As we have previously reported, the Nuclear Regulatory Commission (NRC) is issuing revised guidance for cybersecurity programs for nuclear power reactors for the first time in over a decade. Earlier this year, the NRC updated Regulatory Guide (RG) 5.71, “Cyber Security Programs for Nuclear Power Reactors” (Revision 1), with guidance on meeting the cybersecurity requirements described in Section 73.54 of Title 10 of the Code of Federal Regulations, “Protection of digital computer and communication systems and networks.”
The NRC has now followed up on that guidance with revisions to RG 5.83, “Cybersecurity Event Notifications (Revision 1),” to address new cybersecurity concerns, provide clarification, and align with new guidance in RG 5.71. This guidance is critical for the nuclear industry given the rapid pace at which cybersecurity threats and deterrent strategies evolve. All nuclear power reactor owners must review NRC’s latest guidance and confirm that their cybersecurity programs are in compliance.
Summary of Updates
RG 5.83 Revision 1 describes acceptable methods for licensees to meet requirements in NRC regulations to report and record cybersecurity events. In addition to the approach that was detailed in the initial version of RG 5.83, through Revision 1 NRC staff have also approved the use of Nuclear Energy Institute 15-09 1, “Cyber Security Event Notifications,” issued May 2022, as an acceptable method that licensees can use to meet the requirements of 10 CFR 73.77, “Cybersecurity Event Notifications.”
RG 5.83 Revision 1 also addresses new concerns identified since the NRC first issued RG 5.83 in 2015, which includes incorporating revisions to RG 5.71. The most significant of these updates are additions and modifications to the defined terms section. For example, the definition of “adverse impact” has been modified to narrow the scope of a “direct deleterious effect” on a critical digital asset to effects on a “safety-related, important-to-safety, security, or emergency preparedness functions; on the operation of systems, networks, and associated equipment; or on the integrity and confidentiality of data and software.”
The glossary also includes the newly defined term “credible” information, increased clarity on what constitutes a “compromise,” and a significantly expanded definition for a critical digital asset that includes both components and support systems.
NRC staff also provided clarification in the eight-hour notification section about the reportability of malicious activity. Licensees must evaluate whether to report malicious activities against devices residing on the same network as a critical digital asset or against devices that support critical digital assets, such as devices with monitoring and alerting functions. As part of this assessment, licensees need only consider information deemed to be “credible” by security personnel.