Nuclear Regulatory Commission Cyber Security Program · 2015-02-25 · NRC Cyber Security Program...



Page 1:

Nuclear Regulatory Commission

Cyber Security Program

Barry Westreich, Director

Cyber Security Directorate

Office of Nuclear Security & Incident Response

Page 2:

Nuclear Regulatory Commission


Page 3:

The U.S. Nuclear Regulatory Commission (NRC) was created as an independent agency by Congress in 1974 to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

Page 4:

Commercial Power Reactors, Non-Power Reactors

Page 5:

Hospitals, Nuclear Fuel Cycle, Fuel Storage

Page 6:

NRC Cyber Security History

• 2002-2003: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders

• 2005: NRC supported industry voluntary cyber program (NEI 04-04)

• 2009: 10 CFR 73.54, Cyber Security Rule

• 2012: Implementation/Oversight of Interim Cyber Security measures

• 2014: Endorsed NEI 13-10, Cyber Security Control Assessments
– Graded Consequence Based Approach

Page 7:

NRC Power Reactor Cyber Security Program

10 CFR 73.54 (2009): Protect digital assets associated with Safety, Security, and Emergency Preparedness (SSEP) functions

Required power reactors to submit a Cyber Security Plan (CSP) for NRC review and approval

Coordination with NERC/FERC to address potential areas of overlap

Page 8:

NRC Cyber Security Program 10 CFR 73.54 Basic Requirements

1. Identify Critical Digital Assets (CDAs)

2. Apply & Maintain a Defense-in-Depth Protective Strategy.

3. Address Security Controls for each CDA.

4. Identify, respond to, and mitigate cyber attacks.

Page 9:

NRC Cyber Security Program 10 CFR 73.54 Basic Requirements

5. Training commensurate with roles and responsibilities for facility personnel

6. Review/Maintain the CSP as a component of the Physical Security Plan

7. Retain records and supporting technical documentation.

Page 10:

Guidance Documents

– Regulatory Guide (RG) 5.71 "Cyber Security Programs for Nuclear Facilities" (Jan 2010)

– NEI 08-09 Rev. 6 "Cyber Security Plan for Power Reactors" (April 2010)

Page 11:

Conceptual Approach

Cyber Security Assessment Team

Identify Critical Digital Assets

Apply Defensive Architecture

Address Security Controls
1. Address each control for all CDAs, or
2. Apply alternative measures, or
3. Explain why a control is N/A

[Diagram: defensive architecture levels, from most to least protected: Safety CDAs, Security CDAs, Site LAN, Corporate LAN]

Page 12:

Consequence Based Graded Cyber Risk Management Approach

1. Identify Critical Digital Assets associated with important functions

2. Implement basic cyber program for all CDAs (milestones 1-7)

3. Identify CDAs that have a delayed impact that can be recognized and mitigated prior to the function
– Ensure continued maintenance of basic cyber program and ability to identify and mitigate impacts

4. Identify CDAs that have near-term, direct impact on important function
– Assess and implement RG 5.71 controls.

Page 13:

NRC Cyber Security Program

Implementing in 2-phase approach

• 1st phase milestones complete by 12/2012
– Establish multi-disciplinary Cyber Assessment Team
– Identify Critical Digital Assets
– Establish defensive architecture: isolation of the most critical assets
– Control portable media and devices
– Enhanced insider mitigation
– Controls established for most significant components

• Full implementation 2016-2017.

Page 14:

Contact Information

Barry Westreich
Director, Cyber Security Directorate
US Nuclear Regulatory Commission
[email protected]
301-287-3664