An Insider’s Perspective on the NRC’s New Cyber Security Rule
and Forthcoming Regulatory Guidance: Potential Impacts on
Meteorology and Emergency Preparedness Programs
Prepared by: Cliff Glantz, Phil Craig, and Guy Landine
Pacific Northwest National Laboratory
Richland, WA
Key Presentation Themes
Cyber security is a real concern
The cyber threat landscape
The new Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54
The new cyber security regulatory guide -- RG-5.71
The Concern…
• Cyber security is an issue of grave national importance.
• The NRC is concerned that a cyber attack can impact safety, security, and emergency response functions.
• NERC is concerned that a cyber attack can impact the ability of the electric grid “to keep the lights on”.
Cyber Threat Landscape
Potential “Threat Agents”
• Hackers/crackers
• Insiders
• Organized crime
• Terrorists
• Espionage
• Cyber warfare
What is a Cyber Attack?
A cyber attack can include a wide variety of computer-based events that could impact:
• Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and “need to know”.
• Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized take-over of a system.
• Availability: deny access to systems, networks, services, or data.
Types of Threats
Targeted/Untargeted
• Targeted threats are directed at a specific control system or facility
• Untargeted threats are focused on any computer with a given operating system or commonly used software (e.g., Windows XP, Excel)
Malicious/Inadvertent
• Malicious -- intending to do harm
• Inadvertent -- an accidental outcome
Insider/Outsider
• An insider can be someone employed at the facility or a vendor
• An outsider can have no direct connection to the target, but may still have considerable knowledge
• Outsiders can exploit insiders with or without their explicit cooperation
Direct/Indirect
• Direct involves an exploit on the targeted system
• Indirect involves exploiting a support system (e.g., power, cooling)
Examples of Potential Cyber Attacks
• A USB memory stick labeled as plant property is “dropped” in a parking lot at a local shopping center. It contains malware that would be installed on a company computer if some good Samaritan plugs the “lost” stick into a work computer to see who it belongs to.
• An internet connection (wired or wireless) or modem used to access meteorological data systems is hacked and the intruder gains system administrator control.
• A freeware meteorological program is downloaded to a business computer for a legitimate purpose. It contains malware. The program is downloaded to a laptop used to adjust settings on meteorological and other monitoring instruments and impacts system performance.
History of Cyber Security Guidance
2002
• NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants in
2003
• NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003
• NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants
2005
• NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005)
2006
• Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.
2007
• Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.
10 CFR 73.54 - Scope
Each licensee… shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat…
The licensee shall protect digital computer and communication systems/networks associated with:
Safety-related and important-to-safety functions;
Security functions;
Emergency preparedness (EP) functions, including offsite communications; and
Support systems and equipment which, if compromised, would adversely impact safety, security, or EP (SSEP) functions.
Protection of Digital Computer and Communication Systems and Networks (2009)
10 CFR 73.54 – Protect Systems
The licensee shall protect SSEP systems and networks from cyber attacks that would:
• Adversely impact the integrity or confidentiality of data and/or software
• Deny access to systems, services, and/or data
• Adversely impact the operation of systems, networks, and associated equipment.
10 CFR 73.54 – First Steps
The licensee shall:
• Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks. These are called critical digital assets.
• Establish, implement, and maintain a cyber security program for the protection of the critical digital assets
• Incorporate the cyber security program as a component of the physical protection program.
10 CFR 73.54 – Program Design
The cyber security program must be designed to:
• Implement security controls to protect the critical digital assets from cyber attacks
• Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks
• Mitigate the adverse effects of cyber attacks
• Ensure the functions of critical digital assets are not adversely impacted due to cyber attacks.
10 CFR 73.54 – More Program Requirements
The licensee shall:
• Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities.
• Evaluate and manage cyber risks.
• Ensure that modifications to critical digital assets are evaluated before implementation to ensure that the cyber security performance objectives are maintained.
10 CFR 73.54 – Cyber Security Plan
Establish, implement, and maintain an effective cyber security plan that:
describes how the cyber security program will implement the Rule
describes how the licensee will account for site-specific conditions that affect implementation
includes measures for incident response and recovery during and after a cyber attack. The plan must describe how the licensee will:
maintain the capability for timely detection and response to cyber attacks
mitigate the consequences of cyber attacks
correct exploited vulnerabilities
restore affected systems, networks, and/or equipment affected by cyber attacks.
