cyber security roadmap presentation. · 2017-06-15 · cyber security roadmap paper •originally...

Cyber Security Roadmap Jim Beardsley Chief, Cyber Security Branch Division of Physical & Cyber Security Policy Office of Nuclear Security and Incident Response 1 6/13/2017


Page 1: Cyber Security Roadmap Presentation. · 2017-06-15 · Cyber Security Roadmap Paper •Originally Issued June 25, 2012. – Power Reactors & COL Holders – Fuel Cycle Facilities

Cyber Security Roadmap

Jim Beardsley

Chief, Cyber Security Branch

Division of Physical & Cyber Security Policy

Office of Nuclear Security and Incident Response

6/13/2017


Cyber Security Roadmap Paper

• Originally Issued June 25, 2012.
  – Power Reactors & COL Holders
  – Fuel Cycle Facilities
  – Non Power Reactors
  – ISFSIs & Materials

• Updated Feb 2017 to reflect program changes and progress in cyber implementation.
  – Added Decommissioning Reactors
  – ML16354A258


Power Reactors & COL Holders

• Milestone 1-7 Completed in 2012; inspected 2013-2015.

• Milestone 8 (Full Cyber Implementation) Complete by December 2017

• Full Implementation Inspections 2017-2020
  – The NRC and Licensees have learned a lot of lessons through the implementation process.
  – Graded approach to CDA control application through NEI 13-10.


Fuel Cycle Facilities

• Completed the supporting offices concurrences on the draft proposed rule package – January 2017

• OGC gave NLO on the draft proposed rule package – April 2017

• Draft proposed rule package due to the Commission – September 30, 2017

• Upcoming rule related activities:
  – June 8, 2017 – ACRS full committee meeting
  – June 27, 2017 – Brief the CRGR
  – July 2017 – Response due to working group from ACRS and CRGR


Non Power Reactors

• Staff assessed the wide variety of licensees through self-assessments and site visits.
  – The staff concluded that NPR licensees have implemented an adequate level of cyber security at their facilities.

• The staff published guidance with effective practices for cyber at NPRs based on the assessment
  – ML 15252A236


Independent Spent Fuel Storage Installations (ISFSIs)

• The staff conducted an assessment of cybersecurity at ISFSIs in 2012 and determined, at that time, that the licensee’s cyber security efforts adequately protect from a cyber attack.

• The staff plans to re-evaluate the physical security protections at ISFSIs in 2020 to determine if rulemaking is warranted, and cyber will be included in that assessment.


Decommissioning Reactors

• In a COMSECY dated Dec 5, 2016, staff noted that the cyber security rule (10 CFR 73.54) no longer applies to reactor licensees following termination of their license.

• Cyber security for decommissioning is included in the ongoing decommissioning rulemaking effort.


Byproduct Materials

• Very complex due to the wide variety of licensees.

• Staff plans documented in a Commission memorandum on April 29, 2016
  – ML 15246A306

• The staff is developing a Commission notation vote paper that will provide the working groups recommendations - due to the EDO September 29, 2017


Questions


Backup Slides


Background


• 2002-2003: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders

• 2005: NRC supported industry voluntary cyber program (NEI 04-04)

• 2009: 10 CFR 73.54, Cyber Security Rule

• 2010: NRC Regulatory Guidance 5.71 was released.

• 2012: Implementation/Oversight of Interim Cyber Security Milestones.

• 2013-2015: Milestone 1-7 Inspections

• 2016-2017: Cyber PI&R Samples at Operating Sites


Full Implementation Cybersecurity Inspections

• Staff have developed the following in support of the inspection program.
  – New Inspection Procedure (IP 71130.10)
    • With NRR for publishing
    • 2 week inspection. 2 inspectors, 2 contractors, 1 NSIR
  – Updated SDP (IMC 0609 Appendix E, Part IV)
    • In 30 day review by the regions
  – Enforcement Guidance Memorandum (EGM)
    • With OE for processing
    • The Cyber EGM will provide the inspectors with a process for Enforcement Discretion


Full Implementation Cybersecurity Inspections

• Joint tabletop exercises and workshops to exercise guidance and exchange experience
  – Next one at Diablo Canyon (May 2017)

• Full implementation inspections start in 2017:
  • South Texas - July/August
  • Monticello - September

• Cyber Inspection “Time Out” October-December
  • Assess lessons learned, both industry & staff
  • Cyber Inspector Counterpart/Training, Nov 2017

• Full inspection program starts in January 2018
  • The program is expected to take ~3 years.


Cyber for New Construction

• RII, NRO & NSIR have conducted joint vendor inspections at WEC to look at the AP-1000 cyber implementation.

• RII is developing a phased cyber inspection program for the AP-1000s.

• The cybersecurity program is required before fuel is brought onsite.
