The nuclear power industry is working hard to protect its plants from cyber attacks. The Nuclear Regulatory Commission (NRC) issued 10 CFR 73.54, “Protection of digital computer and communication systems and networks,” which requires power plant licensees to protect their systems and networks. Licensees must have a Cyber Security Plan that applies and maintains defense-in-depth strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities,” describes an acceptable method for implementing a defensive architecture. NEI 08-09, Revision 6, “Cyber Security Plan for Nuclear Power Reactors,” further describes what is required to protect the plant's digital assets. In our nuclear power plants, cybersecurity is a requirement dictated by the NRC, which provides the details on what good will look like. The goal is to protect every digital device that applies to safety, security, and emergency preparedness functions.
Cybersecurity has been implemented as a phased project. The first phase was to establish a cybersecurity program, which included developing policies and procedures to control the program. The initial milestone was completed by December 31, 2012, and included the following:
1. Establishment of a Cybersecurity Assessment Team (CSAT) with collective knowledge in digital systems and plant operations.
2. Identification of Critical Systems and the Critical Digital Assets within those systems.
3. Isolation of critical plant systems by use of one-way devices that allow only outbound communications.
4. Implementation of security controls for portable media.
5. Establishment of programs to look for obvious signs of tampering.
6. Implementation of cybersecurity controls for the most important digital assets.
7. Establishment of an on-going monitoring program for all assets whose cybersecurity controls have been implemented.
The number of digital assets that require protection under this program is well over a thousand per power plant. The second phase of the project is to implement the security controls for all the remaining digital assets not completed as part of the first phase. This phase is ongoing, with end dates varying according to the number of digital assets within each power plant.
The NRC performs inspections of each phase to ensure the licensees are properly implementing the regulations. Anything that does not meet the NRC requirements must be corrected in a timely manner.
Protecting our most important assets and facilities is of first importance in cybersecurity. Learn more about cybersecurity and get involved in this growing field by enrolling in classes!