180 likes | 463 Views
Cyber Security Plan Implementation Presentation to CMBG. Glen Frix, Duke Energy June 20, 2010. Cyber Security. Overview NRC NERC. Overview. NRC 10 CFR 73.54 and NERC CIP 002 - 009 Both large projects with significant assessment and documentation required.
E N D
Cyber Security Plan ImplementationPresentation to CMBG Glen Frix, Duke Energy June 20, 2010
Cyber Security • Overview • NRC • NERC
Overview • NRC 10 CFR 73.54 and NERC CIP 002 - 009 • Both large projects with significant assessment and documentation required. • In some cases, modifications may be required to bring digital components into compliance. • Scope: • NRC: Safety, Important to Safety, Security, EP • NERC: Bulk Electric System (Balance of Plant)
NRC • All 104 US licensed nuclear units submitted CS Plan to NRC for their approval November, 2009. • All used NEI 08-09 as guidance. • Nuclear Energy Institute & industry team responded to ~71 Requests for Additional Information questions from NRC staff. • Updated NEI 08-09 as a result. Rev. 6 has been approved by NRC Staff by letter in early May. • Licensees will need to re-submit LAR based on NEI 08-09 Rev. 6 in ~July/August 2010.
NRC • Technical Challenges • ~140 cyber security controls w/ multiple bullets • Numerous “Critical Digital Assets (CDAs)” per site. • Each control has to be “addressed:” • Implement the control • Implement an alternate control, with justification • Justify why control is not needed. • Controls based on National Institute of Standards & Technology (NIST) SP 800-53 & 82. • Not written in “nuclear speak.” • Thus, training is required.
NRC • Schedule • 10 CFR 73.54 did not specify a schedule. • Sites submitted “draft” implementation schedule with original submittal in November 2009. • ~ 60 % of industry submitted 36/48/60 months after approval by NRC Staff. • NRC now wants new schedule with supplement • Milestones as “commitments” • Final END DATE as condition of the License
NRC • Project Overview • Cyber security assessment • Cyber Security Assessment Team (CSAT) – (similar to MR Expert Panel) • ~35 CDAs per site (average) x ~140 controls x ~5 bullets per control • Walkdown/validation • Cross site fleet QV&V & industry benchmarks • Training • CSAT • Ongoing • Procedures/Directives • NSD 803, NSD 804, NSD 807, EDM 801 • Implementing procedures • Records • Documentation of assessment • Documentation of controls • Assessment team records • Etc.
NRC • Ongoing Program • Periodic assessment • weekly/monthly/quarterly/yearly surveillances • Independent oversight • Linkage to physical security plan • Will require permanent, dedicated resources • Estimated ~ 2+ per site, dedicated, cyber security specialists • System engineers & IAE resources impactedon a case by case basis. • OPS, EP, Security resources impacted ongoing by CSAT
NRC • Configuration Management • ONGOING MONITORING AND ASSESSMENT • …The ongoing monitoring program includes: • Configuration management of CDAs; • Numerous assessment & verification activities
NRC • Configuration Management • 4.4 ONGOING MONITORING AND ASSESSMENT • …The ongoing monitoring program includes: • Configuration management of CDAs; • Numerous assessment & verification activities
NRC • Configuration Management • 4.4.1 Configuration Management and Change Control • CDA cyber security and configuration management documentation is updated or created using the site configuration management program or other configuration management procedure or process. • This documentation includes the bases for not implementing one or more of the technical cyber security controls specified in Appendix D of NEI 08-09, Revision 6.
NRC • Configuration Management • Appendix E, Section 10 Configuration Management • 10.2 Configuration Management Policy and Procedures • 10.3 Baseline Configuration – document configuration of various cyber security related settings. • 10.4 Security Change Control – authorize & document changes. • 10.5 Security Impact Analysis prior to making changes • 10.6 Access restrictions – physical and electronic access • 10.7 Configuration Settings • 10.8 Least functionality – eliminate unnecessary ports, services, etc. • 10.9 Component Inventory
NERC • FERC Order 706-B clarified the exemption for “facilities” regulated by the NRC. • “Facilities” to Nuclear meant “Oconee Nuclear Station.” • Facilities to FERC meant the Reactor Protection System at Oconee Nuclear Station. • FERC “hired” NERC to implement the cyber security rules, thus the NERC CIP cyber security standards. • Great desire by industry to only have one regulator per system. • “bright line” divides NERC scope from NRC scope • NERC “survey” of systems due to NERC by 7-23-10.
NERC • Presently per NERC CIP 002, many nuclear stations are not in scope. • Not “critical assets” to the Bulk Electric System. • Few nuclear stations are critical. • Nor are the large Duke SE fossil stations. • Revision 4 of NERC CIPs likely to be approved in December 2010. If the current draft is approved, many generation sites are likely to be in scope. • Revision 4 of the standards are out for comment right now. • Implementing NRC and NERC concurrently will be significantly difficult.
“My job is to tell you things you don’t want to hear, asking you to spend money you don’t have, to prepare for something you don’t believe will ever happen.” (Mike Selves, Director of Emergency Management and Homeland Security, Johnson County, Kansas)