nuclear regulatory commission cyber security program · 2015-02-25 · nrc cyber security program...
TRANSCRIPT
Nuclear Regulatory Commission
Cyber Security Program
Barry Westreich
Director, Cyber Security Directorate
Office of Nuclear Security & Incident Response
Nuclear Regulatory Commission
The U.S. Nuclear Regulatory Commission (NRC) was created as an independent agency by Congress in 1974 to ensure the safe use of radioactive materials
for beneficial civilian purposes while protecting people and the environment.
Commercial Power Reactors, Non-Power Reactors
Hospitals, Nuclear Fuel Cycle, Fuel Storage
NRC Cyber Security History
• 2002-2003: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders
• 2005: NRC supported industry voluntary cyber program (NEI 04-04)
• 2009: 10 CFR 73.54, Cyber Security Rule
• 2012: Implementation/Oversight of Interim Cyber Security measures
• 2014: Endorsed NEI 13-10 Cyber Security Control Assessments
  – Graded Consequence Based Approach
NRC Power Reactor Cyber Security Program
10 CFR 73.54 (2009): Protect digital assets associated with Safety, Security, and Emergency Preparedness (SSEP) functions
Required Power Reactors to submit a Cyber Security Plan (CSP) for NRC review & approval
Coordination with NERC/FERC to address potential areas of overlap
NRC Cyber Security Program 10 CFR 73.54 Basic Requirements
1. Identify Critical Digital Assets (CDAs)
2. Apply & Maintain a Defense-in-Depth Protective Strategy.
3. Address Security Controls for each CDA.
4. Identify, Respond and Mitigate against cyber attacks.
NRC Cyber Security Program 10 CFR 73.54 Basic Requirements
4. Training commensurate with roles and responsibilities to facility personnel
5. Review/Maintain the CSP as a component of the Physical Security Plan
6. Retain records and supporting technical documentation.
Guidance Documents
– Regulatory Guide (RG) 5.71 “Cyber Security Programs for Nuclear Facilities” (Jan 2010)
– NEI 08-09 Rev. 6 “Cyber Security Plan For Power Reactors” (April 2010)
Conceptual Approach
Cyber Security Assessment Team
Identify Critical Digital Assets
Apply Defensive Architecture
[Diagram: defensive architecture separating Safety CDAs and Security CDAs from the Site LAN and Corporate LAN]
Address Security Controls
1. Address each control for all CDAs, or
2. Apply alternative measures, or
3. Explain why a control is N/A
Consequence Based Graded Cyber Risk Management Approach
1. Identify Critical Digital Assets associated with Important Functions
2. Implement basic Cyber program for all CDAs (milestones 1-7)
   Ensure continued maintenance of basic cyber program and ability to identify and mitigate impacts
3. Identify CDAs that have a delayed impact that can be recognized and mitigated prior to the function
4. Identify CDAs that have near term, direct impact on important function
   Assess and implement RG 5.71 controls.
NRC Cyber Security Program
Implementing in 2 phase approach
• 1st phase Milestones complete by 12/2012
  – Establish Multi-disciplinary Cyber Assessment Team
  – Identify Critical Digital Assets
  – Establish Defensive architecture - Isolation of the most critical assets
  – Control Portable Media and Devices
  – Enhanced Insider Mitigation
  – Controls Established for most significant components
• Full implementation 2016-2017.
Contact Information
Barry Westreich
Director, Cyber Security Directorate
US Nuclear Regulatory Commission
[email protected]
301-287-3664