ML18156A419: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 15: | Line 15: | ||
=Text= | =Text= | ||
{{#Wiki_filter:}} | {{#Wiki_filter:1 10 CFR 50, Appendix B Components and Cyber Security Aaron Armstrong Office of New Reactors (NRO) | ||
Technical Meeting for Reducing Cyber Risks in the Supply Chain IAEA Headquarters Vienna, Austria June 25-29, 2018 | |||
Topics | |||
* Nuclear Regulatory Commission (NRC) | |||
Regulations | |||
* Discuss the oversight of the supply chain | |||
* Observations identified during vendor inspection activities | |||
* Questions 2 | |||
NRC Regulations | |||
* 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants | |||
- Quality Assurance comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service | |||
- Consists of 18 Criteria of Quality Assurance (QA) 3 | |||
NRC Regulations | |||
* NRC evaluated Appendix B and ISO 9001-2000 | |||
* NRC issued the results of this analysis in SECY-03-0117 which is publicly available | |||
* The attachment to SECY-03-0117 provides the details for the Appendix B to ISO 9001-2000 comparison. | |||
4 | |||
NRC Regulations | |||
* 10 CFR Part 21, Reporting Of Defects And Noncompliance | |||
- Requires evaluation of deviations and failures to comply relating to defects that could create a substantial safety hazard | |||
- Also prescribes the reporting requirements for defects or failures to comply | |||
- Section 21.41, Inspection grants access for NRC inspections 5 | |||
NRC Regulations Other NRC Regulations that are applicable to NRC vendors: | |||
* 10 CFR Part 50.5, Deliberate misconduct | |||
* 10 CFR Part 50.7, Employee protection 6 | |||
Oversight of the supply chain | |||
* NRCs Vendor Inspection Center of Expertise (COE) provides oversight of vendors supplying safety-related* parts, materials and services. | |||
Performs routine and reactive vendor inspections, as well as, quality assurance implementation inspections for new reactor applicants. | |||
*safety-related as defined by 10 CFR 50.2 7 | |||
Oversight of the supply chain | |||
* SECY-11-0154, Agencywide approach to Counterfeit, Fraudulent and Suspect Items, provide the following direction: | |||
- The NRC staff will conduct vendor inspections at suppliers of safety-related Critical Digital Assets (CDAs), in accordance with 10 CFR Part 21 | |||
- The NRC staff will evaluate the results of these inspections to determine the need to expand the inspection sample to suppliers and sub-suppliers of non-safety-related CDAs 8 | |||
Oversight of the supply chain Vendor oversight of CDAs occurs if the items are procured as basic components (safety-related*) | |||
- Appendix B and Part 21 requirements are contractually imposed on the vendor through the licensees procurement document | |||
- These requirements are inspected by NRC using Inspection Procedure 43002 | |||
*safety-related as defined by 10 CFR 50.2 9 | |||
* Inspection Procedure 43002, Routine Inspections of Nuclear Vendors | |||
-Provides guidance to ensure NRC staff observes and assesses the vendors actual implementation to meet the licensee's contractual / procedural requirements 10 Oversight of the supply chain | |||
Vendor Inspection Observations | |||
* Several licensee purchase orders to a vendor requiring: | |||
- No harmful code or malicious logic: vendor shall have appropriate procedures in place to ensure that no viruses, malicious code or unintended code is transported into the production environment or the operational environment | |||
* Vendor did not have a documented cyber security program in place to meet procurement document requirements 11 | |||
Vendor Inspection Observations | |||
* Information Notice 2016-01 Allen Bradley Relays | |||
- Manufacturer redesigned a relay to use a complex programmable logic device (CPLD) | |||
- Use of a CPLD led to loss of safety function | |||
- The plant was unaware of modifications to the basic component, so electromagnetic compatibility was not evaluated 12 | |||
Questions? | |||
13 | |||
ADAMS Accession Numbers | |||
* Inspection Procedure 43002 | |||
- ML13148A361 | |||
* Cyber Vendor Inspection Report | |||
- ML15342A429 | |||
- ML17123A085 | |||
- ML18018A989 | |||
* Allen Bradley Information Notice | |||
- ML15295A173 14 | |||
ADAMS Accession Numbers | |||
* SECY-03-117, Approaches for Adopting More Widely Accepted International Quality Standards | |||
