NERC Bright- Line Presentation by 7SjX48t

VIEWS: 16 PAGES: 29

									Nuclear Power Plant “Bright-Line”

NERC:   Tim Roxey and Jim Hughes
NRC:    Perry Pederson and Ralph Costello


Charlotte, NC           April 22, 2010
Phoenix, AZ             April 26, 2010
Philadelphia, PA        May 4, 2010
Chicago, IL             May 6, 2010
Workshop Topics

 Bright-Line Requirement

 Cyber Security at NRC

 Bright-Line Process

 NRC’s Position Relative to the MOU

 Bright-Line Survey

 NERC Point of Contacts

 Q & A – Please hold questions and comments to the
  end of the presentation
                                                      2
“Bright-Line” Requirement


 Establish the FERC and NRC jurisdictional delineation of
  Nuclear Power Plant (NPP) Systems Structures and
  Components (SSC) through the creation of an exemption
  process for excluding certain SSCs from the scope of
  applicable NERC Standards as provided in FERC Order No.
  706-B



                   Bright-Line

                                                        3
Cyber Security at NRC

NRC/NERC Bright-Line Workshop


            Perry Pederson
     NSIR Security Specialist (Cyber)
Overview

 • 10 CFR 73.54
 • Regulatory Guide 5.71
10 CFR 73.54
• High-level, Performance-Based, Programmatic
  − FOCUS: Prevention of Radiological Sabotage
  − Generic (i.e., not reactor-specific)
  − Consistent with physical security regulatory
    approach
• Basic Requirements
  −   Systems that must be protected
  −   Defense-in-Depth protective strategy
  −   Application of security controls
  −   Implementation details maintained on site
  −   Submit Cyber Security Plans to NRC for approval
• Cyber Security Plans
  − Site-specific processes and criteria
RG 5.71 Overview
                               Published
• Components                   Jan 2010
  −   Main Body
  −   Appendix A (generic cyber security plan template)
  −   Appendix B (technical security controls)
  −   Appendix C (operational/management security
      controls)
• Performance-Based, Programmatic
  − Consistent with NIST recommendations
  − Flexible and minimally prescriptive with burden on
    licensees to establish effective programs
• Alignment with Digital I&C Interim Staff
  Guidance
  − ISG-1
  − ISG-4
  − RG 1.152
RG 5.71 Guideline
  Form Cyber Security Team



 Identify Critical Digital Assets



 Apply Defensive Architecture



  Address Security Controls

 1.   Address each control for each CDA
 2.   Or, apply alternative measures
 3.   Or, explain why a control is N/A
Bright-Line Process

NERC:   Tim Roxey
Cyber Controls – NPP a Total View
      Security Controls to address                                           Bulk Power Reliability Controls:
                                            NRC       FERC/NERC
   - 10 CFR 73.1 (Design Basis Threat)                                    Section 215 of the Federal Power Act
      - 10 CFR 73.54 (Cyber Security)                                    18 CFR Conservation of Power and Water
                                                                                       Resources
         Performance Objective:                                                      Regulatory Basis:
                                                                                      Grid Reliability
       PREVENT RADIOLOGICAL
              SABOTAGE                                                               NERC Governance:
                                                                        Rules of Procedures section 400 “Compliance
                                                                                   Enforcement Program”



             Title 10 Scope:
                                                                                 FPA Section 215 Scope:
          Systems that support
                                                  Fully compliant
            -Safety functions               NOTE:Title 10It should be       Balance-of-Plant “Support Systems”
                                                                               that do not adversely impact:
           -Security functions
    -Emergency Response functions
                                                          that
                                             notedTitle 10 215 there
                                                         and
                                                   Fully compliant
                                                  FPA Section
                                                                                     -Safety functions
                                                                                    -Security functions
      - Support Systems that could
    adversely impact one of the above
                                            will be some SSCs                -Emergency Response functions
                functions
    NRC REGULATORY GUIDE 5.71
                                              that will not be
                                            impacted by either                    FERC Order 706/706B:

                                               Bright-Line
                                              NRC or NERC                  Identify those SSCs that are exempted
                                                                             from NERC jurisdiction and thereby
                                                                            MAY not be subject to applicable CIP
  Individual licensee Cyber Security Plan
         submitted (10 CFR 73.54)
                                               requirements.                              standards

   Individual COL Applicant submitted (
              10 CFR Part 52)                                                      NERC CIP 002 - 009
                                                                                                                 2
Bright-Line History

 January 18, 2008: FERC issued Order No. 706 adopting
  CIP-002 – 009 standards
   • CIP-002 - 009 Standards exempt facilities regulated by the NRC

 March 19, 2009: FERC issued Order No. 706-B, certain
  balance of plant (BOP) SSCs are subject to compliance
  with NERC CIP Reliability Standards
   • No “dual regulation” i.e., Bright-Line

 September 14, 2009: NERC’s NPP CIP Implementation
  Plan for each NPP, by requirement, filed to FERC
   • R = FERC Effective Date,
   • S = Scope of Systems Determination and,
   • RO = Next Refueling Outage beyond 18 months (R+6)
                                                                      3
Bright-Line History (Cont’d)

