Staff members from the US Nuclear Regulatory Commission’s (NRC’s) Office of Nuclear Security and Incident Response and Office of Nuclear Reactor Regulation held a kickoff meeting on January 10 to discuss the planned assessment of the NRC’s Power Reactor Cyber Security Program. The assessment, based on the Nuclear Energy Institute’s PRM-73-18, “Petition to Amend 10 CFR 73.54, ‘Protection of Digital Computer and Communication Systems and Networks,’” as well as NRC guidance, marks 10 years since the publication of 10 CFR 73.54. The goals of the assessment are to ensure that all licensees have implemented and are complying with 10 CFR 73.54, and also to ascertain licensees’ processes for identifying critical digital assets (CDAs).
For more than a decade, the NRC has addressed cyber threats and has improved programs and oversight for nuclear power plants to identify and protect CDAs. CDAs interconnect plant systems performing safety, security, and emergency preparedness functions and are isolated from the internet. Initial requirements were imposed by orders issued after the September 11, 2001, terrorist attacks. The NRC’s cybersecurity rule, finalized as 10 CFR 73.54, was published in March 2009 and covers power reactor licensees and applicants for new reactor licenses.
10 CFR 73.54 requires NRC licensees to provide high assurance that digital computer and communications systems and networks are adequately protected against cyberattacks, and each licensee must submit a cybersecurity plan (CSP) for Commission review and approval. The purpose of the CSP is to describe how the licensee implements the requirements of 10 CFR 73.54, in particular the identification of CDAs. The NRC developed Regulatory Guide 5.71 to aid licensees in the identification of CDAs. The Regulatory Guide directs licensees to address the potential cybersecurity risks to CDAs by applying the defensive architecture and the collection of security controls identified in the Regulatory Guide.
At the kickoff meeting, NRC staff and industry representatives spoke of the significance of the assessment, given the threat of radiological sabotage and the cyber threat, which has grown drastically since 10 CFR 73.54 was published. During the open meeting, industry participants discussed their experiences implementing the program and also raised concerns with certain aspects of it, such as the appropriate scope of CDAs that need to be covered under each licensee’s CSP.
The NRC staff currently plan to engage with assessment team members every two weeks through March, with a mid-process public meeting in mid-March; the process will then conclude with a final public meeting in April or May. The NRC plans to publish the assessment’s final report in June. We will continue to monitor developments, including the issuance of the final assessment.