And I SME NERC NRC - Nuclear Regulatory Commission

Transcription

NRC & NERC Interactions
“Ask SME and Learn”
Mario R. Fernandez Jr., Security Specialist (Cyber)
Cyber Security Directorate
Office of Nuclear Security and Incident Response

Agenda
Background on NERC Cyber Security Critical Infrastructure Protection (CIP) Standards
Jurisdiction
Interactions between the NRC and the Federal Energy Regulatory Commission (FERC) North American Electric Reliability Corporation (NERC)

Background
FERC Order 706 (January 2008)
– Imposed 8 NERC CIP standards for cyber security for users, owners, and operators of the Bulk-Power System.
– Specifically exempted "facilities regulated by the NRC" from compliance

Background
FERC Order 706B (March 2009)
– Clarified that the balance of plant (BOP) systems and equipment within a power plant that are not within the scope of 10 CFR 73.54 are subject to compliance with the CIP standards approved in Order 706
– Allowed nuclear facilities to seek exceptions from NERC’s CIP standards on a case-by-case basis for those digital assets subject to the NRC's cyber security requirements.

NRC
OBJECTIVE: Prevent radiological sabotage
SCOPE: Digital systems associated with safety, security, or emergency preparedness functions

NERC
OBJECTIVE: Maximize electrical grid reliability
SCOPE: Digital systems associated with bulk power system reliability

FERC Order 706B permits licensees to seek “exceptions” to compliance with NERC CIPs for digital systems subject to both NERC and NRC regulations
Systems include e.g. Turbine Controls, Feedwater Controls

NRC, FERC, NERC Interactions
FERC Order 706B (March 2009)
– NERC created “Bright-Line” Process. To determine what SSCs were subject to NERC CIP standards and could potentially be subject to NRC Cyber security Regulations
MOA with FERC - signed in August, 2009, provided a basis for cooperation on the subsequent Bright Line process.
MOU with NERC signed in December, 2009. Similar to MOA with FERC, the MOU with NERC helped facilitate the Bright Line process.

NRC, FERC, NERC Interactions
FERC Order 706B (March 2009)
– Licensees indicated that if compromised the BOP Structures, systems, and components (SSCs) would affect reactivity and were important-to-safety.
– Licensees further stated that for this reason, all BOP SSCs fall within the scope of the NRC’s cyber security regulations.
– After careful review, both FERC and the NRC agreed that these assets were within the scope of 10 CFR 73.54.

Staff Requirements Memorandum (SRM) COMWCO-10-0001, “Regulation of Cyber Security at Nuclear Power Plants”
Clarifies NRC’s position on structures, systems, and components (SSCs) in the balance of plant (BOP) with respect to the NRC’s Cyber Rule
The NRC Commission determined that 10 CFR 73.54 should be interpreted to include SSCs in the BOP that have a nexus to radiological health and safety at NPPs

Summary
Background on FERC Cyber Regulation
Jurisdiction
Interactions between the NRC and the Federal Energy Regulatory Commission (FERC) North American Electric Reliability Corporation (NERC)
– Bright Line Process
– NRC Commission’s determination: SSC in the BOP are subject to NRC Regulations.

Questions
