NRC Cyber Security Regulatory Program Development
Background
ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014
Ralph Costello, Security Specialist Cyber Security Directorate
Office of Nuclear Security & Incident Response
Introduction
• Inter-Agency Cooperation
• NRC Cyber Security Requirements
• Consequence-Based Approach
• NRC Inspections
• Cyber Security Reporting
• Next Steps
NRC Requirements
March 2009 Cyber Security Rule (10 CFR 73.54) – Requires that nuclear power plant licensees:
• “Provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks . . .”
• “Establish, implement, and maintain a cyber security program” to protect critical digital assets (CDAs).
Scope of 10 CFR 73.54
• Safety-related and important-to-safety functions,
• Security functions,
• Emergency preparedness functions, including offsite communications, and
• Support systems and equipment important to safety and security.
Phased Implementation
Interim Milestones 1-7 (completed by 12/31/2012)
• Cyber Security Plans
• Addresses key threat vectors
Milestone 8 (site specific dates through 2017)
• Full cyber security program implementation
• Procedures and training
• Complete all design remediation actions
Consequence-Based Approach
• Graded approach
– Focus NRC and licensee resources on most significant issues
– Direct vs. Indirect CDAs
• Grouping of CDAs
• Development of templates and examples for efficiency and consistent implementation
NRC Oversight
• NRC inspections of Milestones 1-7 are ongoing
– 39 inspections completed to date
– Completion scheduled for 2015
• NRC inspections of full cyber security program implementation will begin in 2016 (Milestone 8)
Cyber Security Event Notification Rule
• Reporting requirements
• Proposed rule was issued in 2011
• Public engagement
– Public meetings
– Public comments
• Final rule scheduled for 2015