NERC Bright-Line Presentation

Nuclear Power Plant “Bright-Line”
NERC:
Tim Roxey and Jim Hughes
NRC:
Perry Pederson and Ralph Costello
Charlotte, NC: April 22, 2010
Phoenix, AZ: April 26, 2010
Philadelphia, PA: May 4, 2010
Chicago, IL: May 6, 2010
Workshop Topics
 Bright-Line Requirement
 Cyber Security at NRC
 Bright-Line Process
 NRC’s Position Relative to the MOU
 Bright-Line Survey
 NERC Point of Contacts
 Q & A – Please hold questions and comments to the
end of the presentation
“Bright-Line” Requirement
 Establish the FERC and NRC jurisdictional delineation of
Nuclear Power Plant (NPP) Systems, Structures, and
Components (SSCs) through the creation of an exemption
process for excluding certain SSCs from the scope of
applicable NERC Standards, as provided in FERC Order No.
706-B
Cyber Security at NRC
NRC/NERC Bright-Line Workshop
Perry Pederson
NSIR Security Specialist (Cyber)
Overview
• 10 CFR 73.54
• Regulatory Guide 5.71
10 CFR 73.54
• High-level, Performance-Based, Programmatic
− FOCUS: Prevention of Radiological Sabotage
− Generic (i.e., not reactor-specific)
− Consistent with physical security regulatory
approach
• Basic Requirements
− Systems that must be protected
− Defense-in-Depth protective strategy
− Application of security controls
− Implementation details maintained on site
− Submit Cyber Security Plans to NRC for approval
• Cyber Security Plans
− Site-specific processes and criteria
RG 5.71 Overview
• Components (published January 2010)
− Main Body
− Appendix A (generic cyber security plan template)
− Appendix B (technical security controls)
− Appendix C (operational/management security
controls)
• Performance-Based, Programmatic
− Consistent with NIST recommendations
− Flexible and minimally prescriptive with burden on
licensees to establish effective programs
• Alignment with Digital I&C Interim Staff
Guidance
− ISG-1
− ISG-4
− RG 1.152
RG 5.71 Guideline
1. Form Cyber Security Team
2. Identify Critical Digital Assets (CDAs)
3. Apply Defensive Architecture
4. Address Security Controls
• Address each control for each CDA
• Or, apply alternative measures
• Or, explain why a control is N/A
Bright-Line Process
NERC:
Tim Roxey
Cyber Controls – NPP, a Total View

NRC
• Security controls to address:
− 10 CFR 73.1 (Design Basis Threat)
− 10 CFR 73.54 (Cyber Security)
• Performance objective: PREVENT RADIOLOGICAL SABOTAGE
• Title 10 scope: systems that support
− Safety functions
− Security functions
− Emergency Response functions
− Support systems that could adversely impact one of the above
functions
• NRC Regulatory Guide 5.71
− Individual licensee Cyber Security Plan submitted (10 CFR 73.54)
− Individual COL applicant submittal (10 CFR Part 52)
• Result: fully compliant with Title 10

FERC/NERC
• Bulk Power reliability controls:
− Section 215 of the Federal Power Act
− 18 CFR (Conservation of Power and Water Resources)
• Regulatory basis: grid reliability
• NERC governance: Rules of Procedure Section 400, “Compliance
Enforcement Program”
• FPA Section 215 scope: Balance-of-Plant “support systems”
that do not adversely impact
− Safety functions
− Security functions
− Emergency Response functions
• FERC Order 706/706-B: identify those SSCs that are exempted
from NERC jurisdiction and thereby MAY not be subject to
applicable CIP standards (NERC CIP-002 through CIP-009)
• Result: fully compliant with FPA Section 215

