Cyber Security in Digital Instrumentation and Controls

Background

The purpose of cyber security assessments is to detect and then eliminate or mitigate vulnerabilities in the digital system that could be exploited from either outside or inside the digital system protected area. Defending against this class of failures is made more challenging by the rapidly evolving “industry” that continues to develop new attack methods. Various individuals and undocumented organizations develop viruses, worms, and associated computer programs. Others concentrate on developing methods for gaining access to protected data and systems with the intent to disrupt system operations or illegally obtain information from the systems.

NRC Report and Related NEI Guidance on Security Self-Assessments

Two security-related NRC orders issued in the wake of the terrorist attacks on September 11, 2001, mandated in part that nuclear power plant licensees enhance the cyber security of their digital systems. In response, through a contract with the Pacific Northwest National Laboratory and in cooperation with the Nuclear Energy Institute (NEI) Cyber Security Task Force, the NRC developed and issued a technical report in the NUREG-series on a method for performing a cyber security self-assessment at U.S. nuclear power plants. That report provides guidance that licensees can use to systematically identify cyber vulnerabilities at their facilities, assess their relative (security) risk-significance, and institute cost-effective mitigating measures. Using this NRC report as a foundation, the NEI task force developed comprehensive guidance that nuclear power plant licensees can use to develop and manage an effective cyber security program. In December 2005, the NRC staff endorsed this NEI guidance as an acceptable method for establishing and maintaining a cyber security program at nuclear power plants.

Regulatory Guide 1.152, Rev. 2

In parallel with the development of the NRC report and NEI guidance, the staff revised existing regulatory guidance on the use of computers in nuclear digital safety systems. Regulatory Guide 1.152, Rev. 2, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants,” states in part that digital safety system development processes should address potential security vulnerabilities in each phase of the digital safety system development lifecycle. Use of the deterministic guidance contained in Regulatory Guide 1.152, in conjunction with NEI guidance, for digital safety system designs would assure security against cyber vulnerabilities.

Revisions to 10 CFR Part 73

As part of the agency’s ongoing effort to respond to the two security-related NRC orders issued, the Commission will codify the mandated cyber security enhancement requirements in new regulations in 10 CFR Part 73, “Physical Protection of Plants and Materials.”

Planned Regulatory Guidance

The NRC will develop regulatory guidance that relies heavily on the NRC report, which the industry used in its NEI program management guideline. In doing so, the NRC anticipates that research will likely be required to establish inspection review procedures, criteria, and assistance needed to prepare regulatory guidance documents associated with the implementation of the NRC report and NEI guidance.

Cooperative Agreements and Research

The NRC is engaging other Federal agencies, most notably the U.S. Department of Homeland Security and the Federal Energy Regulatory Commission, as well as the North American Electric Reliability Corporation, in an effort to leverage related cyber security work that these agencies have completed or are conducting.

The NRC is participating in a project sponsored by the intergovernmental Technical Support Working Group to develop a software-based tool that will facilitate the implementation of NUREG and NEI guidance and to develop a device that will provide secure communications for digital safety systems. The tool is expected to use a question-and-answer format to guide security audits of installed networks and digital systems through the NUREG and NEI guidance topic areas. The product of this research may be integrated into the NRC’s cyber security review processes.