ML21308A026

From kanterella
Revision as of 11:51, 18 January 2022 by StriderTol (talk | contribs) (StriderTol Bot change)
Rulemaking: Proposed Rule: Discussion Table for Preliminary Rule Language for the Part 53 Rulemaking: 2nd Iteration of Part 73.110, Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks
Person / Time
Issue date: 11/30/2021
From: Robert Beall
NRC/NMSS/DREFS/RRPB
To: Beall, Robert
Shared Package List: ML20289A534
References
10 CFR 73.110, 10 CFR Part 53, NRC-2019-0062, RIN 3150-AK31
Download: ML21308A026 (6)


Text

THIS PRELIMINARY PROPOSED RULE LANGUAGE AND ACCOMPANYING DISCUSSION IS BEING RELEASED TO SUPPORT INTERACTIONS WITH STAKEHOLDERS AND THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS). THIS LANGUAGE HAS NOT BEEN SUBJECT TO COMPLETE NRC MANAGEMENT OR LEGAL REVIEW, AND ITS CONTENTS SHOULD NOT BE INTERPRETED AS OFFICIAL AGENCY POSITIONS. THE NRC STAFF PLANS TO CONTINUE WORKING ON THE CONCEPTS AND DETAILS PROVIDED IN THIS DOCUMENT AND WILL CONTINUE TO PROVIDE OPPORTUNITIES FOR PUBLIC PARTICIPATION AS PART OF THE RULEMAKING ACTIVITIES.

THE STAFF IS PRIMARILY SEEKING INSIGHTS REGARDING THE CONCEPTS IN THIS PRELIMINARY LANGUAGE AND SECONDARILY SEEKING INSIGHTS RELATED TO DETAILS SUCH AS NUMERICAL VALUES FOR VARIOUS CRITERIA. WHILE THE NRC WILL CONSIDER ALL COMMENTS RECEIVED IN FURTHER DEVELOPING THE PRELIMINARY LANGUAGE, IT WILL NOT PROVIDE WRITTEN RESPONSES TO THOSE COMMENTS. ONCE THE PROPOSED RULE IS ISSUED IN THE FEDERAL REGISTER, THE PUBLIC WILL HAVE AN ADDITIONAL OPPORTUNITY TO PROVIDE COMMENTS AND THE AGENCY WILL RESPOND IN WRITING TO ALL PUBLIC COMMENTS ON THE PROPOSED RULE WHEN ISSUING A FINAL RULE.

STAFF DISCUSSION OF CYBER SECURITY - PRELIMINARY RULE LANGUAGE (November 2021)

CYBER SECURITY

Preliminary Language:
§ 73.110 - Technology neutral requirements for protection of digital computer and communication systems and networks

Discussion:
The proposed section implements a graded approach to determine the level of cyber security protection required for digital computer, communication systems and networks (i.e., protection at the cyber security program level and the security controls implementation level). A graded approach based on consequences is intended to account for the differing risk levels within reactor technologies. Specifically, the proposed section requires licensees to demonstrate reasonable assurance of protection against cyber attacks commensurate with the potential consequences from those attacks. The graded approach will be further explained as part of a new regulatory guidance development effort.

The proposed section leverages (1) the operating experience from power reactors and fuel cycle facilities and (2) the 10 CFR 73.54 framework, which contains some of the basic requirements needed for cyber security regardless of type of reactor.

Differences between the 10 CFR 73.54 requirements and those discussed herein are primarily based on the implementation of a graded approach to cyber security as discussed above to accommodate the wide range of reactor technologies to be assessed by the NRC.

Preliminary Language:
(a) Each licensee of a commercial nuclear reactor under 10 CFR part 53 shall establish, implement, and maintain a cyber security program that is commensurate with the potential consequences resulting from cyber attacks. Accordingly, each licensee shall, up to and including the design basis threat as described in § 73.1. The cyber security program must provide reasonable assurance that digital computer and communication systems and networks are adequately protected against cyber attacks that are capable of causing the following consequences:

Discussion:
This paragraph implements a graded approach to cyber security to accommodate the wide range of reactor technologies to be assessed by the NRC. Specifically, this section provides criteria for implementing a consequence-based approach to cyber security by determining whether a potential cyber attack would result in the consequences listed herein. The licensee shall establish, implement, and maintain a cyber security program for protecting those digital assets within the scope of § 73.110 that makes use of risk insights, including threat information, and considers the resulting level of consequences of the threats.

Preliminary Language:
(1) [deleted: Exceeding the criterion in § 53.830(a)(2)(i);] Adversely impacting the functions performed by digital assets that prevent a postulated radiological release exceeding the offsite dose values in §§ 53.210(a) and (b) of this chapter.

Discussion:
This consequence deals with a scenario where the cyber attack leads to offsite radiation hazards that would endanger public health and safety (i.e., the resulting consequence exceeds reference dose values in §§ 53.210(a) and (b)).


Preliminary Language:
(2) Adversely impacting the functions performed by the digital assets used by the licensee for implementing the physical security requirements in § 53.830(a)(1) of this chapter for special nuclear material, source material, and byproduct material.

Discussion:
This consequence deals with a scenario where the cyber attack adversely impacts the physical security digital assets used by the licensee to prevent unauthorized removal of material or radiological sabotage. Security digital assets include those used for nuclear material control and accounting.

Preliminary Language:
(b) [deleted: The licensee shall] To protect digital computer and communication systems and networks associated with the functions [deleted: listed] described in [deleted: [§ 73.54(a)(1)] in a manner that is commensurate with] paragraphs (a)(1) and (2), the licensee shall:

(1) Analyze the potential consequences resulting from cyber attacks on digital computer and communication systems and networks and identify those assets that must be protected to satisfy paragraph (a) of this section.

