280 likes | 687 Views
An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness Programs. Prepared by: Cliff Glantz, Phil Craig, and Guy Landine Pacific Northwest National Laboratory Richland, WA.
E N D
An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness Programs Prepared by: Cliff Glantz, Phil Craig, and Guy Landine Pacific Northwest National Laboratory Richland, WA
Cyber security is a real concern The cyber threat landscape The new Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54 The new cyber security regulatory guide -- RG-5.71 Key Presentation Themes
The Concern… • Cyber security is an issue of grave national importance. • The NRC is concerned that a cyber attack can impact safety, security, and emergency response functions • NERC is concerned that a cyber attack can impact the ability of the electric grid “to keep the lights on”. 3
Cyber Threat Landscape Potential “Threat Agents” Hackers/crackers Insiders Organized crime Terrorists Espionage Cyber warfare
What is a Cyber Attack? A cyber attack can include a wide variety of computer-based events that could impact: Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”. Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a system Availability: deny access to systems, networks, services, or data. CIA
Types of Threats Targeted/Untargeted Targeted threats are directed at a specific control system or facility Untargeted are focused on any computer with a given operating systems or commonly used software (e.g., Windows XP, Excel) Malicious/Inadvertent Malicious -- intending to do harm Inadvertent -- an accidental outcome Insider/Outsider Insider can be someone employed at the facility or a vendor Outsider can have no direct connection to the target, but may still have considerable knowledge Outsiders can exploit insiders with or without their explicit cooperation Direct/Indirect Direct involves an exploit on the targeted system Indirect involves exploiting a support system (e.g., power, cooling)
Examples of Potential Cyber Attacks A USB memory stick labeled as plant property is “dropped” in a parking lot at a local shopping center. It contains malware that would be installed on a company computer if someone good Samaritan plugs in the “lost” stick on a work computer to see who it belongs to. An internet connection (wired or wireless) or modem used to access meteorological data systems is hacked and the intruder gains system administrator control. A freeware meteorological program is downloaded to a business computer for legitimate purpose. It contains malware. The program is downloaded to a laptop used to adjust settings on meteorological and other monitoring instruments and impacts system performance. Plant Property
History of Cyber Security Guidance 2002 NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in 2003 NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003 NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants 2005 NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005) 2006 Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants. 2007 Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.
10 CFR 73.54 - Scope Protection of Digital Computer and Communication Systems and Networks (2009) • Each licensee… shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat… • The licensee shall protect digital computer and communication systems/networks associated with: • Safety-related and important-to safety functions; • Security functions; • Emergency preparedness (EP) functions, including offsite communications; and • Support systems and equipment which, if compromised, would adversely impact safety, security, orEP (SSEP) functions. 9
10 CFR 73.54 – Protect Systems • The licensee shall protect SSEP systems and networks from cyber attacks that would: • Adversely impact the integrity or confidentiality of data and/or software • Deny access to systems, services, and/or data • Adversely impact the operation of systems, networks, and associated equipment. 10
10 CFR 73.54 – First Steps • The licensee shall: • Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks. These are called critical digital assets. • Establish, implement, and maintain a cyber security program for the protection of the critical digital assets • Incorporate the cyber security program as a component of the physical protection program. 11
10 CFR 73.54 – Program Design • The cyber security program must be designed to: • Implement security controls to protect the critical digital assets from cyber attacks • Apply and maintain defense-in depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks • Mitigate the adverse affects of cyber attacks • Ensure the functions of critical digital assets are not adversely impacted due to cyber attacks. 12
10 CFR 73.54 – More Program Requirements • The licensee shall: • Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities. • Evaluate and manage cyber risks. • Ensure that modifications to critical digital assets are evaluated before implementation to ensure that the cyber security performance objectives are maintained. 13
