The Rule: 10 CFR 73.54

The Nuclear Sector has a long history of addressing cybersecurity issues. In 1997, through the Nuclear Energy Institute (NEI), the industry began looking at potential issues associated with the increasing use of digital technologies at power reactors. At this time, there was a concern regarding the potential impacts associated with the change in millennia—referred to at that time as the “Y2K” issue. In response to the increasing threat of cyber-related attacks, the NRC amended its design basis threat requirements in 2007 to include a cyber attack as an attribute of the adversary. The NRC describes a cyber attack as:
The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls.

In March 2009, the NRC issued revised security requirements that included comprehensive programmatic cybersecurity requirements, principally codified in Title 10 of the Code of Federal Regulations (CFR), Section 10 CFR 73.54, “Protection of Digital Computer and Communication Systems and Networks” (Rule). The Rule requires that licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks. Further, licensees are required to protect digital computer and communications systems and networks performing mission critical functions from those cyber attacks that would act to modify, destroy or compromise the integrity or confidentiality of data and/or software; deny access to systems, services and/or data; and impact the operation of systems, networks and associated equipment. Finally, the Rule requires power plants to submit a cybersecurity plan and implementation schedule for NRC review and approval.

According to the Rule, the cybersecurity plan should describe how the security requirements would be implemented and should account for the site-specific conditions that affect implementation. In addition, the cybersecurity plan should include measures for incident response and recovery for cyber attacks. The cybersecurity plan must describe how the licensee will:
- Maintain the capability for timely detection and response to cyber attacks;
- Mitigate the consequences of cyber attacks;
- Correct exploited vulnerabilities; and
- Restore affected systems, networks and/or equipment affected by cyber attacks.
What is NEI 08-09?

The intent of the Cyber Security Plan is to protect the health and safety of the public from radiological sabotage as a result of a cyber attack. NEI 08-09 describes a defensive strategy that consists of a defensive architecture and set of security controls that are based on the NIST SP 800-82, "Guide to Industrial Control System Security," and NIST SP 800-53, "Recommended Security Controls for Federal Information Systems," standards.

NRC worked with industry to develop seven interim milestones for licensee Cyber Security Plan implementation, known as Milestones 1 through 7. These seven milestones are designed to address the most prominent threats to the plant’s most important systems. Through the milestones, a licensee would deploy the planned defensive strategy supported by important program elements. Each milestone focused on a subset of systems and requirements to address specific technical and organizational controls required by the Cyber Security Plan:
- Establishment of a Cyber Security Assessment Team (CSAT), which has the authority to perform a security assessment, evaluate the assessment conclusions in order to identify the required cybersecurity controls, and estimate the cybersecurity risk levels.
- Identification of Critical Systems (CSs) and the Critical Digital Assets (CDAs) within each CS, resources which need to be protected in accordance with the guidelines of the Rule. The identification aims at providing knowledge on how a device performs a function and on the hardware, software and firmware that could potentially be used as an attack surface if threat actors exploited vulnerabilities in the device.
- Hardware-based segmentation by installing protective devices between lower and higher security levels in the Security Defensive Architecture. The defensive architecture protects CDAs that have similar risk significance from other devices, systems or equipment by establishing the logical and physical boundaries to control the data transfer between boundaries. These boundaries denote levels entailing security control requirements rather than networks of devices. Defensive levels with the highest cybersecurity risk significance are separated from other levels by one-way deterministic devices that limit data flow to one direction.
- Portable media and mobile device protections, in order to restrict usage of these devices, control device access to CDAs, ensure device security at a level consistent with the CDA they support, and establish procedures for secure data transfer from a vendor to portable media that would be inserted into a CDA.
- Enhancement of existing insider threat mitigation so that access is granted to those individuals who have a need to obtain or have received training that includes both basic awareness and job-function-specific training.
- Apply cybersecurity controls to a select group of CDAs that could impact key safety systems.
- Ongoing monitoring and assessments of applied cybersecurity controls.
- Characterize their current and target cybersecurity posture.
- Identify gaps in their existing cybersecurity risk management programs using the Framework as a guide and identify areas where current practices may exceed the Framework.
- Recognize that existing sector tools, standards and guidelines may support Framework implementation.
- Effectively demonstrate and communicate their risk management approach and use of the Framework to both internal and external stakeholders.