 Baseline Configuration – document configuration of various cyber security related settings.
  ▪ 10.4 Security Change Control – authorize & document changes.
  ▪ 10.5 Security Impact Analysis prior to making changes
  ▪ 10.6 Access restrictions – physical and electronic access
  ▪ 10.7 Configuration Settings
  ▪ 10.8 Least functionality – eliminate unnecessary ports, services, etc.
  ▪ 10.9 Component Inventory

NERC

NERC
FERC Order 706-B clarified the exemption for “facilities” regulated by the NRC.
“Facilities” to Nuclear meant “Oconee Nuclear Station.”
“Facilities” to FERC meant the Reactor Protection System at Oconee Nuclear Station.
FERC “hired” NERC to implement the cyber security rules, thus the NERC CIP cyber security standards.
Great desire by industry to only have one regulator per system.
◦ “bright line” divides NERC scope from NRC scope
◦ NERC “survey” of systems due to NERC by

NERC
Presently, per NERC CIP 002, many nuclear stations are not in scope.
◦ Not “critical assets” to the Bulk Electric System.
◦ Few nuclear stations are critical.
◦ Nor are the large Duke SE fossil stations.
Revision 4 of NERC CIPs likely to be approved in December
If the current draft is approved, many generation sites are likely to be in scope.
Revision 4 of the standards is out for comment right now.
Implementing NRC and NERC concurrently will be significantly difficult.

“My job is to tell you things you don’t want to hear, asking you to spend money you don’t have, to prepare for something you don’t believe will ever happen.” (Mike Selves, Director of Emergency Management and Homeland Security, Johnson County, Kansas)

COMMENTS/QUESTIONS?