Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness.

Similar presentations


Presentation on theme: "An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness."— Presentation transcript:

1 An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness Programs Prepared by: Cliff Glantz, Phil Craig, and Guy Landine Pacific Northwest National Laboratory Richland, WA

2 Key Presentation Themes
Cyber security is a real concern The cyber threat landscape The new Nuclear Regulatory Commission (NRC) Cyber Security Rule CFR 73.54 The new cyber security regulatory guide -- RG-5.71

3 The Concern… Cyber security is an issue of grave national importance.
The NRC is concerned that a cyber attack can impact safety, security, and emergency response functions NERC is concerned that a cyber attack can impact the ability of the electric grid “to keep the lights on”. 3

4 Cyber Threat Landscape
Potential “Threat Agents” Hackers/crackers Insiders Organized crime Terrorists Espionage Cyber warfare

5 CIA What is a Cyber Attack?
A cyber attack can include a wide variety of computer-based events that could impact: Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”. Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a system Availability: deny access to systems, networks, services, or data. CIA

6 Types of Threats Targeted/Untargeted Malicious/Inadvertent
Targeted threats are directed at a specific control system or facility Untargeted are focused on any computer with a given operating systems or commonly used software (e.g., Windows XP, Excel) Malicious/Inadvertent Malicious -- intending to do harm Inadvertent -- an accidental outcome Insider/Outsider Insider can be someone employed at the facility or a vendor Outsider can have no direct connection to the target, but may still have considerable knowledge Outsiders can exploit insiders with or without their explicit cooperation Direct/Indirect Direct involves an exploit on the targeted system Indirect involves exploiting a support system (e.g., power, cooling)

7 Examples of Potential Cyber Attacks
A USB memory stick labeled as plant property is “dropped” in a parking lot at a local shopping center. It contains malware that would be installed on a company computer if someone good Samaritan plugs in the “lost” stick on a work computer to see who it belongs to. An internet connection (wired or wireless) or modem used to access meteorological data systems is hacked and the intruder gains system administrator control. A freeware meteorological program is downloaded to a business computer for legitimate purpose. It contains malware. The program is downloaded to a laptop used to adjust settings on meteorological and other monitoring instruments and impacts system performance. Plant Property

8 History of Cyber Security Guidance
2002 NRC Order EA , Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in 2003 NRC Order EA , Design Basis Threat for Radiological Sabotage, was released in April 2003 NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants 2005 NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005) 2006 Regulatory Guide (RG) Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants. 2007 Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.

9 10 CFR Scope Protection of Digital Computer and Communication Systems and Networks (2009) Each licensee… shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat… The licensee shall protect digital computer and communication systems/networks associated with: Safety-related and important-to safety functions; Security functions; Emergency preparedness (EP) functions, including offsite communications; and Support systems and equipment which, if compromised, would adversely impact safety, security, or EP (SSEP) functions. 9

10 10 CFR – Protect Systems The licensee shall protect SSEP systems and networks from cyber attacks that would: Adversely impact the integrity or confidentiality of data and/or software Deny access to systems, services, and/or data Adversely impact the operation of systems, networks, and associated equipment. 10

11 10 CFR 73.54 – First Steps The licensee shall:
Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks. These are called critical digital assets. Establish, implement, and maintain a cyber security program for the protection of the critical digital assets Incorporate the cyber security program as a component of the physical protection program. 11

12 10 CFR – Program Design The cyber security program must be designed to: Implement security controls to protect the critical digital assets from cyber attacks Apply and maintain defense-in depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks Mitigate the adverse affects of cyber attacks Ensure the functions of critical digital assets are not adversely impacted due to cyber attacks. 12

13 10 CFR 73.54 – More Program Requirements
The licensee shall: Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities. Evaluate and manage cyber risks. Ensure that modifications to critical digital assets are evaluated before implementation to ensure that the cyber security performance objectives are maintained. 13

14 10 CFR 73.54 – Cyber Security Plan
Establish, implement, and maintain an effective cyber security plan that: describes how the cyber security program will implement the Rule Describes how the licensee will account for site-specific conditions that affect implementation includes measures for incident response and recovery during and after a cyber attack. The plan must describe how the licensee will: maintain the capability for timely detection and response to cyber attacks mitigate the consequences of cyber attacks correct exploited vulnerabilities restore affected systems, networks, and/or equipment affected by cyber attacks. 14

