Where IT Security and Physical Security Converge

Nuclear Protection

A look at how the Nuclear Regulatory Commission is leading efforts to protect power plants against cyber attacks

In March 2009, a new security rule (10 CFR 73.54) went into effect requiring commercial nuclear power plants licensed to operate in the United States to submit cyber security plans to the Nuclear Regulatory Commission for review and approval.

By year’s end, these plans would begin pouring into the NRC, each describing in detail site-specific cyber security programs designed to protect systems providing safety, important-to-safety, security, and emergency preparedness (SSEP) functions for the plant from cyber attacks. This marked a new stage in nearly a decade of collaboration between NRC and utility representatives on a range of topics related to cyber security and the protection of critical plant systems.

On A Mission
When I first met Eric Lee of the NRC earlier in 2009, he was a man on a mission. With the new rule on the verge of going into effect, Lee was the technical lead over the development of official NRC guidance aimed at providing licensees (those utilities possessing a license to operate nuclear power plants) greater clarity as to what exactly the NRC was looking for in a cyber security program. At the time, Lee faced four major challenges.


First, with respect to cyber security, nuclear power plants are regulated by both the NRC and the Federal Energy Regulatory Commission (FERC). For some time, utilities faced having to implement cyber security requirements imposed by two regulators.

As early as 2002, the NRC began defining cyber security requirements for licensees, and by 2008, cyber security standards developed by the North American Electric Reliability Corporation (NERC) were approved by FERC for implementation at the power plants.

According to Scott Morris, deputy director for Reactor Security for the NRC’s Office of Nuclear Security and Incident Response Division of Security Policy, systems providing SSEP functions will be excluded from the FERC/NERC standards, while systems not providing SSEP functions (specifically those that could affect reliable electricity generation) still need to comply with the FERC/NERC requirements.

Morris said that the NRC and NERC are currently co-developing a Memorandum of Understanding “between the two organizations to establish formal protocols associated with information sharing, license ‘exception request’ reviews, on-site compliance inspections, and incident/event response.”

The MOU should be published in the Federal Register sometime in early 2010. For Lee, this meant guidance provided by the NRC needed to qualify where boundaries will be drawn delineating critical systems performing SSEP functions from plant systems accountable under FERC regulations.

Another Challenge
The second challenge stemmed from a requirement in the rule that licensees (utilities) “implement cyber security controls to protect [assets performing SSEP functions]… from cyber attacks.” (10 CFR 73.54(c)(1)) One option was for NRC to develop its own set of cyber security controls to meet the unique needs of systems providing SSEP functions, something that would take considerable time and resources to accomplish.

However, with cyber security plans due to the NRC by late 2009 and the utilities asking for guidance to aid compliance efforts beforehand, another option was needed.

In that first meeting with Lee, the recommendation was to look at NIST. At the time, the National Institute of Standards and Technology was working on a revision to its Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

Part of that revision was a new appendix outlining security controls and guidance for industrial control systems, something previous versions did not include. NIST, in partnership with representatives from both the public and private sectors, based many of the industrial control system security controls off another NIST guide, namely NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security.

Lee was already familiar with the Department of Homeland Security Control Systems Security Program and its “Catalog of Control Systems Security: Recommendations for Standards Developers,” which likewise spoke to security controls offered within the NIST Special Publication 800-53.

Standardized Security Controls
The decision was not a difficult one. The NIST and DHS guidelines offered a set of standardized security controls and principles that spoke to the types of systems in place at nuclear power plants.

Unlike traditional institutions whose digital infrastructures represent a range of familiar technologies, such as servers, workstations, routers, switches, firewalls, etc., equipment within industrial settings represents a more diverse and broad set of technologies that require special considerations when it comes to security.

Beyond the familiar technologies many of us may be accustomed to, plant systems also include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), and other types of digital and non-digital industrial measurement and control devices operating either in isolation or as part of highly integrated networks. (See NIST SP 800-82 available at the NIST Web site http://csrc.nist.gov/publications/drafts.)

Not having to start from scratch certainly factored into NRC’s decision to use materials provided by NIST and DHS, but this still took a backseat to a larger, more grounded base of reasoning.

Proven Strategies
Morris explained the use of NIST standards provided a means to leverage proven strategies for effective cyber security, noting that NIST standards are consensus-based, adding a comprehensive and credible starting point for what the NRC was setting out to accomplish. But this would not be a cut-and-paste exercise. Safety and security are two things the NRC and nuclear power industry take very seriously.

If standards-based security controls and principles were to evolve into guidance specifically targeting SSEP functions at nuclear power plants, some tailoring would still be required.

This marked the next challenge. What followed were months of intense workgroup sessions and cooperation among NRC personnel, representatives from the Nuclear Energy Institute, security practitioners from several nuclear power plants, and private sector experts in the areas of cyber security and nuclear plant operations. With Eric Lee at the helm, this group worked together to ensure language embedded in the revised cyber security controls addressed the specific security and operational requirements of systems performing SSEP functions.

The result was a set of “nuclearized” cyber security controls that would form the cornerstone of NRC’s guidance document related to the new security rule.

However, cyber security controls, no matter how well-defined, don’t make a security program.

Lee and his team proceeded to package the newly tailored cyber security controls within a programmatic framework addressing roles and responsibilities, processes for identifying and analyzing critical digital assets and systems, defense-in-depth strategies, continuous monitoring activities, and review and validation methodologies to ensure management, operational, and technical security controls will be implemented properly and function as intended.

Just as before, this effort heavily leveraged standards from NIST, DHS, IEEE, and the International Society of Automation, to name a few, in addition to continued working sessions with industry experts. The final product was entitled NRC Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities.

Compliance with regulatory guides is not mandatory. Utilities operating nuclear power plants can elect to follow the guide in full or in part, or not at all. When submitting cyber security plans to the NRC, utilities need only demonstrate an acceptable approach to meeting the intent and requirements of the new security rule.

Why A Guide?
Why then develop a Regulatory Guide at all if the utilities are not bound to abide by its approach and guidelines?

“Regulatory Guide 5.71 provides a clear and consistent method to implement the requirements of 10 CFR 73.54 and to provide effective protection against cyber attacks. This methodology has the added advantage of providing sufficient flexibility to address highly dynamic cyber threat environments, and newly identified vulnerabilities,” Morris said. “Further, this document will be used as the basis for NRC review of site-specific cyber security plans (licensing) and inspection, assessment, and enforcement activities (oversight) in the near term and long term.”

The Regulatory Guide acts as an aid for utilities to better understand the position and viewpoints of the regulator in respect to the new security rule, affording greater clarity and common ground for review processes in which the NRC accepts, analyzes, and determines the efficacy of cyber security plans submitted by the utilities.

While utility cyber security plan reviews will be ongoing throughout 2010, the NRC plans to make its new Regulatory Guide available to the public early in the year. This will provide the general public and security practitioners industry-wide greater transparency into measures established by the NRC to protect critical infrastructure from radiological sabotage through effective use of standards-based approaches to cyber security within the nuclear power plants.

Vendors and companies supporting the design and build of next generation nuclear power plants will also be paying attention. The use and applicability of the Regulatory Guide for industries outside nuclear power is yet to be determined, but not beyond consideration at this stage. Although developed for a limited scope of plant systems, the input and contributions of those involved represent a set of highly qualified approaches for the protection of assets and systems within the industrial setting.

