
Nuclear Plant Journal, September-October 2015 NuclearPlantJournal.com
Richard Dahl
Richard Dahl, formerly of Black & Veatch, is the founder of cmplid:// inc., a software company offering security management automation solutions to the nuclear, bulk electric, and other critical infrastructure industries. His previous experience includes over 20 years in the cyber security field providing consulting services to many organizations in a variety of situations. Richard has spent most of the last six years dedicated to nuclear cyber security and has participated in inspections and industry information sharing initiatives. He began his career as a counterintelligence agent in the U.S. Army, and the diversity of his experience gives him practical insight into almost all aspects of security.
3. Has the US NRC issued a regulation for cyber protection?
Dahl:
Absolutely. 10 CFR 73.54
essentially states that all nuclear power
plants must have a cyber-security plan
as part of their physical security plan.
And for the implementation, the NRC
published Regulatory Guide (Reg Guide)
5.71: Cyber Security Programs for
Nuclear Facilities and the Nuclear Energy
Institute (NEI), published NEI 08-09:
Cyber Security Plan for Nuclear Power
Reactors. NEI 08-09 became the template
for the cyber security plans that were
adopted by each individual plant. They
were included in a license amendment
request and they were all approved by
the NRC. NEI 08-09 required each
plant to address about 138 controls that
were included within the document.
Those controls were developed from
a document published by the National
Institute of Standards and Technology
(NIST), Special Publication (SP) 800-
53: Recommended Security Controls
for Federal Information Systems and
Organizations. The guidance within NEI
08-09 became the basis for protecting
the plants from a cyber attack. So that is
definitely within the regulatory space.
The implementation of this cyber
security plan was divided into eight
milestones. The first seven milestones
were due and were implemented by every
plant by the end of December 2012. They
are now working on milestone eight,
which is referred to as full program
implementation. Implementation of
this milestone is generally in 2016
or by December 2017, depending on
the particular licensee. So, they’re all
working towards securing their critical
digital assets (CDAs), the digital
components that support Safety, Security
or Emergency Preparedness (SSEP).
Plant owners are currently evaluating
those CDAs and addressing the controls
prescribed for them within NEI 08-09.
4. If a plant has all analog, is cyber security still a concern?
Dahl:
They’ve all been upgraded
since they began operating. I doubt there
is a plant operating today that only has
analog systems. Every plant I am aware
of has some digital equipment in it that
supports SSEP functions.
Gribble:
Now, interestingly enough, we've dealt with a number of utilities that in some of their designs, just equipment upgrades, they will at times avoid digital assets, a PLC or a digital-type measuring device. They use an analog-type configuration, just to avoid all the cyber security aspects and risks. This is a strategy that plants have been implementing to stay more in the analog space when they are able.
5. What are the highlights of the above stated Reg Guide and the NEI guideline and the Code of Federal Regulations?
Dahl:
The Code of Federal Regulations 10 CFR 73.54 is only about a paragraph or two long and very simple. It states that you need to implement a cyber security plan that addresses protection of the digital equipment from cyber attack.
If you look at the Gramm-Leach-Bliley Act for the banking industry, there's a very simple paragraph included that states you have to have an information security plan to protect your customers' data. And that's about the extent of it. SOX 404 top-down risk assessment (Sarbanes-Oxley Act Section 404) has a very simple statement about cyber security. Cyber security cannot be codified into a federal law very easily because of its complexity and the speed at which understood threats and appropriate countermeasures change. It's just too complex and moving too fast. So generally speaking, all the laws state that your actions must be deemed appropriate by your regulator.
What Reg Guide 5.71 and NEI 08-09 specify is very similar. There are very few differences between those documents. Essentially, they're divided up into a couple of different sections. The first section is the template for a cyber security plan. Essentially, most of the text in it is black. In NEI 08-09 there was some text that was blue, and there was some text that was green. And each licensee basically took them and changed the blue text to reflect the names of their plant and the particulars of their organization, and then changed the green text to reflect their defensive strategy for their networks. This is where they were going to put the data diodes versus where they were going to place firewalls and Intrusion Detection Systems. And then all of the black text they pretty much accepted. NEI 08-09 outlined what was needed for cyber security management structure, assessment requirements, and implementation of and ongoing management of the individual controls contained therein. Licensees also had to put together the appropriate responsibilities for plant personnel and ensure training and effective organizational change management for