The U.S. Nuclear Regulatory Commission has updated a 13-year-old guide to protect nuclear plants from cyber attacks, requiring plans that detail operations and protections against vulnerabilities.
Notice about the updated guide, known as Revision 1, was published in the Feb. 13 Federal Register.
The Regulatory Guide posted on the NRC’s website describes “design-basis threats” to be used to build safeguard systems to protect against acts of radiological sabotage and prevent the theft of radiological material.
Revision 1, according to the Federal Register notice, incorporates references to industry guidance on identifying and protecting critical digital assets. It also clarifies guidance on defense-in-depth, or comprehensive protections, for cybersecurity. And it includes updated text based on the latest security guidance from the National Institute of Standards and Technology and International Atomic Energy Agency.
The NRC in 2010 issued cybersecurity regulations that cover structures, systems and components important to radiological health and safety at NRC-licensed nuclear power plants. Digital assets at nuclear power plants that had been covered by cybersecurity regulations of the Federal Energy Regulatory Commission were transferred to the jurisdiction of the NRC.
Nuclear plants have since updated cybersecurity plans to incorporate balance of plant systems, which are the supporting components and auxiliary systems, apart from the generating unit, that help deliver energy.
In 2015, the NRC published guidance on cybersecurity event notifications. It set requirements clarifying the types of cyberattacks that require NRC notification, the timeliness of notifications, and other details.
The 160-page revised guidance clarifies issues identified in cybersecurity inspections, as well as technologies and information drawn from a security frequently asked questions process and from international and domestic cyberattacks.
The guidance requires nuclear plants to describe in cybersecurity plans how they have “achieved high assurance” that digital systems are protected from cyberattacks. A plan must demonstrate a safety-related and emergency-preparedness function, including offsite communications.
Plant operators must show how cybersecurity plans protect the integrity and confidentiality of data and software, the physical security program and protective strategies, and how they would protect against, detect, respond to and recover from cyberattacks.
Cybersecurity plans must provide details of a nuclear plant’s defenses against cyberattacks: how a plant’s cybersecurity program works; how a cybersecurity program is incorporated into its physical security program; how a cybersecurity awareness and training program provides training; and how a nuclear plant evaluates and manages cybersecurity risks.
The NRC says a nuclear plant licensee can establish cybersecurity training by defining and documenting roles, responsibilities and authorities and making sure they are understood.
The regulations describe who is responsible for oversight and communications in administering the cybersecurity plan.