Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1 Cyber Security Overview NRC NERC 2 Overview NRC 10 CFR 73.54 and NERC CIP 002 009 Both large projects with significant assessment and documentation required. In some cases, modifications may be required to bring digital components into compliance. Scope: ◦ NRC: Safety, Important to Safety, Security, EP ◦ NERC: Bulk Electric System (Balance of Plant) 3 NRC 4 NRC All 104 US licensed nuclear units submitted CS Plan to NRC for their approval November, 2009. All used NEI 08-09 as guidance. Nuclear Energy Institute & industry team responded to ~71 Requests for Additional Information questions from NRC staff. Updated NEI 08-09 as a result. Rev. 6 has been approved by NRC Staff by letter in early May. Licensees will need to re-submit LAR based on NEI 08-09 Rev. 6 in ~July/August 2010. 5 NRC Technical Challenges ◦ ~140 cyber security controls w/ multiple bullets ◦ Numerous “Critical Digital Assets (CDAs)” per site. ◦ Each control has to be “addressed:” Implement the control Implement an alternate control, with justification Justify why control is not needed. ◦ Controls based on National Institute of Standards & Technology (NIST) SP 800-53 & 82. Not written in “nuclear speak.” Thus, training is required. 6 NRC Schedule ◦ 10 CFR 73.54 did not specify a schedule. ◦ Sites submitted “draft” implementation schedule with original submittal in November 2009. ~ 60 % of industry submitted 36/48/60 months after approval by NRC Staff. ◦ NRC now wants new schedule with supplement Milestones as “commitments” Final END DATE as condition of the License 7 NRC Project Overview ◦ Cyber security assessment Cyber Security Assessment Team (CSAT) – (similar to MR Expert Panel) ~35 CDAs per site (average) x ~140 controls x ~5 bullets per control Walkdown/validation Cross site fleet QV&V & industry benchmarks ◦ Training CSAT Ongoing ◦ Procedures/Directives NSD 803, NSD 804, NSD 807, EDM 801 Implementing procedures ◦ Records Documentation of assessment Documentation of controls Assessment team records ◦ Etc. 8 NRC Ongoing Program ◦ ◦ ◦ ◦ ◦ Periodic assessment weekly/monthly/quarterly/yearly surveillances Independent oversight Linkage to physical security plan Will require permanent, dedicated resources Estimated ~ 2+ per site, dedicated, cyber security specialists System engineers & IAE resources impacted on a case by case basis. OPS, EP, Security resources impacted ongoing by CSAT 9 NRC Configuration Management ◦ ONGOING MONITORING AND ASSESSMENT …The ongoing monitoring program includes: Configuration management of CDAs; Numerous assessment & verification activities 10 NRC Configuration Management ◦ 4.4 ONGOING MONITORING AND ASSESSMENT …The ongoing monitoring program includes: Configuration management of CDAs; Numerous assessment & verification activities 11 NRC Configuration Management ◦ 4.4.1 Configuration Management and Change Control CDA cyber security and configuration management documentation is updated or created using the site configuration management program or other configuration management procedure or process. This documentation includes the bases for not implementing one or more of the technical cyber security controls specified in Appendix D of NEI 0809, Revision 6. 12 NRC Configuration Management ◦ Appendix E, Section 10 Configuration Management 10.2 Configuration Management Policy and Procedures 10.3 Baseline Configuration – document configuration of various cyber security related settings. 10.4 Security Change Control – authorize & document changes. 10.5 Security Impact Analysis prior to making changes 10.6 Access restrictions – physical and electronic access 10.7 Configuration Settings 10.8 Least functionality – eliminate unnecessary ports, services, etc. 10.9 Component Inventory 13 NERC 14 NERC FERC Order 706-B clarified the exemption for “facilities” regulated by the NRC. “Facilities” to Nuclear meant “Oconee Nuclear Station.” Facilities to FERC meant the Reactor Protection System at Oconee Nuclear Station. FERC “hired” NERC to implement the cyber security rules, thus the NERC CIP cyber security standards. Great desire by industry to only have one regulator per system. ◦ “bright line” divides NERC scope from NRC scope ◦ NERC “survey” of systems due to NERC by 7-23-10. 15 NERC Presently per NERC CIP 002, many nuclear stations are not in scope. ◦ Not “critical assets” to the Bulk Electric System. ◦ Few nuclear stations are critical. ◦ Nor are the large Duke SE fossil stations. Revision 4 of NERC CIPs likely to be approved in December 2010. If the current draft is approved, many generation sites are likely to be in scope. Revision 4 of the standards are out for comment right now. Implementing NRC and NERC concurrently will be significantly difficult. 16 “My job is to tell you things you don’t want to hear, asking you to spend money you don’t have, to prepare for something you don’t believe will ever happen.” (Mike Selves, Director of Emergency Management and Homeland Security, Johnson County, Kansas) 17 COMMENTS/QUESTIONS? 18