
Nuclear Regulatory Commission Cyber Security Program - PowerPoint PPT Presentation



  1. Nuclear Regulatory Commission Cyber Security Program. Barry Westreich, Director, Cyber Security Directorate, Office of Nuclear Security & Incident Response.

  2. Nuclear Regulatory Commission

  3. The U.S. Nuclear Regulatory Commission (NRC) was created as an independent agency by Congress in 1974 to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

  4. Commercial Power Reactors, Non-Power Reactors

  5. Hospitals, Nuclear Fuel Cycle, Fuel Storage

  6. NRC Cyber Security History
     • 2002-2003: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders
     • 2005: NRC supported the industry voluntary cyber program (NEI 04-04)
     • 2009: 10 CFR 73.54, Cyber Security Rule
     • 2012: Implementation/oversight of interim Cyber Security measures
     • 2014: Endorsed NEI 13-10, Cyber Security Control Assessments – Graded Consequence-Based Approach

  7. NRC Power Reactor Cyber Security Program
     • 10 CFR 73.54 (2009): Protect digital assets associated with Safety, Security, and Emergency Preparedness (SSEP) functions
     • Required power reactors to submit a Cyber Security Plan (CSP) for NRC review and approval
     • Coordination with NERC/FERC to address potential areas of overlap

  8. NRC Cyber Security Program: 10 CFR 73.54 Basic Requirements
     1. Identify Critical Digital Assets (CDAs)
     2. Apply and maintain a defense-in-depth protective strategy
     3. Address security controls for each CDA
     4. Identify, respond to, and mitigate cyber attacks

  9. NRC Cyber Security Program: 10 CFR 73.54 Basic Requirements (continued)
     5. Training commensurate with roles and responsibilities for facility personnel
     6. Review and maintain the CSP as a component of the Physical Security Plan
     7. Retain records and supporting technical documentation

  10. Guidance Documents
     – Regulatory Guide (RG) 5.71, “Cyber Security Programs for Nuclear Facilities” (Jan 2010)
     – NEI 08-09 Rev. 6, “Cyber Security Plan for Power Reactors” (April 2010)

  11. Conceptual Approach
     • Cyber Security Assessment Team
     • Identify Critical Digital Assets
     • Apply Defensive Architecture (diagram on the slide: Corporate LAN, Site LAN, Security, Safety, CDAs)
     • Address Security Controls:
       1. Address each control for all CDAs, or
       2. Apply alternative measures, or
       3. Explain why a control is N/A

  12. Consequence-Based Graded Cyber Risk Management Approach
     1. Identify Critical Digital Assets associated with important functions
     2. Implement the basic cyber program for all CDAs (milestones 1-7)
     3. Identify CDAs whose impact is delayed and can be recognized and mitigated before the function is affected: ensure continued maintenance of the basic cyber program and the ability to identify and mitigate impacts
     4. Identify CDAs that have a near-term, direct impact on an important function: assess and implement RG 5.71 controls

  13. NRC Cyber Security Program: implementing in a 2-phase approach
     • 1st phase milestones complete by 12/2012
       – Establish multi-disciplinary Cyber Assessment Team
       – Identify Critical Digital Assets
       – Establish defensive architecture: isolation of the most critical assets
       – Control portable media and devices
       – Enhanced insider mitigation
       – Controls established for the most significant components
     • Full implementation 2016-2017

  14. Contact Information
     Barry Westreich, Director, Cyber Security Directorate, US Nuclear Regulatory Commission
     barry.westreich@nrc.gov
     301-287-3664
