ML24043A087
Latest revision as of 20:24, 24 November 2024
| ML24043A087 | Person / Time |
|---|---|
| Issue date: | 02/15/2024 |
| From: | Tammie Rivera, NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| Download: | ML24043A087 (1) |
Text
Cybersecurity Inspections Lessons Learned Public Meeting (Closed)
February 15, 2024 10:00 A.M. - 12:00 P.M.
Tammie Rivera, Cybersecurity Specialist, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response
Topics
- Key Messages
- Background
- 2023 Top 3 Trends (MTM Violations & Cross-Cutting Aspects)
- Observations
- Lessons Learned & Insights
- Next Steps
- Q & A
Key Messages
- This meeting focuses on cybersecurity baseline inspection activities conducted during CY 2023.
- Staff identified lessons learned and trends from the 2023 cybersecurity inspections.
- This effort will support identification of any actions needed to ensure efficiency and effectiveness of future inspections.
Background
- Objectives of IP 71130.10
  1. To provide assurance that digital equipment associated with safety, security, or emergency preparedness (SSEP) functions are adequately protected against cyber-attacks in accordance with 10 CFR 73.54 and the licensee's approved cyber security plan (CSP).
  2. To verify that CSP changes and reports are in accordance with 10 CFR 50.54(p).
Inspection Procedure 71130 Attachment 10, Cyber Security (ML21155A209)
Background (continued)
- Inspection Requirements
Excerpt from IP 71130.10, page 2:
- This inspection requirement range for completion is as follows:
- minimum of three inspection requirements,
- nominal four inspection requirements, and
- maximum, based on unusual circumstance, or special considerations, five inspection requirements.
- Inspection teams considered the following special considerations during development of cybersecurity team inspection plans:
- First biennial cycle completion using IP 71130.10
- High number of inspection findings during the biennial cycle
Inspection Procedure 71130 Attachment 10, Cyber Security, (ML21155A209)
2023 Inspections and Violations
Total Baseline Inspections (Full Biennial Cycle):

| Year | Inspections |
|---|---|
| 2022 | 24 |
| 2023 | 31 |
| Total | 55 |

Number of Violations, LIVs & MTMs by Year:

| Type | 2022 | 2023 | Change |
|---|---|---|---|
| LIV | 6 | 17 | +183% |
| MTM | 46 | 78 | +70% |
2023 Top 3 Trends
MTM Violations
Most commonly cited NEI 08-09¹ security controls:
1. Vulnerability Management (E.12)
2. Baseline Configuration (E.10.3)
3. Monitoring Tools and Techniques (E.3.4)
Cross-Cutting Aspects (CCAs)
Most commonly cited CCAs as described in NRC IMC 0310²:
1. Conservative Bias (H.14)
2. Resources (H.1)
3. Procedure Adherence (H.8)
¹ NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, Addendum 1 Markup dated 2017 (ML17079A423)
² IMC 0310, Aspects Within The Cross-cutting Areas (ML19011A360)
Observations
- Resources - Staffing and retention of well qualified cyber staff
- Training - properly trained staff and knowledge transfer (particularly, specialized training)
- Documentation - insufficient documentation (i.e. CDA assessments and alternate controls)
- Licensee cyber staff not thoroughly familiar with the requirements or guidance, or misinterpreting the requirements
Lessons Learned
- A one-week inspection is challenging and resource intensive
- Inspectors have observed that the best performing sites and well-maintained cybersecurity programs have strong support from senior management
- Documentation still does not reflect the whole story
- Inspectors observed that some licensee staff lacked experience with regulatory requirements, background, and guidance related to the implementation of the cybersecurity program.
Insights
- Improving the accuracy and completeness of documentation reduces the number of questions.
- The program is in the maintenance phase. Inspections focus on the defense-in-depth approach.
- The NRC will continue to enhance the oversight program.
IMC 0612 Appendix E, "Examples of Minor Issues"
Next Steps
- An agency working group was established to evaluate alternate inspection procedure frequencies and team composition
- Reasons for establishing the working group:
  - Completing cybersecurity biennial inspections in one onsite week has been a challenge for regional inspection teams.
  - Inspection teams and licensee response teams need more time to address questions and disposition identified issues.
- The working group expects to present solutions that will gain efficiency and effectiveness
- The working group will develop recommendations for management consideration. Any proposed changes to the inspection procedure will be discussed at a later public meeting.
Questions & Discussion (Trends, Observations, Lessons Learned, Increase Efficiency)
Submitting Meeting Feedback & POC
To submit feedback and comments please:
- Navigate to this meeting on the NRC Public Meeting Schedule
- Click the Meeting Feedback Form link
Meeting POC: Tammie Rivera, Tammie.Rivera@nrc.gov, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response