Cyber Security for Nuclear Facilities: An Overview of the NRC Regulatory Framework
Craig Erlanger and George Simonds, Cyber Security and Integrated Response Branch, Office of Nuclear Security and Incident Response, U.S. Nuclear Regulatory Commission
September 26, 2012

Source: trtr.org/wp-content/uploads/2017/12/ML12276A251.pdf


Page 1: Title slide

Cyber Security for Nuclear Facilities: An Overview of the NRC Regulatory Framework
Craig Erlanger
George Simonds
Cyber Security and Integrated Response Branch
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
September 26, 2012

Page 2: Cyber Security – Today’s Overview

• Why – Threat and Consequence
• What – Modes of Protection
• How – Performance-Based Regulation

Page 3: Why – Threat and Consequence

Page 4: Why – Threat

Page 5: Why – Threat

• What is an Advanced Attack?
• What We Know / Don’t Know
• Attack Vectors
• Internal / External

Page 6: Why – Threat

Past – Today

Page 7: Why – Consequence

• Not the Same for All Licensees’ Facilities
• Perceived and Real Consequences
• Security is a Process, Not a State
• Think Maliciously

Page 8: What – Modes of Protection

Page 9: What – Modes of Protection

• Common Taxonomy
  – NIST Special Publication 800-82, “Guide to Industrial Control System (ICS) Security”
• ICS Not Designed with Security in Mind
• Programmatic
  – Standards Tailored for Flexibility & Effectiveness
  – RG 5.71 & NEI 08-09 (R6)

Page 10: (image slide, no extractable text)

Page 11: How – Performance-Based Regulation

Page 12: How – Performance-Based Regulation

• NRC Cyber Security Rule (10 CFR 73.54)
  – Performance-Based, Programmatic
  – FOCUS: High Assurance of Adequate Protection
  – Generic (i.e., not reactor-specific)
  – Consistent with regulatory approach for physical security
  – Digital Systems and Equipment Associated with Critical Functions
  – Licensees Perform Analysis to Determine What Needs Protection

Page 13: How – Performance-Based Regulation

• Basic Requirements
  ◦ Digital assets that must be protected
  ◦ Defense-in-depth protective strategy
  ◦ Application of security controls to digital assets
  ◦ Implementation details maintained on site
  ◦ Submission of Cyber Security Plans to NRC for approval
• Balance of Plant Systems

Page 14: How – Performance-Based Regulation

• Regulatory Guidance
  – Align with Programmatic, Performance-Based Rule
  – Integration With Existing NRC Programs (Physical Security, etc.)
  – Template for Licensing Cyber Security Plan

Diagram labels recovered from the slide: Standards-Based (NIST, DHS, IEEE) → Performance-Based Rule; Collaboration (NEI, Industry, National Labs, Private Sector); Finalize (Cyber Security Plan, Concurrence, ACRS Approval, Publicly Available)

Page 15: How – Performance-Based Regulation

• Challenges
  – Scope of Cyber Security
  – Breadth of Programs (Physical Security, Maintenance, Digital I&C Development, etc.)
  – Monitoring the Threat-scape
  – Workforce Training and Development

Page 16: How – Performance-Based Regulation

• Path Forward for RTRs
  – Self-Assessments
  – NRC Evaluation of Self-Assessments
  – Site Visits
  – Determine Next Steps
• Additional Considerations for Cyber Security
  – Cyber Security Roadmap
  – Guidance Development
  – Cyber Security Training
  – Interagency and International Support

Page 17: Questions?