The Nuclear Regulatory Commission’s Forthcoming Cyber

Security Rule: Application to Emergency Preparedness

Systems at Nuclear FacilitiesPrepared by:

Cliff Glantz, Phil Craig, and Guy LandinePacific Northwest National Laboratory

Richland, WA

Presentation Overview

Overview of cyber securityReview the cyber threat landscape A brief history of cyber security requirements and guidance for the nuclear power IndustryThe new draft Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54Current/future cyber security guidance The implication of new requirements for meteorology and emergency preparedness programs

Overview of Cyber Security for the Nuclear Power Industry

The licensees will need to have a comprehensive program in place to protect digital and computing assets and processes This program will need to provide a high level of assurance that intentional or unintentional events (i.e., cyber attacks) do not adversely impact nuclear critical assets and processes.NRC’s focus is on systems and networks associated with:

Safety and Security

Emergency preparedness, including meteorology and offsite communications

Systems and networks which, if compromised, could adversely impact safety, security or emergency preparedness functions.

Licensees also need to be concerned about other systems and networks (e.g., continuity of power)

What is a Cyber Attack?

A cyber attack can include a wide variety of computer-based events that could impact:

Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”. Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a systemAvailability: deny access to systems, networks, services, or data.

Cyber Threat Landscape

Potential “Threat Agents”Hackers/crackersInsiders Organized crimeTerroristsEspionage & cyber warfare

Types of Threats

Targeted/UntargetedTargeted threats are directed at a specific control system or facilityUntargeted are focused on any computer with a given operating systems or commonly used software (e.g., Windows XP, Excel)

Direct/IndirectDirect involves an exploit on the targeted systemIndirect involves exploiting a support system (e.g., power, cooling)

Malicious/InadvertentMalicious -- intending to do harmInadvertent -- an accidental outcome

Insider/OutsiderInsider can be someone employed at the facility or a vendorOutsider can have no direct connection to the target, but may still have considerable knowledge Outsiders can exploit insiders with or without their explicit cooperation

Examples of Potential Cyber Attacks

“Company”-labeled USB memory sticks are left at a nearby shopping center, train station, or ball field. They contain malware that will be installed on a company computer if someone plugs in the “lost” stick to see who it belongs to… (Direct/Malacious/Targeted/Outsider+Insider)

A freeware program is downloaded to a business computer for legitimate purpose. It contains malware. The program is copied to a laptop used to adjust settings on an environmental control system. (Indirect/Malacious/Untargeted/Outsider+Insider)

A worker installs updated software on a non-critical, testing-platform control system and reboots the system. The operational control system is synchronized with the test system and it is shutdown by the reboot process. (Direct/Inadvertent/Targeted/Insider)

Let’s Pause for a Second and Consider Global Warming and the Nuclear Renaissance

Basic lesson for college freshmen: (1) CO2 is a greenhouse gas. (2) The more CO2 you have in the atmosphere, the higher the mean temperature…CO2 has been going up since the beginning of the industrial age and an astounding 25% just in my lifetimeConcern over global warming has been a boon for the nuclear power industry.What can kill this renaissance? Safety issues

History of Cyber Security Guidance

NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in February 2002 NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003 NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005) Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants. Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.

On the Immediate Horizon…

Awaiting release:

10 CFR 73.54, “Protection of Digital Computer and Communication Systems and Networks.”

Draft Regulatory Guide DG-5022 “Cyber Security Programs for Nuclear Facilities”

Key Concepts in the Draft Cyber Security Rule

Key concepts of the new Cyber Security Rule: The licensee shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks.This ranges from simple attacks to those defined in the design basis threat (see Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Section 73.1.)

Key Concepts in the Rule (cont)…

Covers safety, security, and emergency preparedness systems (including other systems that can impact their performance)Assets shall be protected from attacks that could adversely impact the CCIIAA and operation of systems, networks, and associated equipment. This shall include employing state-of-the-art defense-in-depth protective strategies to detect, protect, respond to, and mitigate cyber attacks.

Key Concepts in the Rule (cont)…

Implement appropriate security controls to protect assets. This includes management, operational and technical security controls

Defensive Strategies

Security Controls

Management Operational Technical

with families of security controls within each class

Policies, Procedures, Practices, & Technologies

Key Concepts in the Rule (cont)…

Two prong approach to defense-in-depth:Use multiple-layered security controls

have appropriate detection, mitigation, response, and recovery capabilities in place if your security controls fail. In other words, if an attack penetrates your defenses, be prepared to prevent adverse impacts from the attack

Ensure the functionality of critical systems is maintained!Systematically evaluate cyber security risks for all critical systems. Consider cyber security implications before making any system modifications.

Key Concepts in the Rule (cont)…

Provide appropriate, position-specific cyber security training. Licensees shall submit a formal cyber security plan to the NRCLicensees shall implement a formal cyber security program that is part of their physical security program

Guidance: Current and FutureCurrently, cyber security guidance is provided to the industry by NEI 04-04. Gives a “30,000 ft” level look at cyber security (i.e., it provides a framework but doesn’t provide details on how to achieve objectives). The NRC is preparing Draft Regulatory Guide DG-5022 “Cyber Security Programs for Nuclear Facilities”.DG-5022 fully addresses the new Rule and provides a lot more guidance (e.g., a “3,000 ft” perspective) that should help technical folks understand what they need to do for their systems.I can’t talk about details of the draft Reg Guide in this forum, but the draft guidance has been released for industry review.More Reg Guides and NUREGs will be coming…

Guidance for Meteorology and other Emergency Preparedness Systems

Be aware of the cyber security threat environmentAssess the cyber security of your systems and networksAssess the cyber security of your communication pathwaysLook for and eliminate cyber vulnerabilitiesBe pro-active in defending your systems Think about the cyber security risks associated with potential productivity enhancements Don’t be afraid to ask for help from your plant or corporate cyber security specialists Discuss security needs with your management

Questions?Questions?

Cliff GlantzChair of DOE Subcommittee on Consequence Assessment and Protective Actions (SCAPA)

Pacific Northwest National LaboratoryPO Box 999

Richland, WA 99352509-375-2166

cliff.glantz@pnl.gov