Transcript Cyber Security Plan Implementation Presentation to RES BEST

Cyber Security Plan
Implementation
Presentation to CMBG
Glen Frix, Duke Energy
June 20, 2010
1
Cyber Security
Overview
 NRC
 NERC

2
Overview
NRC 10 CFR 73.54 and NERC CIP 002 009
 Both large projects with significant
assessment and documentation required.
 In some cases, modifications may be
required to bring digital components into
compliance.
 Scope:

◦ NRC: Safety, Important to Safety, Security, EP
◦ NERC: Bulk Electric System (Balance of Plant)
3
NRC
4
NRC





All 104 US licensed nuclear units submitted CS
Plan to NRC for their approval November, 2009.
All used NEI 08-09 as guidance.
Nuclear Energy Institute & industry team
responded to ~71 Requests for Additional
Information questions from NRC staff.
Updated NEI 08-09 as a result. Rev. 6 has been
approved by NRC Staff by letter in early May.
Licensees will need to re-submit LAR based on
NEI 08-09 Rev. 6 in ~July/August 2010.
5
NRC

Technical Challenges
◦ ~140 cyber security controls w/ multiple bullets
◦ Numerous “Critical Digital Assets (CDAs)” per
site.
◦ Each control has to be “addressed:”
 Implement the control
 Implement an alternate control, with justification
 Justify why control is not needed.
◦ Controls based on National Institute of Standards
& Technology (NIST) SP 800-53 & 82.
 Not written in “nuclear speak.”
 Thus, training is required.
6
NRC

Schedule
◦ 10 CFR 73.54 did not specify a schedule.
◦ Sites submitted “draft” implementation
schedule with original submittal in November
2009.
 ~ 60 % of industry submitted 36/48/60 months after
approval by NRC Staff.
◦ NRC now wants new schedule with
supplement
 Milestones as “commitments”
 Final END DATE as condition of the License
7
NRC

Project Overview
◦ Cyber security assessment




Cyber Security Assessment Team (CSAT) – (similar to MR Expert Panel)
~35 CDAs per site (average) x ~140 controls x ~5 bullets per control
Walkdown/validation
Cross site fleet QV&V & industry benchmarks
◦ Training
 CSAT
 Ongoing
◦ Procedures/Directives
 NSD 803, NSD 804, NSD 807, EDM 801
 Implementing procedures
◦ Records
 Documentation of assessment
 Documentation of controls
 Assessment team records
◦ Etc.
8
NRC

Ongoing Program
◦
◦
◦
◦
◦
Periodic assessment
weekly/monthly/quarterly/yearly surveillances
Independent oversight
Linkage to physical security plan
Will require permanent, dedicated resources
 Estimated ~ 2+ per site, dedicated, cyber security
specialists
 System engineers & IAE resources impacted on a case by
case basis.
 OPS, EP, Security resources impacted ongoing by CSAT
9
NRC

Configuration Management
◦ ONGOING MONITORING AND ASSESSMENT
 …The ongoing monitoring program
includes:
 Configuration management of CDAs;
 Numerous assessment & verification
activities
10
NRC

Configuration Management
◦ 4.4 ONGOING MONITORING AND
ASSESSMENT
 …The ongoing monitoring program
includes:
 Configuration management of CDAs;
 Numerous assessment & verification
activities
11
NRC

Configuration Management
◦ 4.4.1 Configuration Management and Change
Control
 CDA cyber security and configuration management
documentation is updated or created using the site
configuration management program or other
configuration management procedure or process.
 This documentation includes the bases for not
implementing one or more of the technical cyber
security controls specified in Appendix D of NEI 0809, Revision 6.
12
NRC

Configuration Management
◦ Appendix E, Section 10 Configuration Management
 10.2 Configuration Management Policy and Procedures
 10.3 Baseline Configuration – document configuration of
various cyber security related settings.
 10.4 Security Change Control – authorize & document
changes.
 10.5 Security Impact Analysis prior to making changes
 10.6 Access restrictions – physical and electronic access
 10.7 Configuration Settings
 10.8 Least functionality – eliminate unnecessary ports,
services, etc.
 10.9 Component Inventory
13
NERC
14
NERC





FERC Order 706-B clarified the exemption for
“facilities” regulated by the NRC.
“Facilities” to Nuclear meant “Oconee Nuclear
Station.”
Facilities to FERC meant the Reactor Protection
System at Oconee Nuclear Station.
FERC “hired” NERC to implement the cyber
security rules, thus the NERC CIP cyber security
standards.
Great desire by industry to only have one regulator
per system.
◦ “bright line” divides NERC scope from NRC scope
◦ NERC “survey” of systems due to NERC by 7-23-10.
15
NERC

Presently per NERC CIP 002, many nuclear stations
are not in scope.
◦ Not “critical assets” to the Bulk Electric System.
◦ Few nuclear stations are critical.
◦ Nor are the large Duke SE fossil stations.
Revision 4 of NERC CIPs likely to be approved in
December 2010. If the current draft is approved,
many generation sites are likely to be in scope.
 Revision 4 of the standards are out for comment
right now.
 Implementing NRC and NERC concurrently will be
significantly difficult.

16
“My job is to tell you things you
don’t want to hear, asking you to
spend money you don’t have, to
prepare for something you don’t
believe will ever happen.”
(Mike Selves, Director of Emergency
Management and Homeland Security,
Johnson County, Kansas)
17
COMMENTS/QUESTIONS?
18