Digital (computer) systems have been used in nuclear power plants since the early 1960s. Originally, these systems were stand-alone, had their own dedicated input/output (I/O), and had few if any interfaces to other systems. Furthermore, these early computer systems utilized custom, often proprietary, protocols, requiring the development of custom intrusion schemes for each system. Cyber intrusions were difficult to carry out and rare.
As technology moved to plug-and-play systems, standardization became the way to go, and cyber intrusion became much easier. Finally, with the advent of utilizing intranets, or worse yet, the Internet, to communicate between systems or between systems and users, the current deluge of cyber-attacks was born.
Although development of methodologies to minimize or prevent cyber intrusion into Critical Digital Assets (CDAs) had been underway for some time, the events of September 11, 2001 brought a new awareness of how dangerous a terrorist cyber-attack could be. In particular, the nation’s electric grid, including its nuclear power plants, was recognized as a particularly vulnerable target.
On February 28, 2005, the Nuclear Energy Institute (NEI) issued NEI 04-04, Cyber Security Program for Power Reactors, to provide “tools and techniques for developing and managing an effective cyber security program at nuclear power reactor sites.”
Network Systems’ engineers have been involved in the application of these guidelines to CDAs at multiple power stations ever since.
In May 2008, the Nuclear Regulatory Commission (NRC) issued 10 CFR 73.54, which required licensees to protect digital computer and communications systems and networks associated with the following functions:
- safety-related and important-to-safety functions,
- security functions,
- emergency preparedness functions, including offsite communications, and
- support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Furthermore, 10 CFR 73.54 requires the licensee to protect such systems and networks from those cyber-attacks that would act to modify, destroy, or compromise the integrity or confidentiality of data or software; deny access to systems, services, or data; and impact the operation of systems, networks, and equipment.
In November 2009, the NRC issued Regulatory Guide 5.71, which provides implementation guidance the NRC deems acceptable for complying with the Commission’s regulations regarding the protection of digital computers, communications systems, and networks. Regulatory Guide 5.71 endorses the recommendations of NIST SP 800-53 and 800-82 by providing a list of security controls to address the potential cyber risks to CDAs. Specifically, the NIST standards recommend over 100 security controls, which are categorized into 18 families. These families of security controls are further divided into three classes: technical, operational, and management.
Licensees responded by developing and issuing NEI 08-09 Rev. 6 in April 2010. Like Regulatory Guide 5.71, NEI 08-09 Rev. 6 leverages the NIST standards and provides an approach to addressing the 10 CFR 73.54 cyber security regulations.
Since then, NEI and licensees developed NEI 10-04 Rev. 1, “Identifying Systems and Assets Subject to the Cyber Security Rule,” in June 2010 and soon will release NEI 10-09 Rev. 0, “Addressing Cyber Security Controls for Nuclear Power Reactors.” These documents provide licensees with implementing guidance for identifying critical plant systems and assets within the scope of the rule, and guidance on how to address the 100+ technical, operational, and management cyber security controls. Network Systems engineers participated in the development of some of these NEI documents.
The result is that Network Systems, with its extensive experience with computer systems in nuclear applications, is uniquely suited to assist its Clients with the implementation of a comprehensive Cyber Security Program in accordance with all applicable regulatory requirements.
Network Systems will work with its Clients to perform the following:
- Identifying critical digital assets (CDAs) – These are the plant assets that perform critical functions associated with Safety-related, Security, or Emergency Planning (SSEP) at a nuclear station, in accordance with NEI 10-04 guidelines.
- Evaluating the applicability of cyber security controls to the SSEP CDAs, in accordance with NEI 10-09. This evaluation will yield potential security gaps in CDAs which must be remediated.
- Developing a remediation plan that includes one of the following for each applicable security control with which a CDA does not adequately comply:
  - The CDA as designed can be configured to apply the cyber security control feature. In this case a design change can be processed to implement the security control.
  - The cyber security control feature can be purchased for the CDA. In this case Network Systems will work with a vendor to develop specifications to develop, test and implement the control via a design change.
  - An alternate cyber security control feature can be implemented which provides the same or greater protection as the original control feature. In this case Network Systems will assist the licensee with documenting the technical bases for the alternate control and how it addresses the required control.