An Insider’s Perspective on the NRC’s New Cyber Security Rule

and Forthcoming Regulatory Guidance: Potential Impacts on

Meteorology and Emergency Preparedness Programs

Prepared by:Cliff Glantz, Phil Craig, and Guy LandinePacific Northwest National Laboratory

Richland, WA

Key Presentation Themes

Cyber security is a real concern

The cyber threat landscape

The new Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54

The new cyber security regulatory guide -- RG-5.71

The Concern…

Cyber security is an issue of grave national importance.The NRC is concerned that a cyber attack can impact safety, security, and emergency response functions NERC is concerned that a cyber attack can impact the ability of the electric grid “to keep the lights on”.

3

Cyber Threat Landscape

Potential “Threat Agents”Hackers/crackersInsiders Organized crimeTerroristsEspionage Cyber warfare

What is a Cyber Attack?

A cyber attack can include a wide variety of computer-based events that could impact:

Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”. Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a systemAvailability: deny access to systems, networks, services, or data.

Types of Threats

Targeted/UntargetedTargeted threats are directed at a specific control system or facilityUntargeted are focused on any computer with a given operating systems or commonly used software (e.g., Windows XP, Excel)

Malicious/InadvertentMalicious -- intending to do harmInadvertent -- an accidental outcome

Insider/OutsiderInsider can be someone employed at the facility or a vendorOutsider can have no direct connection to the target, but may still have considerable knowledge Outsiders can exploit insiders with or without their explicit cooperation

Direct/IndirectDirect involves an exploit on the targeted systemIndirect involves exploiting a support system (e.g., power, cooling)

Examples of Potential Cyber Attacks

A USB memory stick labeled as plant property is “dropped” in a parking lot at a local shopping center. It contains malware that would be installed on a company computer if someone good Samaritan plugs in the “lost” stick on a work computer to see who it belongs to.An internet connection (wired or wireless) or modem used to access meteorological data systems is hacked and the intruder gains system administrator control. A freeware meteorological program is downloaded to a business computer for legitimate purpose. It contains malware. The program is downloaded to a laptop used to adjust settings on meteorological and other monitoring instruments and impacts system performance.

History of Cyber Security Guidance 2002

NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in

2003NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003 NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants

2005NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005)

2006Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

2007Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.

10 CFR 73.54 - Scope

Each licensee… shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat…The licensee shall protect digital computer and communication systems/networks associated with:

Safety-related and important-to safety functions;

Security functions;

Emergency preparedness (EP) functions, including offsite communications; and

Support systems and equipment which, if compromised, would adversely impact safety, security, or EP (SSEP) functions.

9

Protection of Digital Computer and Communication Systems and Networks (2009)

10 CFR 73.54 – Protect Systems

The licensee shall protect SSEP systems and networks from cyber attacks that would:

Adversely impact the integrity or confidentiality of data and/or softwareDeny access to systems, services, and/or dataAdversely impact the operation of systems, networks, and associated equipment.

10

10 CFR 73.54 – First Steps

The licensee shall:Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks. These are called critical digital assets.Establish, implement, and maintain a cyber security program for the protection of the critical digital assetsIncorporate the cyber security program as a component of the physical protection program.

11

10 CFR 73.54 – Program Design

The cyber security program must be designed to:

Implement security controls to protect the critical digital assets from cyber attacksApply and maintain defense-in depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacksMitigate the adverse affects of cyber attacksEnsure the functions of critical digital assets are not adversely impacted due to cyber attacks.

12

10 CFR 73.54 – More Program Requirements

The licensee shall:Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities.Evaluate and manage cyber risks.Ensure that modifications to critical digital assets are evaluated before implementation to ensure that the cyber security performance objectives are maintained.

13

10 CFR 73.54 – Cyber Security Plan

Establish, implement, and maintain an effective cyber security plan that:

describes how the cyber security program will implement the Rule

Describes how the licensee will account for site-specific conditions that affect implementation

includes measures for incident response and recovery during and after a cyber attack. The plan must describe how the licensee will:

maintain the capability for timely detection and response to cyber attacks

mitigate the consequences of cyber attacks

correct exploited vulnerabilities

restore affected systems, networks, and/or equipment affected by cyber attacks.