15 10 CFR 73.54 – Policies, Records, Etc.
The licensee shall: develop and maintain written policies and implementing procedures to implement the cyber security plan. make policies, implementing procedures, site-specific analysis, and other supporting technical information available upon request for NRC inspection review the cyber security program as a component of the physical security program retain all records and supporting technical documentation required to satisfy the requirements 15

16 RG-5.71 Cyber Security Programs for Nuclear Facilities
Evolution of the Reg Guide work on DG-5022 begins in the fall DG-5022 provided to industry in May 1st stakeholder meeting conducted in July Revised DG-5022 provided to industry in November 2nd stakeholder meeting in December RG-5.71 presented to the ACRS in February Revised RG-5.71 provided to industry in June 3rd stakeholder meeting conducted in July Coming Soon Revised RG-5.71 to be presented to the ACRS in Nov. 2009 Final RG-5.71 to be released sometime after the ACRS gives its approval. 16

17 RG-5.71 Contents Current size – about 120 pages Content:
A. Introduction B. Discussion C. Regulatory Position D. Implementation Glossary Bibliography References Appendix A Generic Cyber Security Plan Template Appendix B Technical Security Controls Appendix C Operational and Management Security Controls Appendix D Reporting of Attacks and Incidents 17

18 RG-5.71 Focus Provide cyber security throughout the system lifecycle:
Concept phase Requirements phase Design Phase Implementation Phase Test Phase Installation, Checkout and Acceptance Testing Phase Operations Phase Maintenance Phase Retirement Phase 18

19 RG-5.71 – Cyber Security Team
Form a Cyber Security Team Senior Plant Manager will be designated as the “Cyber Security Program Sponsor” Cyber Security Program Manager will oversee the Cyber Security Program Cyber Security Specialists Cyber Security Incident Response Team that will include representatives from physical security, operations, engineering, IT and other organizations Other plant staff will also have cyber security roles Provide staff training 19

20 RG-5.71 – Identify Critical Digital Assets
Identify critical digital systems and networks (critical systems) that provide a safety, security, or emergency preparedness function Identify the critical digital assets that are part of, or are connected to critical systems 20

21 RG-5.71 – Cyber Security Assessment
Perform a cyber security assessment. This is a follow-up to the NEI assessment Assessment consists of: Tabletop review Physical Inspection Electronic verification Conduct assessment on all critical digital assets and it extends out through all connection pathways (i.e., a “pull the wire” assessment). 21

22 RG-5.71 – Defensive Architecture Part of Defense in Depth Protective Strategy
Level 4: Vital Area Level 3: Protected Area Level 2: Owner-Controlled Area Level 1: Corporate Accessible Area Level 0: Public Accessible Area 22

23 RG-5.71 – Security Controls
Implement a comprehensive set of security controls based on the guidance provided in NIST SP “Recommended Security Controls for Federal Information Systems” 23

24 RG-5.71 – Security Controls (cont)
A commitment by the licensee to implement a cyber security program with rigorous security controls will be specified in the Cyber Security Plan required by 10 CFR Details on the security controls are provided in the Appendices A, B, and C of RG-5.71 A twist -- licensees are preparing their cyber security plans by following NEI and not Appendix A of RG-5.71 A counter twist – the NRC must approve the licensees cyber security plans. 24

25 RG-5.71 – Additional Guidance
The RG-5.71 also provides guidance on: Continuous Monitoring and Assessment Configuration Management Security Impact Analysis of Changes and Environment Effectiveness Analysis Ongoing Assessment of Security Controls Vulnerability Scans/Assessments Change Control Security Program Review 25

26 Summary Guidance for Meteorology and other EP Program Managers
Be aware of the cyber security threat environment Assess the cyber security of your systems and networks Assess the cyber security of your communication pathways Look for and eliminate cyber vulnerabilities Be pro-active in defending your systems Don’t be afraid to ask for help from your plant or corporate cyber security specialists Discuss cyber security needs with your management

27 On the Horizon… Cyber Security NUREG/CRs
Industry Cyber Security Workshops Revised Guidance NRC cyber security inspections From NERC/FERC revised Critical Infrastructure Protection Standards (CIPS) NERC audits

28 Pacific Northwest National Laboratory
Questions? Cliff Glantz Pacific Northwest National Laboratory PO Box 999 Richland, WA


Download ppt "An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness."

Similar presentations


Ads by Google