By Rich Heidorn Jr.
The Nuclear Regulatory Commission briefed FERC on its plans to replace its time-intensive inspections of licensees’ cybersecurity plans with a more “risk-informed” approach at the two agencies’ annual public meeting Sept. 25.
NRC published its cybersecurity rule (10 CFR 73.54) in 2009, with interim implementation due by December 2012 and full implementation in December 2017. The rule requires that nuclear power plant licensees provide high assurance that their digital computer and communication systems and networks are adequately protected against cyberattacks. It focuses on critical digital assets (CDAs) — those whose failure could result in an adverse impact on safety, security and emergency preparedness functions.
The commission has now completed full implementation inspections of almost two-thirds of its 57 licensees, Shana Helton, director of its Division of Physical and Cyber Security Policy, told FERC during the meeting at NRC headquarters outside D.C., in Rockville, Md. Each inspection is two weeks long and is conducted by teams of two regional inspectors and two technical support contractors.
NRC expects to inspect the remainder of its licensees by the first quarter of fiscal 2021. But it doesn’t plan to repeat the time-consuming inspections going forward, Helton said.
“We’re taking a look at our regulations, our guidance — but also our oversight,” she said in response to a question from FERC Commissioner Richard Glick. “We’ve had some very intensive [inspections]. … We feel that was an appropriate level of inspection for looking at the initial full implementation by licensees. But going forward … we think there are places where we could do more to further risk-inform as well as perhaps look at performance-based indicators and see if we could use those to influence our inspection programs. So that’s work that we’re going to be undertaking in the very near future.”
The new approach resulted from feedback collected during a six-month cybersecurity assessment by NRC staff and cybersecurity specialists from Idaho National Laboratory.
The assessment, completed in July, recommended “a more risk-informed, graded approach” to identifying CDAs and providing more credit for existing plant programs addressing insider mitigation, physical security and configuration management.
The assessment team also was tasked with developing a near-term plan to develop “a further risk-informed approach to scoping critical digital assets related to emergency preparedness as well as those related to balance of plant, with a focus of aligning with the [NERC] critical infrastructure protection standards,” Helton said.
Inspector General Audit
Following an audit of the cybersecurity inspections, NRC’s inspector general also recommended a risk-influenced approach, noting that the number of CDAs identified has far exceeded what was expected when the rule was finalized a decade ago.
The audit, released in June, called for identifying performance measures similar to those used in NRC’s Reactor Oversight program, saying it would make the inspections “more efficient and reliable without diminishing the level of assurance.”
The audit cited the National Institute of Standards and Technology’s Guide to Industrial Control Systems (ICS) Security, which identified as potential metrics vulnerability assessment and patching, equipment changes, equipment configurations, and antivirus software management.
“Current cybersecurity inspections are largely programmatic and compliance-based. The principal focus of the inspection procedure is verifying that the key cybersecurity program elements have been established and are working together effectively in a viable program,” the IG wrote. “The broad scope inspection, while effective, cannot be sustained beyond the current commitment. The current inspection program is resource-intensive for both the licensees and the agency, and requires a wide range of hours to complete, depending on conditions at each facility inspected.”
The audit also identified a need to address staffing challenges in the inspection program, which relies on providing cybersecurity training to regional inspectors who are also responsible for fire protection and other issues. “Since inspectors perform other, non-cybersecurity inspections, maintaining cybersecurity expertise can be difficult,” the auditors said.
They also noted that about 26% of NRC’s regional Divisions of Reactor Safety staffers are currently eligible for retirement, a percentage that will increase to 32% by the end of FY 2020.
“If staffing levels and skillsets do not align with cybersecurity inspection workload requirements, NRC’s ability to adapt to a dynamic threat environment and detect problems with licensees’ cybersecurity programs could be compromised,” the IG said.
The audit concluded that NRC’s cybersecurity inspections “provide reasonable assurance” that licensees are meeting the agency’s regulations.
Findings: ‘Very Low Safety Significance’
Helton agreed. “Our staff has found that in most instances, licensees understand what it takes to fully implement the NRC’s cyber requirements and have adequately implemented their cybersecurity programs,” she said. The inspections so far have resulted in findings of “very low safety significance” mostly concerning documentation, she added.
“Licensees may have controls in place, [but] they might be a little bit different than what was described in their cybersecurity plan,” she explained. “In those cases, they’ve been of very low safety significance because they do have appropriate alternative measures in place, and there’s substantial defense in depth. But they need to reflect that in their cybersecurity plans.”
From Analog to Digital
While most of the U.S. nuclear fleet was built more than 40 years ago and is largely analog, upgrades at those plants are increasingly using digital technology.
“There can be challenges with trying to replace an analog design, from the standpoint that the component may or may not be produced any longer and manufacturers are moving more and more toward using digital [technology] where they can,” Helton said. “So we rely on licensees’ configuration management processes. As they acquire a new system, they do need to look at the cybersecurity involved with that.”
Companies seeking licenses for new reactor designs with more sophisticated and integrated digital assets must submit cybersecurity plans with their applications.
NRC is currently working with licensee Southern Nuclear on the AP1000 design it is using for Vogtle Units 3 and 4 “to better understand key design elements of the plant and the licensee’s schedule for implementing cybersecurity requirements,” Helton said. Southern’s cyber controls must be in place prior to Vogtle’s receipt of nuclear fuel on site.
FERC Chair Neil Chatterjee asked how NRC’s cybersecurity incident reporting rules compare with NERC CIP requirements.
Helton said there are several reporting requirements in 10 CFR 73.77. “Anything that is having an impact directly on the safety and security of the plant, we’ll hear about it within an hour,” she said, adding other incidents carry four-hour reporting requirements.