Sunday, January 17, 2010

2010 Blasts in with Regulatory Cybersecurity Bar Raising
- NERC CIP-002-4 (Project 706 Ph II) and NRC RG 5.71- both with NIST Enhancements

Last updated 1/24/2010
As 2010 opens, beefed-up regulatory scope and rigor around cybersecurity are taking shape on both the Bulk Electric System (BES) and commercial Nuclear Power Plant (NPP) fronts, even as expanding regulatory scrutiny focuses on assessing the status of current requirements and programs.

Draft NERC CIP-002-4 Released. Now in Phase II, NERC Project 706 (to address FERC Order 706-A) released draft standard CIP-002-4, Cyber Security - BES Cyber System Categorization (16 pages, w/VSLs), in December for an informal comment period through February 12th. This version calls for a significantly more extensive risk assessment process:
  • Substantially addresses concerns raised in Assante's April 2009 letter; see Assante Throws Down the Gauntlet on CIP-002.
  • Rather than just focusing on what to include, requires a complete inventory of BES Cyber Systems before categorization determinations are made.
  • Getting (more) NISTy, with a graded BES impact assessment and commensurate controls: a high, medium, low (catch-all) impact ranking.
  • Emphasizes functional assurance, not just security around functions.
  • Specific Violation Severity Level (VSL) penalties are called for if mis-categorization is determined to have taken place.
  • NPP applicability: structures, components, equipment and systems of facilities within a nuclear generation plant that are not regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
  • More: the effective date is two years after approval (the "eighth calendar quarter"); a bottom-up, conservative approach with granular assessment/engineering evaluation expectations; various impact categorizations for assessment addressing inadvertent/adverse changes; example fishbone diagramming of dependencies. See the Draft Guidance Document (10 pages).

    Updated 1/24/2010
  • On Feb 3rd, 2010 at 1 p.m. EST, NERC is scheduled to host a webinar, "Proposed Revisions to CIP-002-4" (register).

NRC RG 5.71 Released. Following the November 23, 2009 deadline for NPPs to file required Cyber Security Plans for review and approval (per NRC regulation 10 CFR 73.54), the NRC released regulatory guide RG 5.71, Cyber Security Programs for Nuclear Facilities (copy, 100+ pages, including template and appendixes) earlier this month; source: NRC Regulatory Guides - Materials and Plant Protection (Division 5). This now-public regulatory guide formally expands on and supersedes the industry-developed NEI 04-04 that the NRC had previously endorsed. Some argue it is like going back to a blank piece of paper to stand up a new program. That is not entirely true, but RG 5.71 is still very dense as regulatory guides go, and it is also getting more NIST-aligned (more). Commercial nuclear has gone through a number of development steps over the last decade; see NEI Power Plant Security - Cybersecurity.

More perspective on RG 5.71 can be gained from reviewing the NRC's Advisory Committee on Reactor Safeguards (ACRS) 567th Meeting, November 2009, Official Transcript (copy, about 330 pages; a good place to start is page 98 for "cybersecurity", then jump to page 275 for more specific RG 5.71 coverage). The guide itself is written for the cybersecurity professional and covers aspects that other readers may miss when reading through it.

FERC Order 706-B - NRC/NERC MOU Released. FERC recognized a regulatory gap with Order 706-B: the NRC, primarily focused on public safety and the nuclear-safety-significant aspects of NPPs, does not have regulatory scope addressing continuity of power. FERC Order 706-B states that balance-of-plant systems at NPPs not regulated by the NRC must comply with the NERC CIP Standards, and it requires NERC to make a compliance filing outlining the implementation schedule. An NRC/NERC MOU released last week establishes a working agreement consistent with FERC Order 706-B. FERC's December 17th filing expects an additional compliance filing from NERC to more clearly address (i) how it will be determined which systems fall under which program (NRC cyber security or NERC CIP), and (ii) an exception process for exempting systems that fall under the NRC cyber security program from CIP compliance.

  1. Informal Comment Form: Project 2008-06 Cyber Security Order 706, CIP-002-4 (due 2/12/2010)
  2. NRC and NERC Execute Memorandum of Understanding Regarding Enforcement of Cyber Security Requirements, Morgan Lewis Energy LawFlash, January 12, 2010
  3. NRC regulation 10 CFR 73.54, Protection of digital computer and communication systems and networks
  4. NIST on a roll with "Historic" Security Controls Guidance (SP 800-53 Rev 3)
