After 13 years, the Nuclear Regulatory Commission has issued revised guidance for cybersecurity programs for nuclear power reactors. All nuclear power reactor owners must review the NRC’s latest guidance and confirm their cybersecurity programs are in compliance.
Regulatory Guide (RG) 5.71, “Cyber Security Programs for Nuclear Power Reactors” (Revision 1), provides NRC licensees with guidance on meeting the cybersecurity requirements described in Section 73.54 of Title 10 of the Code of Federal Regulations (CFR), “Protection of digital computer and communication systems and networks.”
Up-to-date cybersecurity guidance is vital for critical infrastructure, including nuclear energy generation, especially in a cybersecurity landscape where working exploits can surface within hours of software being released. The NRC’s update is all the more important because nuclear power reactors are exempt from most of the North American Electric Reliability Corporation (NERC) reliability standards that apply to other types of power generation, and those standards are continually reviewed and updated.
Summary of Updates
RG 5.71 Revision 1 references 10 CFR § 73.77, Cyber Security Event Notifications, published in 2015, and its associated guidance, RG 5.83, Cyber Security Event Notifications. 10 CFR § 73.77 established requirements clarifying the types of cyberattacks that require notification to the NRC, the timeframes for making those notifications, how licensees are to make them, and how licensees are to submit follow-up written reports to the NRC.
Revision 1 also clarifies issues identified during cybersecurity milestone inspections and incorporates additional insights gained from documented international and domestic cyberattacks. The updated guidance takes into account new technologies and incorporates lessons learned from operating experience since the NRC’s original publication of Revision 0 of RG 5.71 in 2010.
Revision 1 clarifies guidance on defense in depth for cybersecurity and incorporates updates based on the latest National Institute of Standards and Technology (NIST) and International Atomic Energy Agency cybersecurity guidance. The new guidance, among other things, requires nuclear power plants to document a process as part of their cybersecurity plans for describing how they have achieved “high assurance” that digital computer and communication systems and networks identified in 10 CFR § 73.54(a)(1) are adequately protected from cyberattacks. NRC defines “high assurance” as equivalent to a reasonable assurance of adequate protection, as further explained in the NRC’s Staff Requirements Memoranda SRM-SECY-16-0073, “Options and Recommendations for the Force-on-Force Inspection Program in Response to SRM-SECY-14-0088.”
The assets in scope requiring protection are digital computer and communication systems and supporting systems and equipment that, if compromised, would adversely impact the safety-related, important-to-safety, security, and emergency preparedness functions of a nuclear facility.