14

10 CFR 73.54 – Policies, Records, Etc.

The licensee shall:develop and maintain written policies and implementing procedures to implement the cyber security plan. make policies, implementing procedures, site-specific analysis, and other supporting technical information available upon request for NRC inspectionreview the cyber security program as a component of the physical security programretain all records and supporting technical documentation required to satisfy the requirements

15

RG-5.71Cyber Security Programs for Nuclear Facilities

16

Evolution of the Reg Guide•2007 - work on DG-5022 begins in the fall•2008 - DG-5022 provided to industry in May

1st stakeholder meeting conducted in July Revised DG-5022 provided to industry in

November 2nd stakeholder meeting in December

•2009 - RG-5.71 presented to the ACRS in February Revised RG-5.71 provided to industry in June 3rd stakeholder meeting conducted in July

Coming Soon•Revised RG-5.71 to be presented to the ACRS in Nov. 2009•Final RG-5.71 to be released sometime after the ACRS gives its approval.

RG-5.71 Contents

Current size – about 120 pagesContent:

A. Introduction

B. Discussion

C. Regulatory Position

D. Implementation

Glossary

Bibliography

References

Appendix A Generic Cyber Security Plan Template

Appendix B Technical Security Controls

Appendix C Operational and Management Security Controls

Appendix D Reporting of Attacks and Incidents17

RG-5.71 Focus

18

Provide cyber security throughout the system lifecycle:•Concept phase •Requirements phase•Design Phase•Implementation Phase•Test Phase•Installation, Checkout and Acceptance Testing Phase•Operations Phase•Maintenance Phase•Retirement Phase

RG-5.71 – Cyber Security Team

Form a Cyber Security TeamSenior Plant Manager will be designated as the “Cyber Security Program Sponsor”

Cyber Security Program Manager will oversee the Cyber Security Program

Cyber Security Specialists

Cyber Security Incident Response Team that will include representatives from physical security, operations, engineering, IT and other organizations

Other plant staff will also have cyber security roles

Provide staff training

19

RG-5.71 – Identify Critical Digital Assets

Identify critical digital systems and networks (critical systems) that provide a safety, security, or emergency preparedness functionIdentify the critical digital assets that are part of, or are connected to critical systems

20

RG-5.71 – Cyber Security Assessment

Perform a cyber security assessment. This is a follow-up to the NEI 04-04 assessment Assessment consists of:

Tabletop reviewPhysical InspectionElectronic verification

Conduct assessment on all critical digital assets and it extends out through all connection pathways (i.e., a “pull the wire” assessment).

21

RG-5.71 – Defensive Architecture

Part of Defense in Depth Protective Strategy

22

Level 4: Vital AreaLevel 3: Protected AreaLevel 2: Owner-Controlled AreaLevel 1: Corporate Accessible AreaLevel 0: Public Accessible Area

RG-5.71 – Security ControlsImplement a comprehensive set of security controls based on the guidance provided in NIST SP 800-53 “Recommended Security Controls for Federal Information Systems”

23

RG-5.71 – Security Controls (cont)

A commitment by the licensee to implement a cyber security program with rigorous security controls will be specified in the Cyber Security Plan required by 10 CFR 73.54.Details on the security controls are provided in the Appendices A, B, and C of RG-5.71 A twist -- licensees are preparing their cyber security plans by following NEI 08-09 and not Appendix A of RG-5.71A counter twist – the NRC must approve the licensees cyber security plans.

24

RG-5.71 – Additional Guidance

The RG-5.71 also provides guidance on:Continuous Monitoring and Assessment Configuration Management Security Impact Analysis of Changes and EnvironmentEffectiveness Analysis Ongoing Assessment of Security ControlsVulnerability Scans/Assessments Change Control Security Program Review

25

Summary Guidance for Meteorology and other EP Program Managers

Be aware of the cyber security threat environmentAssess the cyber security of your systems and networksAssess the cyber security of your communication pathwaysLook for and eliminate cyber vulnerabilitiesBe pro-active in defending your systems Don’t be afraid to ask for help from your plant or corporate cyber security specialists Discuss cyber security needs with your management

On the Horizon…

Cyber Security NUREG/CRsIndustry Cyber Security WorkshopsRevised GuidanceNRC cyber security inspectionsFrom NERC/FERC revised Critical Infrastructure Protection Standards (CIPS)NERC audits

Questions?Questions?

Cliff GlantzPacific Northwest National Laboratory

PO Box 999Richland, WA 99352

509-375-2166cliff.glantz@pnl.gov