Nuclear Power Plant "Bright-Line" NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello.

Slide 1

Nuclear Power Plant "Bright-Line"
NERC: Tim Roxey and Jim Hughes
NRC: Perry Pederson and Ralph Costello
Charlotte, NC April 22, 2010
Phoenix, AZ April 26, 2010
Philadelphia, PA May 4, 2010
Chicago, IL May 6, 2010

Slide 2

Workshop Topics
Bright-Line Requirement
Cyber Security at NRC
Bright-Line Process
NRC's Position Relative to the MOU
Bright-Line Survey
NERC Points of Contact
Q & A – Please hold questions and comments until the end of the presentation

Slide 3

"Bright-Line" Requirement
Establish the FERC and NRC jurisdictional boundary for Nuclear Power Plant (NPP) Systems, Structures and Components (SSCs) through the development of an exemption process for excluding certain SSCs from the scope of applicable NERC Standards, as provided in FERC Order No. 706-B.

Slide 4

Cyber Security at NRC / NERC Bright-Line Workshop
Perry Pederson, NSIR Security Specialist (Cyber)

Slide 5

Overview
10 CFR 73.54
Regulatory Guide 5.71

Slide 6

10 CFR 73.54
High-level, performance-based, programmatic
FOCUS: Prevention of radiological sabotage
Generic (i.e., not reactor-specific)
Consistent with the physical security regulatory approach
Basic requirements:
Systems that must be protected
Defense-in-depth protective strategy
Application of security controls
Implementation details maintained on site
Submit Cyber Security Plans to NRC for approval
Cyber Security Plans: site-specific procedures and criteria

Slide 7

RG 5.71 Overview
Published January 2010
Components:
Main Body
Appendix A (generic cyber security plan template)
Appendix B (technical security controls)
Appendix C (operational/management security controls)
Performance-based, programmatic
Consistent with NIST recommendations
Flexible and minimally prescriptive, with the burden on licensees to establish effective programs
Alignment with Digital I&C Interim Staff Guidance: ISG-1, ISG-4, RG 1.152

Slide 8

RG 5.71 Guidance
Form Cyber Security Team
Identify Critical Digital Assets
Apply Defensive Architecture
Address Security Controls:
Address every control for each CDA,
or apply alternative measures,
or explain why a control is N/A

Slide 9

Bright-Line Process
NERC: Tim Roxey

Slide 10

Cyber Controls – NPP, a Total View
NRC: Security Controls to address – 10 CFR 73.1 (Design Basis Threat), 10 CFR 73.54 (Cyber Security)
Performance Objective: PREVENT RADIOLOGICAL SABOTAGE
FERC/NERC: Bulk Power Reliability Controls – Section 215 of the Federal Power Act, 18 CFR Conservation of Power and Water Resources
Regulatory Basis: Grid Reliability
NERC Governance: Rules of Procedure section 400 "Compliance Enforcement Program"
Title 10 Scope: Systems that support Safety functions, Security functions, Emergency Response functions, and Support Systems that could adversely affect one of the above functions (NRC Regulatory Guide 5.71)
FPA Section 215 Scope: Balance-of-Plant "Support Systems" that do not adversely affect Safety functions, Security functions, or Emergency Response functions
Fully compliant: Title 10 and FPA Section 215
NOTE: It should be noted that there will be some SSCs that will not be affected by either NRC or NERC requirements.
Fully compliant: Title 10
Bright-Line (FERC Order 706/706-B): Identify those SSCs that are exempted from NERC jurisdiction and therefore MAY not be subject to applicable CIP standards
Individual licensee Cyber Security Plan submitted (10 CFR 73.54)
Individual COL Applicant submitted (10 CFR Part 52)
NERC CIP-002 – 009

Slide 11

Bright-Line History
January 18, 2008: FERC issued Order No. 706 adopting the CIP-002 – 009 standards; the CIP-002 – 009 Standards excluded facilities regulated by the NRC
March 19, 2009: FERC issued Order No. 706-B; certain balance of plant (BOP) SSCs are subject to compliance with NERC CIP Reliability Standards; no "dual regulation", i.e., Bright-Line
September 14, 2009: NERC's NPP CIP Implementation Plan for each NPP, as required, filed with FERC
R = FERC Effective Date, S = Scope of Systems Determination, and RO = Next Refueling Outage beyond 18 months (R+6)

Slide 12

Bright-Line History (Cont'd)
December 17, 2009: FERC Order directing NERC to submit, by January 19, 2010, a process for how SSCs are exempted from NERC Reliability Standards (Bright-Line)
December 30, 2009: Historic MOU executed between the NRC and NERC recognizing their roles and responsibilities
January 19, 2010: NERC filing with FERC of the details of the exemption process for NPPs; coordinated with the NRC to determine those SSCs subject to NERC jurisdiction and those SSCs subject to NRC jurisdiction – Generic List
March 18, 2010: FERC Order approving NERC's Bright-Line & Implementation plan (R = March 18, 2010)

Slide 13

Confidential Information
NERC's Handling of Confidential Information
The information provided by the NPPs to NERC will be handled in accordance with the NERC Rules of Procedure (RoP) section 1500 "Confidential Information" if that information is so designated by the NPP
NERC and regional staff that review information that is SGI will be Safeguards Authorized per 10 CFR §73.21 & §73.22
NERC will establish "Reviewing Officials" for SGI per the MOU

Slide 14

Collection of Information
NERC Authority to Collect Bright-Line Information
▪ Section 215 of the Federal Power Act (16 U.S.C. §824o): Established NERC as the ERO to enforce NERC Standards
▪ Title 18 C.F.R. §39.2(d) (FERC's Regulations): Each user, owner or operator of the bulk power system shall provide such information as is necessary to implement section 215 of the Federal Power Act to FERC/ERO/Region
▪ NERC Rules of Procedure 400, Section 10.1: Information Submittal – Each Regional Entity has the authority to collect the information necessary to determine compliance

Slide 15

North American Energy Reliability Corporation and Nuclear Regulatory Commission Memorandum of Understanding
Ralph Costello, Team Leader
Office of Nuclear Security and Incident Response, Nuclear Regulatory Commission

Slide 16

NRC - NERC MOU
Cooperation – NERC's disposition of exceptions (Bright-Line process)
e.g. Safety and Important to Safety systems, Security systems, and Emergency Preparedness systems
e.g. Systems, structures, and components subject to FERC requirements
FERC Order 706-B permits licensees to seek "exceptions" to compliance with NERC CIPs for digital systems subject to both FERC and NRC regulations

Slide 17

NRC - NERC MOU Cont.
Share information regarding digital assets governed by the other party's cyber security requirements
Coordinate to the maximum extent on the process for conducting audits

Slide 18

NRC - NERC MOU Cont.
Sharing of all information necessary to carry out the purpose of the MOU
Coordinate on all public announcements of enforcement actions relating to cyber security requirements, and coordinate the resolution of issues involving enforcement actions

Slide 19

NRC - NERC MOU Cont.
Memorandum of Understanding: rm/doc-collections/news/2010/10-005.html

Slide 20

Nuclear Power Plant "Bright-Line" Survey
Jim Hughes

Slide 21

Workshop Objectives
Terminal Objective: Identify the requirements to complete the NERC Bright-Line Survey
Enabling Objectives:
Identify where to find the Bright-Line documentation
Identify the critical attributes of the Bright-Line Survey

Slide 22

Bright-Line Documentation
Provided on the NERC Web site:
FERC Orders
NERC/NRC MOU
Presentation Materials
Bright-Line Survey

Slide 23

Bright-Line Survey Overview
Introduction & Scope
Due Date and Contact Information
Survey Items 1 and 2
Company Information and Approval
Generic SSC lists:
Attachment I (SSCs under NERC Jurisdiction)
Attachment II (SSCs Excluded from Attachment I)

Slide 24

Bright-Line Survey Item 1
Does Attachment I include all SSCs in your power plant that could affect reliable delivery of power to the Bulk Power System or manage critical energy infrastructure information?
Exclude those SSCs listed in Attachment II

Slide 25

Bright-Line Survey Item 2
If the answer to Survey Item 1 is "No", please update the list to add SSCs to, or remove SSCs from, Attachment I
All changes to Attachment I should be accompanied by the basis for those changes

Slide 26

Next Steps
Special Registration for NPPs
Surveys will be e-mailed to every CC/NPP prior to June 25, 2010
Surveys should be completed by NPPs and returned to NERC on or before July 23, 2010
NERC to review and approve, with NRC coordination, the completed Bright-Line surveys on or before October 15, 2010 ("S" Date)

Slide 27

Important Takeaways
Do not provide information such as IP addresses and asset/system vulnerabilities
Recommended that System Engineering complete Survey Items 1 & 2
Need accurate subject matter expert point of contact information
The Bright-Line Attachment I is finalized after NERC review (October 15, 2010)
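A pre-submission check for the first takeaway, added here as an illustration and not part of NERC's survey materials or the presentation: it scans survey entries (a constructed sample, with a placeholder CVE id) for IP addresses, CVE identifiers and vulnerability language before the completed survey is e-mailed, and offers a redaction helper that keeps the basis statement intact.

```python
import re

# Constructed sample survey entries (not real plant data). The second and
# third entries contain exactly the kind of detail the takeaways say to omit;
# "CVE-0000-0000" is a placeholder id, not a real vulnerability.
SAMPLE_SURVEY_ENTRIES = {
    "SSC-01": "Main generator excitation control; basis: affects BPS delivery.",
    "SSC-02": "Switchyard RTU at 10.20.30.40 (subnet 10.20.30.0/24), vendor HMI.",
    "SSC-03": "Condensate pump controller; known weakness CVE-0000-0000, unpatched firmware.",
}

# Patterns for the prohibited detail classes named on the slide.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
VULN_WORDS = re.compile(r"\b(vulnerab\w*|exploit\w*|unpatched|weakness)\b", re.IGNORECASE)


def find_prohibited_details(entries):
    """Return {ssc_id: [labels]} for every entry that carries an IP address,
    a CVE identifier, or vulnerability language; clean entries are omitted."""
    findings = {}
    for ssc_id, text in entries.items():
        labels = []
        if IPV4.search(text):
            labels.append("ip_address")
        if CVE_ID.search(text):
            labels.append("cve_id")
        if VULN_WORDS.search(text):
            labels.append("vulnerability_language")
        if labels:
            findings[ssc_id] = labels
    return findings


def redact(text):
    """Replace IP addresses and CVE ids with markers so the SSC description
    and its basis for inclusion survive while the prohibited detail does not."""
    text = IPV4.sub("[IP REDACTED]", text)
    return CVE_ID.sub("[CVE REDACTED]", text)


if __name__ == "__main__":
    for ssc_id, labels in find_prohibited_details(SAMPLE_SURVEY_ENTRIES).items():
        print(f"{ssc_id}: remove before submission -> {', '.join(labels)}")
        print("  redacted:", redact(SAMPLE_SURVEY_ENTRIES[ssc_id]))
```

Vulnerability language still needs a human edit after redaction; the scanner only flags it.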

Slide 28

NERC Contact Information
E-mail completed survey to
Phone: 609-203-2288
Secondary contact: Phone: 410-474-9240
Alternate contact: Phone: 609-524-7073
If mailing the completed survey:
North American Electric Reliability Corporation
c/o Jim Hughes
116-390 Village Boulevard
Princeton, New Jersey 08540-5721
