Cyber Security Roadmap Presentation. · 2017-06-15 · Cyber Security Roadmap Paper •Originally...
Cyber Security Roadmap
Jim Beardsley
Chief, Cyber Security Branch
Division of Physical & Cyber Security Policy
Office of Nuclear Security and Incident Response
6/13/2017
Cyber Security Roadmap Paper
• Originally Issued June 25, 2012.
  – Power Reactors & COL Holders
  – Fuel Cycle Facilities
  – Non Power Reactors
  – ISFSIs & Materials
• Updated Feb 2017 to reflect program changes and progress in cyber implementation.
  – Added Decommissioning Reactors
  – ML16354A258
Power Reactors & COL Holders
• Milestone 1-7 Completed in 2012; inspected 2013-2015.
• Milestone 8 (Full Cyber Implementation) Complete by December 2017
• Full Implementation Inspections 2017-2020
  – The NRC and Licensees have learned a lot of lessons through the implementation process.
  – Graded approach to CDA control application through NEI 13-10.
Fuel Cycle Facilities
• Completed the supporting offices' concurrences on the draft proposed rule package – January 2017
• OGC gave NLO on the draft proposed rule package – April 2017
• Draft proposed rule package due to the Commission – September 30, 2017
• Upcoming rule related activities:
  – June 8, 2017 – ACRS full committee meeting
  – June 27, 2017 – Brief the CRGR
  – July 2017 – Response due to working group from ACRS and CRGR
Non Power Reactors
• Staff assessed the wide variety of licensees through self-assessments and site visits.
  – The staff concluded that NPR licensees have implemented an adequate level of cyber security at their facilities.
• The staff published guidance with effective practices for cyber at NPRs based on the assessment
  – ML 15252A236
Independent Spent Fuel Storage Installations (ISFSIs)
• The staff conducted an assessment of cybersecurity at ISFSIs in 2012 and determined, at that time, that the licensee’s cyber security efforts adequately protect from a cyber attack.
• The staff plans to re-evaluate the physical security protections at ISFSIs in 2020 to determine if rulemaking is warranted, and cyber will be included in that assessment.
Decommissioning Reactors
• In a COMSECY dated Dec 5, 2016, staff noted that the cyber security rule (10 CFR 73.54) no longer applies to reactor licensees following termination of their license.
• Cyber security for decommissioning is included in the ongoing decommissioning rulemaking effort.
Byproduct Materials
• Very complex due to the wide variety of licensees.
• Staff plans documented in a Commission memorandum on April 29, 2016
  – ML 15246A306
• The staff is developing a Commission notation vote paper that will provide the working group's recommendations - due to the EDO September 29, 2017
Questions
Backup Slides
Background
• 2002-2003: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders
• 2005: NRC supported industry voluntary cyber program (NEI 04-04)
• 2009: 10 CFR 73.54, Cyber Security Rule
• 2010: NRC Regulatory Guidance 5.71 was released.
• 2012: Implementation/Oversight of Interim Cyber Security Milestones.
• 2013-2015: Milestone 1-7 Inspections
• 2016-2017: Cyber PI&R Samples at Operating Sites
Full Implementation Cybersecurity Inspections
• Staff have developed the following in support of the inspection program.
  – New Inspection Procedure (IP 71130.10)
    • With NRR for publishing
    • 2 week inspection. 2 inspectors, 2 contractors, 1 NSIR
  – Updated SDP (IMC 0609 Appendix E, Part IV)
    • In 30 day review by the regions
  – Enforcement Guidance Memorandum (EGM)
    • With OE for processing
    • The Cyber EGM will provide the inspectors with a process for Enforcement Discretion
Full Implementation Cybersecurity Inspections
• Joint tabletop exercises and workshops to exercise guidance and exchange experience
  – Next one at Diablo Canyon (May 2017)
• Full implementation inspections start in 2017:
  • South Texas - July/August
  • Monticello - September
• Cyber Inspection “Time Out” October-December
  • Assess lessons learned, both industry & staff
  • Cyber Inspector Counterpart/Training, Nov 2017
• Full inspection program starts in January 2018
  • The program is expected to take ~3 years.
Cyber for New Construction
• RII, NRO & NSIR have conducted joint vendor inspections at WEC to look at the AP-1000 cyber implementation.
• RII is developing a phased cyber inspection program for the AP-1000s.
• The cybersecurity program is required before fuel is brought onsite.