(2) Implement the cyber security program in accordance with paragraph (d) of this section.

Discussion:
The adjusted language implements a graded approach to cyber security to accommodate the wide range of reactor technologies to be assessed by the NRC. The intent of the requirement is for licensees to protect the functions and associated systems from cyber attacks that cause the consequences identified in paragraph (a) above (e.g., safety functions, security functions). The graded approach will be further explained as part of a new regulatory guidance development effort. The licensee should analyze and identify which specific digital assets are within the scope of § 73.110.

Preliminary Language:
(c) The licensee shall meet the confidentiality, integrity, and availability requirements in § 73.54(a)(2) for the systems and networks [deleted: covered by] identified in paragraph (b)(1) of this section in a manner that is commensurate with the potential consequences resulting from cyber attacks.

Discussion:
This paragraph is developed from § 73.54(a)(2). The intent of the requirement is to address the impacts on systems and networks (i.e., a compromise in confidentiality, integrity, or availability) from cyber attacks that need to be prevented. The adjusted language implements a graded approach to cyber security to accommodate the wide range of reactor technologies to be assessed by the NRC. The graded approach will be further explained as part of a new regulatory guidance development effort.

Preliminary Language:
[deleted: (d) The licensee shall: (1) Analyze the potential consequences resulting from cyber attacks on digital computer and communication systems and networks and identify those assets that must be protected to satisfy paragraphs (a), (b) and (c) of this section; and, (2) Establish, implement, and maintain a cyber security program for the protection of the assets identified under paragraph (d)(1) of this section.]

Discussion:
Requirements have been streamlined to merge paragraph (d) into paragraphs (b)(1) and (2).

Preliminary Language:
([deleted: e] d) The cyber security program must be designed in a manner that is commensurate with the potential consequences resulting from cyber attacks through the following steps:

(1) Implement security controls to protect the assets identified under paragraph ([deleted: d] b)(1) of this section from cyber attacks, commensurate with their safety and security significance;

(2) Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, delay, respond to, and recover from cyber attacks capable of causing the consequences identified in paragraph (a) of this section;

(3) Mitigate the adverse effects of cyber attacks capable of causing the consequences identified in paragraph (a) of this section; and

(4) Ensure that the functions of protected assets identified under paragraph ([deleted: d] b)(1) of this section are not adversely impacted due to cyber attacks capable of causing the consequences identified in paragraph (a) of this section.

Discussion:
This paragraph is developed from § 73.54(c). The adjusted language implements a graded approach to cyber security to accommodate the wide range of reactor technologies to be assessed by the NRC. The graded approach will be further explained as part of a new regulatory guidance development effort.

The overall intent of this requirement is to address the need for the licensee to develop a cyber security program that implements a defense-in-depth protective strategy. A defense-in-depth protective strategy for cyber security is represented by collections of complementary and redundant security controls that establish multiple layers of protection to safeguard critical digital assets. Under a defense-in-depth protective strategy, the failure of a single protective strategy or security control should not result in the compromise of safety and security functions.


Preliminary Language:
([deleted: f] e) The licensee shall implement the following requirements in a manner that is commensurate with the potential consequences resulting from cyber attacks:

Discussion:
This paragraph is developed from §§ 73.54(d) through 73.54(h). The adjusted language implements a graded approach to cyber security to accommodate the wide range of reactor technologies to be assessed by the NRC. The graded approach will be further explained as part of a new regulatory guidance development effort.

Preliminary Language:
(1) As part of the cyber security program, the licensee [deleted: shall] must meet the requirements in §§ 73.54(d)(1), 73.54(d)(2), 73.54(d)(4), and the following:

(i) [deleted: Ensure] must ensure that modifications to assets, identified under paragraph ([deleted: d] b)(1) of this section, are evaluated before implementation to ensure that the cyber security performance objectives identified in paragraph (a) of this section are maintained.

Discussion:
The requirement is primarily intended to address the implementation of a cyber security program and the associated security life cycle activities for maintaining it, such as continuous monitoring and assessment, configuration management, ongoing assessment of security controls and program effectiveness, vulnerability scans/assessments, and cyber security event notifications. Potential conforming changes to § 73.77, Cyber security event notifications, are under consideration by the NRC staff.

(2) The licensee [deleted: shall] must establish, implement, and maintain a cyber security plan that implements the cyber security program requirements of this section in accordance with the requirements in § 73.54(e). of this section.

(i) The cyber security plan must describe how the requirements of this section will be implemented and must account for the site-specific conditions that affect implementation.

(ii) The cyber security plan must include measures for incident response and recovery for cyber attacks. The cyber security plan must describe how the licensee will:

(A) Maintain the capability for timely detection and response to cyber attacks;

(B) Mitigate the consequences of cyber attacks;

(C) Correct exploited vulnerabilities; and

(D) Restore affected systems, networks, and/or equipment affected by cyber attacks.

Preliminary Language:
(3) The licensee shall develop and maintain written policies and implementing procedures to implement the cyber security plan [deleted: in accordance with the requirements in § 73.54(f).]. Policies, implementing procedures, site-specific analysis, and other supporting technical information used by the licensee need not be submitted for Commission review and approval as part of the cyber security plan but are subject to inspection by NRC staff on a periodic basis.

Discussion:
Pointer replaced with requirement from § 73.54(f).

(4) The licensee shall review the cyber security program in accordance with the requirements in § 73.100([deleted: e] f).

Preliminary Language:
(5) The licensee shall retain all records and supporting technical documentation required to satisfy the requirements [deleted: in § 73.54(h).] of this section as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least three (3) years after the record is superseded, unless otherwise specified by the Commission.

Discussion:
Pointer replaced with requirement from § 73.54(h).
