U.S. NRC RIC 2019 March 12 - 1
CNSC CYBER SECURITY PROGRAM IMPLEMENTATION AND INSPECTIONS AT NPPS
Chul Hwan Jung
Technical Specialist
E-doc #5766483
Content
• Regulatory Requirements for Cyber Security
• Cyber Security Program Implementation
• Cyber Security Program Inspections
• Lessons Learned
Canadian Nuclear Safety Commission (CNSC)
Regulates the use of nuclear energy and materials:
• Protects the health, safety and security of Canadians and the environment;
• Implements Canada's international commitments on the peaceful use of nuclear energy; and
• Disseminates objective scientific, technical and regulatory information to the public
Canada’s Nuclear Regulator
CNSC’s Regulatory Framework
The CNSC's Regulatory Framework consists of:
• Act passed by Parliament that governs the regulation of Canada's nuclear industry
• Regulations
• Licences/conditions
• Regulatory documents used by the CNSC to regulate the nuclear industry
Cyber Security Requirements
• General Nuclear Safety and Control Regulations
  “every licensee shall take reasonable precautions to maintain the security of nuclear facilities”
• Nuclear Security Regulations
  under revision to include cyber security requirements
• Regulatory documents (REGDOCs)
  REGDOC-2.5.2, Design of Reactor Facilities: NPP, section 7.22.4 Cyber Security
• Licence Conditions Handbooks (LCHs)
  to clarify the regulatory requirements for each Licence Condition (LC) in the licence
  SCA12: Security; Cyber Security
Cyber Security Program – Operating NPPs
• Regulatory Framework (current):
  Site-specific cyber security programs are in place at all NPPs by the CNSC action item raised in 2008
  Regulatory position statement: Letter to NPP licensees outlining CNSC expectations and references
• Regulatory Framework (near future):
  Site-specific cyber security programs are currently being updated at all NPPs
  Requirements: CSA N290.7-14, “Cyber Security for Nuclear Power Plants and Small Reactor Facilities”
CSA N290.7 Cyber Security Program Scope
• Systems important to Nuclear Safety
• Systems important for Nuclear Security
• Systems used for Emergency Preparedness
• Systems used for International Safeguards (excludes IAEA-owned safeguard equipment)
• Systems used for Production Reliability
• Includes auxiliary systems which, if compromised, could adversely impact the systems (functions) above.
Cyber Security Program Inspection Guide
Inspection Guide
Purpose:
• To verify that the licensee’s cyber security program is implemented and maintained in a manner that is consistent with CNSC regulatory requirements and the licensee’s governance, and that follows industry guidance and best practices.
• To guide and assist CNSC staff in the conduct of site inspections
Typical Inspection Team Composition
• Site Inspector
• Technical Specialists (computer security)
• Technical Specialist (safety-related systems engineer)
• Security Advisor (physical security)
• An inspection team is formed as needed for a site specific inspection
Inspection areas - examples (1/2)
1. Documents for Program Governance
2. Cyber Asset Identification and Vulnerability Assessments
3. Cyber Security Program Management Controls
  • Policies and procedures (e.g., procedure for the control of portable and mobile devices)
  • Roles and responsibilities (e.g., owner, SPOC)
  • Information protection
  • Engineering change control and configuration management (e.g., Software Maintenance Plan)
  • Procurement control
4. Personnel & Training (e.g., awareness, SPOC, etc.)
Inspection areas - examples (2/2)
5. Electronic Security Perimeter (e.g., access points)
6. Physical Security of Cyber Essential Assets
7. Systems Security Management (e.g., security patch management, access/security logs review)
8. Incident Reporting and Response Planning
9. Cyber Security Defensive Architecture
10. Laptop and Portable Media Control
11. Periodic Self-assessment and Review of Cyber Security Program
Cyber Security Program Inspections at NPPs
• Assessed based on implementation of current cyber security programs
  Darlington in 2015
  Bruce in 2015
  Point Lepreau in 2017
  Pickering in 2018
• Will be assessed based on implementation of CSA N290.7-14
  Compliance inspections to begin in 2020
Lessons Learned from Inspections (1/2)
• Request licensee to provide a briefing on their cyber security program, including the specific areas or systems that the inspection team will focus on
• Recommend an information gathering site visit prior to field verification
• Select a reasonable inspection scope (system vs. Electronic Security Perimeter)
• Review interfaces with other programs (physical security, training, configuration, engineering change, IT, software maintenance, etc.)
Lessons Learned from Inspections (2/2)
• Need secure and efficient information management among the licensee, the site inspector and inspection team members from headquarters for access to classified information or encrypted files/emails
• Use a dedicated Secure Key for the inspection report process
• Check security clearance levels: licensee staff including regulatory affairs, and regulator site staff
Further Developments
• Once implementation of CSA N290.7-14 is complete, the next phase of cyber security inspections will be rolled out in the near future
• Revise the current Inspection Guide for the next inspections to align with the requirements of CSA N290.7-14
Conclusion
• Cyber security programs have been implemented at all operating Canadian NPPs, and the programs are being updated to comply with the new requirements in CSA N290.7-14
• Cyber security inspections have been performed at NPPs
• Regulatory oversight through desktop reviews and site inspections conducted to date revealed that all NPP facilities are compliant with current regulatory requirements
Thank You! Questions?
nuclearsafety.gc.ca