Transcript of "Cyber security regulation strictly regulated by nrc feb 2013"
Cyber Security Strictly Regulated by NRC; No Additional Regulation Needed
February 2013

Key Points
- The U.S. Nuclear Regulatory Commission (NRC) has extensive regulations for cyber security protection at nuclear energy facilities. Regulatory oversight by other agencies is unnecessary and would duplicate the already-strict NRC oversight.
- The nuclear energy industry implemented a cyber security program in 2002 to protect critical digital assets and the information they contain from sabotage or malicious use. The industry has been strengthening its response in the years since.
- The NRC in 2009 established regulations for cyber security at commercial reactors, even though the critical computer systems used to control nuclear energy facilities are not connected to the Internet.
- The industry has worked with federal regulators, including the NRC, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC), to ensure that digital assets are fully protected. FERC initially proposed rules to cover portions of a nuclear energy facility but reversed its stance when it found that the NRC's cyber security rulemaking covers the entire facility.

Cyber Security Systems
Nuclear energy facilities use both digital and analog systems to monitor plant processes, operate equipment, and store and retrieve information. Analog systems follow hard-wired instructions; digital computer systems use software to provide instructions. Digital systems, including individual computers and networks, are vulnerable to cyber attacks, which include malicious exploitation and infection by malware such as viruses, worms and other types of programming code.

Nuclear energy facilities are designed to shut down safely if necessary, even if there is a breach of cyber security. A cyber attack cannot prevent critical systems in a nuclear energy facility from performing their safety functions. Among other measures, these critical systems are not connected to the Internet or to a facility's internal network. The isolation of critical safety systems minimizes the pathways for a cyber attack. Nuclear energy facilities also are designed to automatically disconnect from the power grid if there is a disturbance that could be caused by a cyber attack.

No Need for Duplicative Federal Oversight
The White House has proposed that the Department of Homeland Security work with critical infrastructure sectors, including the electric sector, to devise strategies to secure computer systems and protect them against cyber threats. Under the proposal, the agency could develop a cyber security strategy for facilities that do not have one. The electric power sector is the only industry with mandatory, enforceable cyber security standards, the Critical Infrastructure Protection standards. Moreover, nuclear power plants are strictly regulated in this area by NRC regulations and oversight. Additional regulation would be duplicative and would risk creating inconsistencies in requirements.

Cyber Protection in Place at Nuclear Power Plants
The Nuclear Energy Institute has developed the only comprehensive cyber security program specifically designed for control system and critical infrastructure security, the first of its kind within the energy sector. All nuclear power plants adopted the NEI cyber security program in 2006 and had implemented it by 2008.

A year later, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. NRC regulation covers all areas of a plant, including those that might otherwise be subject to NERC's critical infrastructure protection reliability standards or proposed Department of Homeland Security oversight.

Every company operating nuclear power plants has earned NRC approval for a cyber security plan that describes how the facility is implementing its cyber security program. Companies also provided the NRC with a schedule describing the actions toward full implementation of their cyber security programs. The NRC has reviewed and approved each of these schedules and regularly inspects cyber protection measures at U.S. reactors.

Five Steps That Provide Protection
Each U.S. nuclear power plant has taken the following measures to ensure protection against cyber threats:
- Isolated key control systems, using either air-gaps, which do not implement any network or Internet connectivity, or robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants is protected from any network-based cyber attacks originating outside the plant.
- Enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, CDs and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include limiting authorization of portable assets to the performance of a specific task, minimizing movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well-protected from attacks like Stuxnet, which was propagated through the use of portable media.
- Heightened defenses against an insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.
- Implemented cyber security controls to protect equipment deemed most essential for the protection of public health and safety.
- Taken measures to maintain effective cyber protection. These measures include maintaining equipment listed in the plant configuration management program and ensuring that changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment. The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.