10 CFR 73.54 – Cyber Security Plan • Establish, implement, and maintain an effective cyber security plan that: • describes how the cyber security program will implement the Rule • Describes how the licensee will account for site-specific conditions that affect implementation • includes measures for incident response and recovery during and after a cyber attack. The plan must describe how the licensee will: • maintain the capability for timely detection and response to cyber attacks • mitigate the consequences of cyber attacks • correct exploited vulnerabilities • restore affected systems, networks, and/or equipment affected by cyber attacks. 14
10 CFR 73.54 – Policies, Records, Etc. • The licensee shall: • develop and maintain written policies and implementing procedures to implement the cyber security plan. • make policies, implementing procedures, site-specific analysis, and other supporting technical information available upon request for NRC inspection • review the cyber security program as a component of the physical security program • retain all records and supporting technical documentation required to satisfy the requirements 15
RG-5.71Cyber Security Programs for Nuclear Facilities • Evolution of the Reg Guide • 2007 - work on DG-5022 begins in the fall • 2008 - DG-5022 provided to industry in May • 1st stakeholder meeting conducted in July • Revised DG-5022 provided to industry in November • 2nd stakeholder meeting in December • 2009 - RG-5.71 presented to the ACRS in February • Revised RG-5.71 provided to industry in June • 3rd stakeholder meeting conducted in July • Coming Soon • Revised RG-5.71 to be presented to the ACRS in Nov. 2009 • Final RG-5.71 to be released sometime after the ACRS gives its approval. 16
RG-5.71 Contents • Current size – about 120 pages • Content: • A. Introduction • B. Discussion • C. Regulatory Position • D. Implementation • Glossary • Bibliography • References • Appendix A Generic Cyber Security Plan Template • Appendix B Technical Security Controls • Appendix C Operational and Management Security Controls • Appendix D Reporting of Attacks and Incidents 17
RG-5.71 Focus • Provide cyber security throughout the system lifecycle: • Concept phase • Requirements phase • Design Phase • Implementation Phase • Test Phase • Installation, Checkout and Acceptance Testing Phase • Operations Phase • Maintenance Phase • Retirement Phase 18
RG-5.71 – Cyber Security Team • Form a Cyber Security Team • Senior Plant Manager will be designated as the “Cyber Security Program Sponsor” • Cyber Security Program Manager will oversee the Cyber Security Program • Cyber Security Specialists • Cyber Security Incident Response Team that will include representatives from physical security, operations, engineering, IT and other organizations • Other plant staff will also have cyber security roles • Provide staff training 19
RG-5.71 – Identify Critical Digital Assets • Identify critical digital systems and networks (critical systems) that provide a safety, security, or emergency preparedness function • Identify the critical digital assets that are part of, or are connected to critical systems 20
RG-5.71 – Cyber Security Assessment • Perform a cyber security assessment. This is a follow-up to the NEI 04-04 assessment • Assessment consists of: • Tabletop review • Physical Inspection • Electronic verification • Conduct assessment on all critical digital assets and it extends out through all connection pathways (i.e., a “pull the wire” assessment). 21
RG-5.71 – Defensive ArchitecturePart of Defense in Depth Protective Strategy Level 4: Vital Area Level 3: Protected Area Level 2: Owner-Controlled Area Level 1: Corporate Accessible Area Level 0: Public Accessible Area 22
RG-5.71 – Security Controls • Implement a comprehensive set of security controls based on the guidance provided in NIST SP 800-53 “Recommended Security Controls for Federal Information Systems” 23
RG-5.71 – Security Controls (cont) • A commitment by the licensee to implement a cyber security program with rigorous security controls will be specified in the Cyber Security Plan required by 10 CFR 73.54. • Details on the security controls are provided in the Appendices A, B, and C of RG-5.71 • A twist -- licensees are preparing their cyber security plans by following NEI 08-09 and not Appendix A of RG-5.71 • A counter twist – the NRC must approve the licensees cyber security plans. 24
RG-5.71 – Additional Guidance • The RG-5.71 also provides guidance on: • Continuous Monitoring and Assessment • Configuration Management • Security Impact Analysis of Changes and Environment • Effectiveness Analysis • Ongoing Assessment of Security Controls • Vulnerability Scans/Assessments • Change Control • Security Program Review 25
Summary Guidance for Meteorology and other EP Program Managers Be aware of the cyber security threat environment Assess the cyber security of your systems and networks Assess the cyber security of your communication pathways Look for and eliminate cyber vulnerabilities Be pro-active in defending your systems Don’t be afraid to ask for help from your plant or corporate cyber security specialists Discuss cyber security needs with your management
On the Horizon… Cyber Security NUREG/CRs Industry Cyber Security Workshops Revised Guidance NRC cyber security inspections From NERC/FERC revised Critical Infrastructure Protection Standards (CIPS) NERC audits
Questions? Cliff Glantz Pacific Northwest National Laboratory PO Box 999 Richland, WA 99352 509-375-2166 cliff.glantz@pnl.gov