  December 17, 2009: FERC Order directing NERC to
   present a process on how SSCs are exempted from
   NERC Reliability Standards by January 19, 2010 (Bright-
   Line)
  December 30, 2009: Historic MOU executed between
   the NRC and NERC identifying their roles and
   responsibilities
  January 19, 2010: NERC filing to FERC the details on
   the exemption process for NPP
     Coordinated with the NRC to determine those SSCs subject to
      NERC jurisdiction and those SSCs subject to NRC jurisdiction –
      Generic List
  March 18, 2010: FERC Order approving NERC’s Bright-
   Line & Implementation plan (R = March 18, 2010)                     4
Confidential Information

NERC’s Handling of Confidential Information

• The information provided by the NPPs to NERC will be
  handled in accordance with the NERC Rules of Procedure
  (RoP) section 1500 “Confidential Information” if that
  information is so designated by the NPP

• NERC and regional staff that review information that is SGI
  will be Safeguard Authorized per 10 CFR §73.21 & §73.22

• NERC will establish “Reviewing Officials” for SGI per the
  MOU

                                                              5
Collection of Information

NERC Authority to Collect Bright-Line Information

▪ Section 215 of the Federal Power Act (16 U.S.C. §824o):
   • Established NERC as the ERO to enforce NERC Standards

▪ Title 18 C.F.R §39.2(d) (FERC’s Regulations):
   • User, owner or operator of the bulk power system shall provide
     such information as is necessary to implement section 215 of the
     Federal Power Act to FERC/ERO/Region

▪ NERC Rule of Procedure 400, Section 10.1:
   • Information Submittal - Each Regional Entity has the authority to
     collect the necessary information to determine compliance


                                                                         6
North American Energy Reliability
         Corporation and
 Nuclear Regulatory Commission
 Memorandum of Understanding




                   Ralph Costello
                    Team Leader
  Office of Nuclear Security and Incident Response
           Nuclear Regulatory Commission
                         1
                                     NRC - NERC MOU
• Cooperation –NERC’s disposition of exceptions
  – Brightline process
  e.g. Safety and Important to safety systems,           e.g. Systems, structures,
  Security systems, and Emergency Preparedness           and components subject
  systems                                                to FERC requirements




      FERC Order 706B permits licensees to seek “exceptions” to compliance with
       NERC CIPs for digital systems subject to both FERC and NRC regulations
                                         2
            NRC - NERC MOU Cont.

• Share information relative to digital assets
  governed by the other party’s cyber security
  requirements



• Coordinate to maximum extent on the process for
  conducting inspections



                          3
            NRC - NERC MOU Cont.

• Sharing of all information necessary to carry out
  the intent of the MOU



• Coordinate on all public announcements of
  enforcement actions relative to cyber security
  requirements and coordinate the resolution of
  issues involving enforcement actions

                          4
              NRC - NERC MOU Cont.
      Memorandum of Understanding

http://www.nrc.gov/reading-rm/doc-collections/news/2010/10-
                           005.html

     http://edocket.access.gpo.gov/2010/2010-229.htm




                             5
Nuclear Power Plant “Bright-Line" Survey


Jim Hughes
Workshop Objectives

 Terminal Objective:
  • Identify the requirements to complete the NERC
    Bright-Line Survey


 Enabling Objectives:
  • Identify where to find the Bright-Line documentation
  • Identify the critical attributes of the Bright-Line Survey




                                                                 2
Bright-Line Documentation

 Provided on the NERC Web site:
  • FERC Orders
  • NERC/NRC MOU
  • Presentation Materials
  • Bright-Line Survey

   http://www.nerc.com/page.php?cid=3|23|347


                                           3
Bright-Line Survey Overview


 Introduction & Scope
 Due Date and Contact Data
 Survey Items 1 and 2
 Company Information and Approval
 Generic SSC lists
  • Attachment I (SSCs under NERC Jurisdiction)
  • Attachment II (SSCs Excluded from Attachment I)

                                                      4
Bright-Line Survey

Survey Item 1
 Does Attachment I include all SSCs in your power
  plant that could impact reliable delivery of electricity
  to the Bulk Power System or manage critical energy
  infrastructure information?
    Exclude those SSCs in Attachment II




                                                       5
Bright-Line Survey


 Survey Item 2
   If the answer to Survey Item 1 is “No” please
    revise the list to add to or remove SSCs from
    Attachment I
    • All changes to Attachment I must be accompanied with the
      basis for those changes




                                                                 6
Next Steps

 Special Registration for NPPs
 Surveys will be e-mailed to each CC/NPP
  on or before June 25, 2010
 Surveys shall be completed by NPPs and
  returned to NERC on or before
  July 23, 2010                       “S” Date
 NERC to review and approve, with NRC
  coordination, the completed Bright-Line
  surveys on or before October 15, 2010     7
Important Takeaways

 Do not provide information such as IP
  Addresses, and asset/network
  vulnerabilities
 Recommended that System Engineering
  complete Survey Items 1&2
 Need accurate subject matter expert point
  of contact data
 The Bright-Line Attachment 1 is complete
  after NERC review (October 15, 2010)
                                              8
NERC Contact Data

 E-mail completed survey to Jim.Hughes@nerc.net
   • Phone: 609-203-2288
 Secondary contact: Tim.Roxey@nerc.net
   • Phone: 410-474-9240
 Alternate contact: Monica.Benson@nerc.net
   •   Phone: 609-524-7073


If mailing completed survey:
         North American Electric Reliability Corporation
         c/o Jim Hughes
         116-390 Village Boulevard
         Princeton, New Jersey 08540-5721
                                                           9
Questions?

								
To top