Cyber Security in Digital Instrumentation and Controls

Background

The purpose of cyber security assessments is to detect and then eliminate or mitigate vulnerabilities in the digital system that could be exploited either from outside or inside of the digital system protected area. The process of defending against this class of failures is made more challenging by the rapidly evolving “industry” that continues developing new attack methods. Various individuals and undocumented organizations develop viruses, worms, and associated computer programs. Others concentrate on developing methods for gaining access to protected data and systems with the intent to disrupt system operations or illegally obtain information from the systems.

NRC Report and Related NEI Guidance on Security Self-Assessments

Two security-related NRC orders issued in the wake of the terrorist attacks on September 11, 2001, mandated in part that nuclear power plant licensees enhance the cyber security of their digital systems.

In response, through a contract with the Pacific Northwest National Laboratory and in cooperation with the Nuclear Energy Institute (NEI) Cyber Security Task Force, the NRC developed and issued a technical report in the NUREG-series on a method for performing a cyber security self-assessment at U.S. nuclear power plants. That report provides guidance that licensees can use to systematically identify cyber vulnerabilities at their facilities, assess their relative (security) risk-significance, and institute cost-effective mitigating measures.

Using this NRC report as a foundation, the NEI task force developed comprehensive guidance that nuclear power plant licensees can use to develop and manage an effective cyber security program. In December 2005, the NRC staff endorsed this NEI guidance as an acceptable method for establishing and maintaining a cyber security program at nuclear power plants.

Regulatory Guide 1.152, Rev. 2

In parallel with the development of the NRC report and NEI guidance, the staff revised existing regulatory guidance on the use of computers in nuclear digital safety systems. Regulatory Guide 1.152, Rev. 2, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants,” states, in part, that digital safety system development processes should address potential security vulnerabilities in each phase of the digital safety system development lifecycle. Use of the deterministic guidance contained in Regulatory Guide 1.152, in conjunction with NEI guidance, for digital safety system designs would assure security against cyber vulnerabilities.

Revisions to 10 CFR Part 73

As part of the agency’s ongoing effort to respond to the two security-related NRC orders issued, the Commission will codify the mandated cyber security enhancement requirements in new regulations in 10 CFR Part 73, “Physical Protection of Plants and Materials.”

Planned Regulatory Guidance

The NRC will develop regulatory guidance that relies heavily on the NRC report, which the industry used in its NEI program management guideline. In doing so, the NRC anticipates that research will likely be required to establish inspection review procedures, criteria, and assistance needed to prepare regulatory guidance documents associated with the implementation of the NRC report and NEI guidance.

Cooperative Agreements and Research

The NRC is engaging other Federal agencies, most notably the U.S. Department of Homeland Security and the Federal Energy Regulatory Commission, as well as the North American Electric Reliability Corporation, in an effort to leverage related cyber security work that these agencies have completed or are conducting.

The NRC is participating in a project sponsored by the intergovernmental Technical Support Working Group to develop a software-based tool that will facilitate the implementation of the NUREG and NEI guidance and to develop a device that will provide secure communications for digital safety systems. The tool is expected to use a question-and-answer format to guide security audits of installed networks and digital systems through the NUREG and NEI guidance topic areas. The product of this research may be integrated into the NRC’s cyber security review processes.

Wednesday, July 11, 2007