10 CFR 73.54 – Policies, Records, Etc.
The licensee shall:
• develop and maintain written policies and implementing procedures to implement the cyber security plan.
• make policies, implementing procedures, site-specific analysis, and other supporting technical information available upon request for NRC inspection
• review the cyber security program as a component of the physical security program
• retain all records and supporting technical documentation required to satisfy the requirements
RG-5.71
Cyber Security Programs for Nuclear Facilities
Evolution of the Reg Guide
• 2007 - work on DG-5022 begins in the fall
• 2008 - DG-5022 provided to industry in May
  1st stakeholder meeting conducted in July
  Revised DG-5022 provided to industry in November
  2nd stakeholder meeting in December
• 2009 - RG-5.71 presented to the ACRS in February
  Revised RG-5.71 provided to industry in June
  3rd stakeholder meeting conducted in July
Coming Soon
• Revised RG-5.71 to be presented to the ACRS in Nov. 2009
• Final RG-5.71 to be released sometime after the ACRS gives its approval.
RG-5.71 Contents
Current size – about 120 pages
Content:
A. Introduction
B. Discussion
C. Regulatory Position
D. Implementation
Glossary
Bibliography
References
Appendix A Generic Cyber Security Plan Template
Appendix B Technical Security Controls
Appendix C Operational and Management Security Controls
Appendix D Reporting of Attacks and Incidents
RG-5.71 Focus
Provide cyber security throughout the system lifecycle:
• Concept Phase
• Requirements Phase
• Design Phase
• Implementation Phase
• Test Phase
• Installation, Checkout and Acceptance Testing Phase
• Operations Phase
• Maintenance Phase
• Retirement Phase
RG-5.71 – Cyber Security Team
Form a Cyber Security Team
Senior Plant Manager will be designated as the “Cyber Security Program Sponsor”
Cyber Security Program Manager will oversee the Cyber Security Program
Cyber Security Specialists
Cyber Security Incident Response Team that will include representatives from physical security, operations, engineering, IT and other organizations
Other plant staff will also have cyber security roles
Provide staff training
RG-5.71 – Identify Critical Digital Assets
• Identify critical digital systems and networks (critical systems) that provide a safety, security, or emergency preparedness function
• Identify the critical digital assets that are part of, or are connected to, critical systems
RG-5.71 – Cyber Security Assessment
Perform a cyber security assessment. This is a follow-up to the NEI 04-04 assessment.
The assessment consists of:
• Tabletop review
• Physical inspection
• Electronic verification
Conduct the assessment on all critical digital assets and extend it out through all connection pathways (i.e., a “pull the wire” assessment).
RG-5.71 – Defensive Architecture
Part of Defense in Depth Protective Strategy
Level 4: Vital Area
Level 3: Protected Area
Level 2: Owner-Controlled Area
Level 1: Corporate Accessible Area
Level 0: Public Accessible Area
RG-5.71 – Security Controls
Implement a comprehensive set of security controls based on the guidance provided in NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
RG-5.71 – Security Controls (cont)
• A commitment by the licensee to implement a cyber security program with rigorous security controls will be specified in the Cyber Security Plan required by 10 CFR 73.54.
• Details on the security controls are provided in Appendices A, B, and C of RG-5.71
• A twist -- licensees are preparing their cyber security plans by following NEI 08-09 and not Appendix A of RG-5.71
• A counter twist -- the NRC must approve the licensees' cyber security plans.
RG-5.71 – Additional Guidance
RG-5.71 also provides guidance on:
• Continuous Monitoring and Assessment
• Configuration Management
• Security Impact Analysis of Changes and Environment
• Effectiveness Analysis
• Ongoing Assessment of Security Controls
• Vulnerability Scans/Assessments
• Change Control
• Security Program Review
Summary Guidance for Meteorology and other EP Program Managers
• Be aware of the cyber security threat environment
• Assess the cyber security of your systems and networks
• Assess the cyber security of your communication pathways
• Look for and eliminate cyber vulnerabilities
• Be pro-active in defending your systems
• Don’t be afraid to ask for help from your plant or corporate cyber security specialists
• Discuss cyber security needs with your management
On the Horizon…
• Cyber Security NUREG/CRs
• Industry Cyber Security Workshops
• Revised Guidance
• NRC cyber security inspections
• From NERC/FERC revised Critical Infrastructure Protection Standards (CIPS)
• NERC audits
Questions?
Cliff Glantz
Pacific Northwest National Laboratory
PO Box 999
Richland, WA 99352