Staff members from the US Nuclear Regulatory Commission’s (NRC’s) Office of Nuclear Security and Incident Response and Office of Nuclear Reactor Regulation held a public meeting on June 17 to discuss a summary of the Assessment of the NRC’s Power Reactor Cyber Security Program. The Assessment was undertaken in response to the Nuclear Energy Institute’s (NEI’s) PRM-73-18, “Petition to Amend 10 CFR 73.54, ‘Protection of Digital Computer and Communication Systems and Networks’,” and based on NRC guidance, and it marked 10 years since the publication of 10 CFR 73.54.
As previously reported on Up & Atom, NRC staff initiated the Assessment in January 2019. The objectives of the Assessment were to identify key areas for improvement by capturing lessons learned from stakeholders, and to use the Assessment to further inform the outcome of PRM-73-18. NRC staff collected feedback from licensees, NEI, Federal Energy Regulatory Commission (FERC) staff, NRC Headquarters cybersecurity staff, and NRC Regional cybersecurity inspection staff. NRC held two public meetings and one closed meeting.
The main area stakeholders identified for improvement was NRC’s scoping of critical digital assets (CDAs). The current scoping criteria are focused on protecting CDAs from adverse impact, but many CDAs currently being protected may not pose a risk to public health and safety. Factors that led stakeholders to identify CDA scoping issues were rule and guidance interpretations, past cybersecurity on-site inspections, and overly broad definitions and terms.
Other areas stakeholders identified for improvement included: providing clarification on the scope of digital assets not categorized as CDAs; utilizing controls tailored to an industrial control system environment; and transforming the future cybersecurity inspection program. Most notably, stakeholders recommended NRC staff consider updating the NRC policy to align with current North American Reliability Corporation (NERC) Critical Infrastructure Protection standards.
Also discussed at the public meeting were the results of NRC’s Office of the Inspector General (OIG) Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-13). Based on the audit findings, OIG recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing, and develop and implement cybersecurity performance measures by which licensees can demonstrate sustained program effectiveness.
NRC staff stated that the goal following the public meeting was to initiate changes as appropriate to the power reactor cybersecurity program and to consider revisions to multiple guidance documents, including: “Identifying Systems and Assets Subject to the Cyber Security Rule” (NEI 10-04), “Cyber Security Plan for Nuclear Power Reactors” (NEI 08-09), “Cyber Security Control Assessments” (NEI 13-10), and Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities.” NRC staff also plan to develop new guidance that incorporates all previous guidance into one consolidated document.
NRC staff stated that a final report of the Assessment is expected to be released in July 2019. We will continue to monitor developments and issuances of the final assessment.