Status of NRC Licensees’ Implementation of Cyber Security Plans
NRC/FERC Joint Commission Meeting
February 23, 2017

Agenda
• James Andersen, Director, Division of Physical & Cyber Security Policy, Office of Nuclear Security & Incident Response
• Cyber Program Requirements
• Implementation Milestones and Progress
• Looking Beyond Full Implementation

NRC Power Reactor Cyber Security
Over 15 years of progress
• 2009: 10 CFR 73.54, Cyber Security Rule
• 2012: Implementation/Oversight of Interim Cyber Security measures
• 2015: 10 CFR 73.77, Cyber Security Event Notification Rule
• 2017: Full implementation of Cyber Security requirements

Continuing FERC/NRC Cooperation
• FERC/NRC discussions on potential regulatory gaps
• Establishment of a “Bright Line”
• Memoranda of Agreement between NRC and FERC, and NRC and NERC

Interim Milestones (1-7) Addressed Significant Threats
• Implemented controls for the most risk significant assets
• Implemented by end of 2012
• Inspections completed 2013-2015

Continued Program Implementation
• Key Lessons Learned for Milestones 1-7
  • Identification of digital assets
  • Selecting security controls
  • Securing portable media and mobile devices
  • Determining the effectiveness of cyber security programs

NRC and Industry Preparing for Full Implementation (Milestone 8)
• Milestone 8 adds additional defense-in-depth
• Tabletops and workshops to exercise specific aspects of the guidance
• Training for NRC inspection staff
• NRC anticipates initiating Milestone 8 inspections in July 2017

Looking Beyond Full Implementation
• NRC staff plans to conduct lessons learned workshops to:
  • Evaluate requirements and guidance documents
  • Discuss inspection team composition, inspection procedures, and inspection periodicity

NRC Updating Cyber Security Roadmap
• Initial Commission Paper June 2012
• Currently updating roadmap
• Evaluating need for cyber security requirements at additional types of NRC licensees
  – Fuel cycle facilities
  – Non-power reactors
  – Independent Spent Fuel Storage Installations
  – Byproduct materials licensees
  – Decommissioning plants

Interactions with other Agencies
• Cyber Security Forum for Independent and Executive Branch Regulators
• Understanding the threat environment, sharing information with:
  • Department of Homeland Security
  • Federal Bureau of Investigation