Post on 31-Dec-2015
description
NRC Cyber Security Regulatory Program Development
Background
ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014
Ralph Costello, Security Specialist Cyber Security Directorate
Office of Nuclear Security & Incident Response
Introduction
• Inter-Agency Cooperation
• NRC Cyber Security Requirements
• Consequence-Based Approach
• NRC Inspections
• Cyber Security Reporting
• Next Steps
2
NRC Requirements
March 2009 Cyber Security Rule (10 CFR 73.54) – Requires that nuclear power plant licensees:
• “Provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks . . .”
• “Establish, implement, and maintain a cyber security program” to protect critical digital assets (CDAs).
4
Scope of 10 CFR 73.54
• Safety-related and important-to-safety functions,
• Security functions,• Emergency preparedness functions, including
offsite communications, and• Support systems and equipment important to
safety and security.
5
Phased ImplementationInterim Milestones 1-7 (completed by 12/31/2012)• Cyber Security Plans• Addresses key threat vectorsMilestone 8 (site specific dates through 2017) • Full cyber security program implementation• Procedures and training• Complete all design remediation actions
6
Consequence-Based Approach
• Graded approach– Focus NRC and licensee resources on most
significant issues– Direct vs. Indirect CDAs
• Grouping of CDAs • Development of templates and examples for
efficiency and consistent implementation
7
NRC Oversight• NRC inspections of Milestones 1-7 are ongoing
– 39 inspections completed to date– Completion scheduled for 2015
• NRC inspections of full implementation of cyber security implementation will begin in 2016 (Milestone 8)
8
Cyber Security Event Notification Rule
• Reporting requirements • Proposed rule was issued in 2011• Public engagement
– Public meetings– Public comments
• Final rule scheduled for 2015
9