Most organizations with industrial control systems (ICS) fall into one of two categories: regulated and non-regulated. For those subject to government-imposed regulatory requirements, the selection of a cybersecurity framework is effectively compelled. Such is the case with the nuclear energy industry and NEI 08-09.
The nuclear energy industry is one of the safest industries. It is protected by multiple back-up safety systems, robust physical defenses and plant security forces with rigorous training. Since the September 11 terrorist attacks, the industry has continued to improve its safety systems to prepare for emerging threats such as the impact from a wide-bodied commercial airliner and cyber attacks on critical operational systems. Each U.S. nuclear power plant is equipped with extensive security measures to protect the facility from intruders and to protect the public from the possibility of exposure to radioactive releases caused by acts of sabotage. The U.S. Nuclear Regulatory Commission (NRC) calls nuclear power plants “among the best-protected private sector facilities in the nation.”
The Rule: 10 CFR 73.54
The Nuclear Sector has a long history of addressing cybersecurity issues. In 1997, through the Nuclear Energy Institute (NEI), the industry began looking at potential issues associated with the increasing use of digital technologies at power reactors. At that time, there was concern about the potential impacts of the change of millennium, then referred to as the “Y2K” issue.
In response to the increasing threat of cyber-related attacks, the NRC amended its design basis threat requirements in 2007 to include a cyber attack as an attribute of the adversary. The NRC describes a cyber attack as:
“The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls.”
In March 2009, the NRC issued revised security requirements that included comprehensive programmatic cybersecurity requirements, principally codified in Title 10 of the Code of Federal Regulations (CFR), Section 10 CFR 73.54, “Protection of Digital Computer and Communication Systems and Networks” (Rule).
The Rule requires that licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks. Further, licensees are required to protect digital computer and communications systems and networks performing mission critical functions from those cyber attacks that would act to modify, destroy or compromise the integrity or confidentiality of data and/or software; deny access to systems, services and/or data; and impact the operation of systems, networks and associated equipment.
Finally, the Rule requires power plants to submit a cybersecurity plan and implementation schedule for NRC review and approval. According to the Rule, the cybersecurity plan should describe how the security requirements would be implemented and should account for the site-specific conditions that affect implementation. In addition, the cybersecurity plan should include measures for incident response and recovery for cyber attacks. The cybersecurity plan must describe how the licensee will:
- Maintain the capability for timely detection and response to cyber attacks;
- Mitigate the consequences of cyber attacks;
- Correct exploited vulnerabilities; and
- Restore affected systems, networks and/or equipment affected by cyber attacks.
To support uniform implementation, the industry developed a template for the cybersecurity plan and the implementation schedule. In May 2010, the NRC endorsed NEI 08-09, “Cyber Security Plan for Nuclear Power Reactors,” Revision 6.
What is NEI 08-09?
The intent of the Cyber Security Plan is to protect the health and safety of the public from radiological sabotage as a result of a cyber attack. NEI 08-09 describes a defensive strategy that consists of a defensive architecture and set of security controls that are based on the NIST SP 800-82, “Guide to Industrial Control System Security,” and NIST SP 800-53, “Recommended Security Controls for Federal Information Systems,” standards.
The NRC worked with industry to develop seven interim milestones for licensee Cyber Security Plan implementation, known as Milestones 1 through 7. These seven milestones are designed to address the most prominent threats to the plant’s most important systems. Through the milestones, a licensee would deploy the planned defensive strategy supported by important program elements. Each milestone focused on a subset of systems and requirements to address specific technical and organizational controls required by the Cyber Security Plan:
- Establishment of a Cyber Security Assessment Team (CSAT), which has the authority to perform a security assessment, evaluate the assessment conclusions in order to identify the required cybersecurity controls, and estimate the cybersecurity risk levels.
- Identification of Critical Systems (CSs) and the Critical Digital Assets (CDAs) within each CS, resources which need to be protected in accordance with the guidelines of the Rule. The identification aims at providing knowledge on how a device performs a function and on the hardware, software and firmware that could potentially be used as an attack surface if threat actors exploited vulnerabilities in the device.
- Hardware-based segmentation by installing protective devices between lower and higher security levels in the Security Defensive Architecture. The defensive architecture protects CDAs that have similar risk significance from other devices, systems or equipment by establishing the logical and physical boundaries to control the data transfer between boundaries. These boundaries denote levels entailing security control requirements rather than networks of devices. Defensive levels with the highest cybersecurity risk significance are separated from other levels by one-way deterministic devices that limit data flow to one direction.
- Portable media and mobile device protections, in order to restrict usage of these devices, control the device access to CDAs, ensure device security at a level consistent with the CDA they support and establish procedures for secure data transfer from a vendor to portable media that would be inserted into a CDA.
- Enhancement of existing insider threat mitigation so that access is granted to those individuals who have a need to obtain or have received training that includes both basic awareness and job-function-specific training.
- Application of cybersecurity controls to a select group of CDAs that could impact key safety systems.
- Ongoing monitoring and assessments of applied cybersecurity controls.
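The hardware-based segmentation item above, with its one-way deterministic devices, can be checked against observed traffic, as can the requirement that every endpoint be an identified asset. The Python code below is an added example, not taken from NEI 08-09 or any vendor product; the level numbers, the position of the one-way boundary, the outbound-only direction, the asset names and the log lines are all constructed assumptions.

```python
# Added example: audit observed flows against a one-way level boundary.
# Level numbers, DIODE_ABOVE, asset names and log lines are constructed assumptions.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto")

# Assumed mapping of assets to defensive levels (higher = more risk-significant).
ASSET_LEVEL = {
    "safety-plc-1": 4, "hmi-ctrl-1": 4, "plant-historian": 3,
    "corp-historian": 2, "eng-laptop": 2, "mail-gw": 1,
}
# Assumption: the one-way deterministic device sits between level 3 and level 2
# and passes data only from the protected side (>= 3) outward.
DIODE_ABOVE = 3

# Constructed sample of observed flows: "<source> <destination> <protocol>".
SAMPLE_LOG = """\
plant-historian corp-historian udp
eng-laptop hmi-ctrl-1 tcp
safety-plc-1 hmi-ctrl-1 tcp
corp-historian mail-gw tcp
rogue-box plant-historian tcp
"""

def parse(log):
    return [Flow(*line.split()) for line in log.splitlines() if line.strip()]

def classify(flow):
    """Return (verdict, reason) for one observed flow."""
    try:
        s, d = ASSET_LEVEL[flow.src], ASSET_LEVEL[flow.dst]
    except KeyError as missing:
        # An endpoint absent from the asset inventory cannot be placed in a level.
        return "violation", f"unidentified asset {missing.args[0]}"
    src_protected, dst_protected = s >= DIODE_ABOVE, d >= DIODE_ABOVE
    if src_protected == dst_protected:
        return "ok", "does not cross the one-way boundary"
    if dst_protected:
        return "violation", f"inbound across one-way boundary (L{s} -> L{d})"
    return "ok", f"outbound across one-way boundary (L{s} -> L{d})"

def audit(log):
    return [(f, *classify(f)) for f in parse(log)]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:9} {flow.src} -> {flow.dst}/{flow.proto}: {reason}")
```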
In January 2013, the NRC began inspecting power plant cybersecurity program implementation of the initial seven milestones and completed inspections at each power plant at the end of 2015.
The eighth milestone includes the completion of policy and procedural revisions that enhance existing capabilities, the completion of any remaining design-related modifications necessary to implement the cybersecurity plan and the institution of protective measures for lower consequence assets. More specifically, the additional focus areas will include detection and response, supply chain, data integrity, program monitoring and change management, attack mitigation, incident response and contingency planning. Licensees completed Milestone 8 in December 2017, and in January 2019, the NRC initiated the assessment.
Further, the U.S. Department of Homeland Security (DHS), as the Nuclear Reactors, Materials, and Waste Sector-Specific Agency, worked with the Nuclear Sector Coordinating Council to develop a Cybersecurity Framework Implementation Guidance specifically for nuclear power reactor owners and operators. The Implementation Guidance is informed by the nuclear reactor risk environment and existing physical and cybersecurity programs as well as other risk management tools used within the sector.
The Implementation Guidance is designed to assist nuclear power reactor organizations to:
- Characterize their current and target cybersecurity posture.
- Identify gaps in their existing cybersecurity risk management programs using the Framework as a guide and identify areas where current practices may exceed the Framework.
- Recognize that existing sector tools, standards and guidelines may support Framework implementation.
- Effectively demonstrate and communicate their risk management approach and use of the Framework to both internal and external stakeholders.
How Tripwire Helps
Applying the controls suggested by the NEI 08-09 framework can be an overwhelming task. Tripwire’s ICS Security Suite can help you meet the foundational requirements defined in the standard. Our cyber resiliency suite integrates with the plant network equipment and factory automation systems you already own to help you find, fix and monitor security to prevent and detect cyber incidents.