Nuclear Regulatory Commission Cyber Security Program - PowerPoint PPT Presentation


SLIDE 1

Nuclear Regulatory Commission Cyber Security Program

Barry Westreich

Director, Cyber Security Directorate
Office of Nuclear Security & Incident Response

SLIDE 2

Nuclear Regulatory Commission

SLIDE 3

The U.S. Nuclear Regulatory Commission (NRC) was created as an independent agency by Congress in 1974 to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

SLIDE 4

Commercial Power Reactors, Non-Power Reactors

SLIDE 5

Hospitals, Nuclear Fuel Cycle, Fuel Storage

SLIDE 6

NRC Cyber Security History

  • 2002-2003: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders
  • 2005: NRC supported the industry voluntary cyber program (NEI 04-04)
  • 2009: 10 CFR 73.54, Cyber Security Rule
  • 2012: Implementation/oversight of interim cyber security measures
  • 2014: Endorsed NEI 13-10, Cyber Security Control Assessments
    – Graded, consequence-based approach

SLIDE 7

NRC Power Reactor Cyber Security Program

10 CFR 73.54 (2009): Protect digital assets associated with Safety, Security, and Emergency Preparedness (SSEP) functions

Required power reactors to submit a Cyber Security Plan (CSP) for NRC review and approval

Coordination with NERC/FERC to address potential areas of overlap
SLIDE 8

NRC Cyber Security Program

10 CFR 73.54 Basic Requirements

  • 1. Identify Critical Digital Assets (CDAs)
  • 2. Apply and maintain a defense-in-depth protective strategy
  • 3. Address security controls for each CDA
  • 4. Identify, respond to, and mitigate cyber attacks
SLIDE 9

NRC Cyber Security Program

10 CFR 73.54 Basic Requirements (continued)

  • 5. Training for facility personnel commensurate with roles and responsibilities
  • 6. Review and maintain the CSP as a component of the Physical Security Plan
  • 7. Retain records and supporting technical documentation

SLIDE 10

Guidance Documents

  – Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Facilities" (Jan 2010)
  – NEI 08-09 Rev. 6, "Cyber Security Plan for Power Reactors" (April 2010)

SLIDE 11

Conceptual Approach

Cyber Security Assessment Team → Identify Critical Digital Assets → Apply Defensive Architecture → Address Security Controls

[Diagram of the defensive architecture; labels only: Safety, Security, Site LAN, Corporate LAN; CDAs]

Address security controls:

1. Address each control for all CDAs, or
2. Apply alternative measures, or
3. Explain why a control is N/A

SLIDE 12

Consequence-Based Graded Cyber Risk Management Approach

  • 1. Identify Critical Digital Assets associated with important functions
  • 2. Implement a basic cyber program for all CDAs (Milestones 1-7); ensure continued maintenance of the basic cyber program and the ability to identify and mitigate impacts
  • 3. Identify CDAs that have a delayed impact that can be recognized and mitigated prior to an impact on the function
  • 4. Identify CDAs that have a near-term, direct impact on an important function; assess and implement RG 5.71 controls

SLIDE 13

NRC Cyber Security Program

Implementing in a 2-phase approach

  • 1st phase milestones complete by 12/2012
    – Establish multi-disciplinary Cyber Assessment Team
    – Identify Critical Digital Assets
    – Establish defensive architecture: isolation of the most critical assets
    – Control portable media and devices
    – Enhanced insider mitigation
    – Controls established for the most significant components
  • Full implementation 2016-2017
SLIDE 14

Contact Information

Barry Westreich
Director, Cyber Security Directorate
US Nuclear Regulatory Commission
barry.westreich@nrc.gov
301-287-3664