May-June 2016, Nuclear Plant Journal - page 43

Cyber Security Assessment Tool
By Laura Snyder, Tennessee Valley Authority.
Laura Snyder is the Senior Manager,
Nuclear Cyber Security Program,
Nuclear Engineering, responsible for the
implementation of TVA’s cyber security
program for its nuclear fleet. She holds
a BS Engineering degree from the
University of Tennessee, Chattanooga.
She has 22 years of engineering
experience in the nuclear fleet’s
Computer Engineering Department.
Her background includes analyzing,
designing, developing, installing, testing,
and maintaining real time process
monitoring/control computer systems
and networks. Most recently, she has
been responsible for implementation of
the Nuclear Cyber Security Program.
She serves on the NEI Cyber Security
Task Force and received a TIP Award
for TVA’s nuclear fleet cyber security
assessment process.
Nuclear Energy Institute’s Top Industry
Practice (TIP) Awards highlight the
nuclear industry’s most innovative
techniques and ideas.
This innovation won the 2015 Materials,
Management Processes and Support
Services Award.
The team members who participated
included: Laura Snyder, Senior Manager,
Nuclear Cyber Security (TVA); Jamie
Crocker, Systems Analyst, Real Time
Computer Systems (TVA); Galen Riley,
Systems Analyst, Real Time Computer
Systems (TVA); Heather Pickard,
Systems Analyst, Real Time Computer
Systems (TVA); Mike Zavislak, I&C
Engineer, Real Time Computer Systems
(TVA).
Summary
10 CFR 73.54, “Protection of Digital
Computer and Communication Systems
and Networks,” requires each nuclear
plant to develop a cyber security plan
that provides high assurance that digital
computer and communication systems
and networks are protected from cyber
attack. Those digital assets which meet
any of the following criteria are within
the scope of the “Cyber Security Rule”
and must be protected from unauthorized
access and manipulation.

Performs safety related function.

Performs function that is important to safety.

Performs emergency preparedness function including offsite communications.

Performs security function.
In addition, because TVA is a federal
agency, TVA’s cyber security program
must address Office of Management
and Budget (OMB) cyber security
requirements set forth in the Federal
Information Security Management Act
(FISMA).
TVA’s nuclear generating fleet identified approximately 7800
critical digital assets subject to these
requirements. Each of these devices
must be evaluated against approximately
670 cyber security controls. Therefore,
the assessment process must address
approximately 5,200,000 control-asset
interactions.
In response to this challenge, TVA’s
Computer Engineering Group developed
a cyber security assessment process and
tool that seamlessly integrates the two sets
of cyber security requirements into one
program. When the tool was developed,
no commercial product was available that
captured information about the digital
assets in plant systems, the applicability
of the hundreds of cyber security controls
that they must be evaluated against, and
the remediation actions necessary to
address identified vulnerabilities. What
makes this tool unique is that it contains
the logic, functionality, and assessment
methodology that streamlines the
assessment process and the application of
cyber controls to the plant’s digital assets.
It also enables TVA to automatically
generate system security plans that
document the assessment results.
The assessment tool enabled TVA
to evaluate all 5.2 million control-asset
interactions and develop remediation
plans for the nuclear fleet
in 42 weeks. The tool not only ensured
standard application of the assessment
methodology across the fleet, it also
standardized the application of the cyber
security controls to all digital assets
within the scope of the NRC and OMB
programs. The tool ensured consistency
in the development of remediation actions
to address identified vulnerabilities
and consistent documentation of the
assessment results.
The chief outputs of the tool are
system security plans which document
the status of each control-asset
interaction and remediation actions for
compliance. Use of the tool also reduced
the risk of human performance errors
in the assessment process. Vetting the
remediation actions and consistently
applying the cyber security controls helps
reduce the risk of a cyber attack.
The tool supports not only the baseline
cyber security assessments performed
as part of the cyber security program’s
initial rollout, it also supports changes
to the plant as part of the configuration
management processes to ensure changes
to the plant’s digital devices are assessed
against the same criteria and documented
in the same manner. It ensures that the
cyber security controls are applied in
the same manner and that remediation
actions are addressed during the design
process.
Safety Response
The Cyber Security program is
designed to protect critical digital
assets and systems in the plant from
unauthorized access and manipulation.
Cyber attacks are occurring at an alarming
frequency across the country. No industry
is immune to the threat. Even non-
malicious incidents can adversely impact
plant operations and present challenges
to plant operators. A comprehensive
assessment process is required to identify
the critical systems and their associated
critical digital assets. Consistent