- ML031490421 | |||
* SECY-11-015, Agencywide approach to Counterfeit, Fraudulent and Suspect Items | |||
- ML112200150 15}} | |||
Latest revision as of 18:33, 5 January 2025
| ML18156A419 | |
| Person / Time | |
|---|---|
| Issue date: | 06/05/2018 |
| From: | Aaron Armstrong NRC/NRO/DCIP/QVIB1 |
| To: | |
| Armstrong A, NRO/DCIP | |
| References | |
| Download: ML18156A419 (15) | |
Text
1 10 CFR 50, Appendix B Components and Cyber Security Aaron Armstrong Office of New Reactors (NRO)
Technical Meeting for Reducing Cyber Risks in the Supply Chain IAEA Headquarters Vienna, Austria June 25-29, 2018
Topics
- Nuclear Regulatory Commission (NRC)
Regulations
- Discuss the oversight of the supply chain
- Observations identified during vendor inspection activities
- Questions 2
NRC Regulations
- 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants
- Quality Assurance comprises all those planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service
- Consists of 18 Criteria of Quality Assurance (QA) 3
NRC Regulations
- NRC evaluated Appendix B and ISO 9001-2000
- NRC issued the results of this analysis in SECY-03-0117 which is publicly available
- The attachment to SECY-03-0117 provides the details for the Appendix B to ISO 9001-2000 comparison.
4
NRC Regulations
- 10 CFR Part 21, Reporting Of Defects And Noncompliance
- Requires evaluation of deviations and failures to comply relating to defects that could create a substantial safety hazard
- Also prescribes the reporting requirements for defects or failures to comply
- Section 21.41, Inspection grants access for NRC inspections 5
NRC Regulations Other NRC Regulations that are applicable to NRC vendors:
- 10 CFR Part 50.5, Deliberate misconduct
- 10 CFR Part 50.7, Employee protection 6
Oversight of the supply chain
- NRCs Vendor Inspection Center of Expertise (COE) provides oversight of vendors supplying safety-related* parts, materials and services.
Performs routine and reactive vendor inspections, as well as, quality assurance implementation inspections for new reactor applicants.
- safety-related as defined by 10 CFR 50.2 7
Oversight of the supply chain
- SECY-11-0154, Agencywide approach to Counterfeit, Fraudulent and Suspect Items, provide the following direction:
- The NRC staff will conduct vendor inspections at suppliers of safety-related Critical Digital Assets (CDAs), in accordance with 10 CFR Part 21
- The NRC staff will evaluate the results of these inspections to determine the need to expand the inspection sample to suppliers and sub-suppliers of non-safety-related CDAs 8
Oversight of the supply chain Vendor oversight of CDAs occurs if the items are procured as basic components (safety-related*)
- Appendix B and Part 21 requirements are contractually imposed on the vendor through the licensees procurement document
- These requirements are inspected by NRC using Inspection Procedure 43002
- safety-related as defined by 10 CFR 50.2 9
- Inspection Procedure 43002, Routine Inspections of Nuclear Vendors
-Provides guidance to ensure NRC staff observes and assesses the vendors actual implementation to meet the licensee's contractual / procedural requirements 10 Oversight of the supply chain
Vendor Inspection Observations
- Several licensee purchase orders to a vendor requiring:
- No harmful code or malicious logic: vendor shall have appropriate procedures in place to ensure that no viruses, malicious code or unintended code is transported into the production environment or the operational environment
- Vendor did not have a documented cyber security program in place to meet procurement document requirements 11
Vendor Inspection Observations
- Information Notice 2016-01 Allen Bradley Relays
- Manufacturer redesigned a relay to use a complex programmable logic device (CPLD)
- Use of a CPLD led to loss of safety function
- The plant was unaware of modifications to the basic component, so electromagnetic compatibility was not evaluated 12
Questions?
13
ADAMS Accession Numbers
- Cyber Vendor Inspection Report
- Allen Bradley Information Notice
- ML15295A173 14
ADAMS Accession Numbers
- SECY-03-117, Approaches for Adopting More Widely Accepted International Quality Standards
- SECY-11-015, Agencywide approach to Counterfeit, Fraudulent and Suspect Items
- ML112200150 15