NOTE: It should be noted that there will be some SSCs that will
not be impacted by either the NRC or the NERC Bright-Line
requirements.
Bright-Line History
 January 18, 2008: FERC issued Order No. 706 adopting
CIP-002 – 009 standards
• CIP-002 - 009 Standards exempt facilities regulated by the NRC
 March 19, 2009: FERC issued Order No. 706-B, certain
balance of plant (BOP) SSCs are subject to compliance
with NERC CIP Reliability Standards
• No “dual regulation” i.e., Bright-Line
 September 14, 2009: NERC’s NPP CIP Implementation
Plan for each NPP, by requirement, filed to FERC
• R = FERC Effective Date,
• S = Scope of Systems Determination and,
• RO = Next Refueling Outage beyond 18 months (R+6)
Bright-Line History (Cont’d)
 December 17, 2009: FERC Order directing NERC to
present a process on how SSCs are exempted from
NERC Reliability Standards by January 19, 2010 (Bright-Line)
 December 30, 2009: Historic MOU executed between
the NRC and NERC identifying their roles and
responsibilities
 January 19, 2010: NERC filing to FERC the details on
the exemption process for NPP
 Coordinated with the NRC to determine those SSCs subject to
NERC jurisdiction and those SSCs subject to NRC jurisdiction –
Generic List
 March 18, 2010: FERC Order approving NERC’s Bright-Line
exemption process and Implementation Plan (R = March 18, 2010)
Confidential Information
NERC’s Handling of Confidential Information
• The information provided by the NPPs to NERC will be
handled in accordance with the NERC Rules of Procedure
(RoP) section 1500 “Confidential Information” if that
information is so designated by the NPP
• NERC and Regional Entity staff who review Safeguards
Information (SGI) will be authorized for SGI access per
10 CFR §73.21 and §73.22
• NERC will establish “Reviewing Officials” for SGI per the
MOU
Collection of Information
NERC Authority to Collect Bright-Line Information
▪ Section 215 of the Federal Power Act (16 U.S.C. §824o):
• Established NERC as the ERO to enforce NERC Standards
▪ Title 18 C.F.R §39.2(d) (FERC’s Regulations):
• User, owner or operator of the bulk power system shall provide
such information as is necessary to implement section 215 of the
Federal Power Act to FERC/ERO/Region
▪ NERC Rule of Procedure 400, Section 10.1:
• Information Submittal - Each Regional Entity has the authority to
collect the necessary information to determine compliance
North American Electric Reliability
Corporation and
Nuclear Regulatory Commission
Memorandum of Understanding
Ralph Costello
Team Leader
Office of Nuclear Security and Incident Response
Nuclear Regulatory Commission
NRC - NERC MOU
• Cooperation – NERC’s disposition of exceptions
– Bright-Line process
NRC jurisdiction, e.g.: safety and important-to-safety systems,
security systems, and emergency preparedness systems
FERC/NERC jurisdiction, e.g.: systems, structures, and
components subject to FERC requirements
FERC Order 706-B permits licensees to seek “exceptions” to compliance with
NERC CIP standards for digital systems subject to both FERC and NRC regulations
NRC - NERC MOU Cont.
• Share information relative to digital assets
governed by the other party’s cyber security
requirements
• Coordinate to maximum extent on the process for
conducting inspections
NRC - NERC MOU Cont.
• Sharing of all information necessary to carry out
the intent of the MOU
• Coordinate on all public announcements of
enforcement actions relative to cyber security
requirements and coordinate the resolution of
issues involving enforcement actions
NRC - NERC MOU Cont.
Memorandum of Understanding
http://www.nrc.gov/reading-rm/doc-collections/news/2010/10005.html
http://edocket.access.gpo.gov/2010/2010-229.htm
Nuclear Power Plant “Bright-Line” Survey
Jim Hughes
Workshop Objectives
 Terminal Objective:
• Identify the requirements to complete the NERC
Bright-Line Survey
 Enabling Objectives:
• Identify where to find the Bright-Line documentation
• Identify the critical attributes of the Bright-Line Survey
Bright-Line Documentation
 Provided on the NERC Web site:
• FERC Orders
• NERC/NRC MOU
• Presentation Materials
• Bright-Line Survey
http://www.nerc.com/page.php?cid=3|23|347
Bright-Line Survey Overview
 Introduction & Scope
 Due Date and Contact Data
 Survey Items 1 and 2
 Company Information and Approval
 Generic SSC lists
• Attachment I (SSCs under NERC Jurisdiction)
• Attachment II (SSCs Excluded from Attachment I)
Bright-Line Survey
Survey Item 1
 Does Attachment I include all SSCs in your power
plant that could impact reliable delivery of electricity
to the Bulk Power System or manage critical energy
infrastructure information?
 Exclude those SSCs in Attachment II
Bright-Line Survey
 Survey Item 2
 If the answer to Survey Item 1 is “No” please
revise the list to add to or remove SSCs from
Attachment I
• All changes to Attachment I must be accompanied with the
basis for those changes
Next Steps
 Special Registration for NPPs
 Surveys will be e-mailed to each CC/NPP
on or before June 25, 2010
 Surveys shall be completed by NPPs and
returned to NERC on or before
July 23, 2010 (the “S” date)
 NERC to review and approve, with NRC
coordination, the completed Bright-Line
surveys on or before October 15, 2010
Important Takeaways
 Do not provide information such as IP
Addresses, and asset/network
vulnerabilities
 Recommended that System Engineering
complete Survey Items 1&2
 Need accurate subject matter expert point
of contact data
 The Bright-Line Attachment I is complete only
after NERC review (October 15, 2010)
NERC Contact Data
 E-mail completed survey to Jim.Hughes@nerc.net
• Phone: 609-203-2288
 Secondary contact: Tim.Roxey@nerc.net
• Phone: 410-474-9240
 Alternate contact: Monica.Benson@nerc.net
• Phone: 609-524-7073
If mailing completed survey:
North American Electric Reliability Corporation
c/o Jim Hughes
116-390 Village Boulevard
Princeton, New Jersey 08540-5721
Questions?