NuclearPlantJournal.com Nuclear Plant Journal, September-October 2015
Protection from...
the program. They then had to identify all of the CDAs and then apply all of the controls for NEI 08-09, including its appendices D and E, and Reg Guide 5.71, Cyber Security Programs for Nuclear Facilities, appendices B and C. Each licensee had to address all of those controls for the CDAs within the plant.
6.
Is there any other document from NRC, NEI or any other organization which is helping the utilities and organizations like Black & Veatch to facilitate the implementation of protection against cyber threat?
Dahl:
NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, was created to provide guidance to the licensees for determining what digital assets should be classified as CDAs. It provides the criteria for determining whether or not a digital component is a safety-related, a security-related or an Emergency Preparedness (EP)-related CDA.
The latest document that has been published is NEI 13-10, Cyber Security Control Assessments, and it takes the CDAs and classifies them into three different groups. The first group is the indirect EP-related CDAs. The second is the indirect non-EP-related CDAs. The third group is direct CDAs. The document provides guidance to the licensees as far as what specific controls are required for the three groups and how to implement those controls. The direct CDAs have all 138 controls applied to them. The EP CDAs have five of what are referred to as baseline security controls. The indirect non-EP CDAs have seven baseline security controls. It's a way of applying the rest of the controls, or meeting the goals of the rest of the controls, but in a more streamlined fashion. Both of those documents have been endorsed by the NRC, although with NEI 10-04 they did take a couple of exceptions to it. They said, we're going to endorse this, but we think you should expand your scope of what you look at for the EP CDAs and the security-related CDAs.
In NEI 13-10 they’ve endorsed two
revisions. They’re working on a third
revision now. The goal is to provide more
detail for different types of components
based on the capabilities that they have.
So, what’s been endorsed at this point in
appendix six of NEI 13-10 is a description
of a very simple device. I believe it is
referred to as an A1. It’s a device that
doesn’t have network connectivity. It
doesn’t have user accounts. There is no
logical user interaction with it and they’re
basically saying, because of that, the
threat vector of these controls doesn’t
really apply. So, you don’t need to worry
about some of these 138 controls, because
essentially the absence of that control or
the failure of that control would have
no negative impact on a simple device.
We don’t have to worry about changing
passwords on a device where nobody
logs into it. The main aspect that people
discovered was that although they
believed there would be a small number
of CDAs at each plant, there were as
many as a thousand or more CDAs that
require protection at each plant.
Gribble:
You get a thousand of these different devices, and there are different strategies to implement the protection schemes. And the protections may just be for such items as a fax machine, but somebody's got to go through all the devices. Utilities have many other work demands every day, including operating the nuclear power plant safely and reliably. So, companies like Black & Veatch are able to step in and go through the assets, determining the threat vector and what the appropriate mitigating measures are, document all of this, then sit down with the utility, get their buy-in and the NRC's buy-in, and then implement those physical controls and modifications. Some of this may just be on paper. For instance, you add and use another designated fax machine if the primary one isn't working. Or it may be a physical modification, where you move some of the devices into a locked room and only with a different access code or a physical key can you gain access. You've got to go through those plans and then implement the modifications.
7.
What is the status of other countries
implementing cyber threat protection?
Gribble:
Black & Veatch, being
a global provider of infrastructure and
projects, is intimately involved across the
globe on cyber security issues. The U.S.
and other Western nations are leading
in addressing cyber security issues, and
that’s where our primary interaction has
been. The engagement overseas in other
utilities, we believe, will come as the
U.S. has implemented its standards and
mitigating measures.
Dahl:
At the two annual conferences in the U.S. that deal with cyber security issues for the nuclear space, the NEI cyber security workshop and the NITSL (Nuclear Information Technology Strategic Leadership) conference, there are always representatives of overseas utilities. NEI 08-09 and Reg Guide 5.71 are essentially the gold standard for cyber security. The Emirates Nuclear Energy Company (ENEC) hired a firm to essentially take NEI 08-09 and turn it into their cyber security plan. So, other countries are definitely looking at it.
8.
Concluding comments.
Dahl:
With the completion of milestones one through seven, with the data diodes and those types of protections included, the risk of a cyber attack causing significant damage to a plant is very low. I always tell people, the biggest risk to a nuclear plant in America today is the price of natural gas. And the biggest cyber security risk now, post milestones one through seven being implemented, is the risk of noncompliance with the rule. Companies are far more likely to be negatively impacted by the complexity of implementing that rule than they are by a cyber attack causing any kind of core damage or release of radioactivity. The risk is low but it is there. I don't want to totally diminish risk possibilities. However, the risk is not what you see portrayed in movies and TV. It is very much being handled in an appropriate way and licensees are working towards full program implementation, which will improve security even more.
Contact: Sean Clark, Black & Veatch
Corporation, 4451 Briarwood Court
South Annandale, VA 22003; telephone: