The Nuclear Regulatory Commission published in Final Rule in
Monday’s Federal Register (80 FR 67264-67277; available on-line today)
concerning Cyber Security Event Notifications. The rule codifies certain reporting
activities associated with cybersecurity events contained in security
advisories issued by the NRC.
The rule makes modifications to three sections of 10
USC Part 73 (§73.8,
§73.22,
and §73.54)
and adds a new section (§73.77;
Cyber Security Event Notifications). For readers of this blog, the items of
specific interest will be found in the changes to §73.54 (Protection of digital computer and communication
systems and networks) and the new §73.77.
Protecting Cyber
Assets
Section 73.54 provides a great deal of detail about the
requirements that a regulated facility needs to undertake to protect cyber systems
associated with {§73.54(a)(1)}:
• Safety-related and important-to safety
functions;
• Security functions;
• Emergency preparedness functions,
including offsite communications; and
• Support systems and equipment which, if
compromised, would adversely impact safety, security, or emergency preparedness
functions
Paragraph (d) of the current §73.54 outlines the licensee actions that are
required for the security program set forth in the section. They include:
• Ensure that appropriate facility personnel,
including contractors, are aware of cyber security requirements and receive the
training necessary to perform their assigned duties and responsibilities.
• Evaluate and manage cyber risks.
• Ensure that modifications to
assets, identified by paragraph (b)(1) of this section, are evaluated before
implementation to ensure that the cyber security performance objectives
identified in paragraph (a)(1) of this section are maintained.
The new final rule adds a fourth required action: “Conduct
cyber security event notifications in accordance with the provisions of §73.77.”
Event Notification
The NRC safety regulations contain a whole host of
requirements for notification activities that must be under taken by licensees
(see §73.71
for example). The new §73.77
adds a new set of notification requirements and classifies them generally by
how soon notification is required after the event is detected. There are four
operational time limit are:
• One hour;
• Four hour;
• Eight hour; and
• 24 hour
The one hour time limit
is reserved for cyber attacks that: “that adversely impacted safety-related or
important-to-safety functions, security functions, or emergency preparedness
functions (including offsite communications); or that compromised support
systems and equipment resulting in adverse impacts to safety, security, or
emergency preparedness functions within the scope of § 73.54” {new §73.77(a)(1)}. In
other words there was an actual impact on safety, security or emergency
preparedness.
There are three categories of events under the four hour reporting
standard. First is an attack that could have resulted
in a situation that would have required a one-hour report if it had been
successful. The second is the discovery of a “suspected or actual cyber attack
initiated by personnel with physical or electronic access to digital computer
and communication systems and networks within the scope of §73.54” {§73.77(a)(2)(ii)};
essentially a breach of the cyber perimeter. The third is a generic catch all
that requires a report of any cyber related situation that resulted in a
notification of law enforcement.
The eight hour category
is the last one that requires actual telephonic communications with the NRC. It
is reserved for information “regarding observed behavior, activities, or
statements that may indicate intelligence gathering or pre-operational planning
related to a cyber attack against digital computer and communication systems
and networks within the scope of §73.54” {§73.77(a)(3)}.
The ’24 hour’ category that I’ve listed here is not actually
a requirement to ‘communicate’ with the NRC in any direct way. It is a
requirement to record the event in the “corrective action program (CAP)”. This is
an NRC inspect able document maintained under §73.55(b)(10)
that the facility uses to “track, trend, correct and prevent recurrence of
failures and deficiencies in the physical protection program”. Under the new §73.77(b) the
facility will now also
record “vulnerabilities, weaknesses, failures, and deficiencies in their §
73.54 cyber security program” as well as documenting any of the notifications
made under the provisions outlined above.
The remainder of the new §73.77 outlines how the facility is to report the
incidents described above to the NRC and how a follow-up written report will be
prepared and submitted.
Effective Date
This rule becomes effective on December 2nd,
2015. The NRC will begin enforcement of the rule on May 2nd, 2016.
Commentary
Few readers (I know there are some, bear with me) of this
blog are intimately involved in the operation of nuclear power plants or
maintenance of the security apparat that protects them. I am certainly not
planning on becoming a subject matter expert on the topic. This rulemaking is
important, however, because it outlines a cybersecurity event notification
process that can serve as a model in developing a regulatory scheme for control
systems in other critical infrastructure sectors.
Before we go any further, let me remind folks that the NRC
already has a regulatory process that is set up to take security reports from
the regulated community, digest those reports and communicate the essential
information to other facilities in that regulated community so that they can
modify their on-going processes at a higher level of safety and security.
Lacking that sort of information digestion and communication, there is
absolutely no reason to require timely reporting of cybersecurity incidents, or
any sort of security incidents for that matter.
The important thing for other regulators to take from this
rulemaking is the way that the NRC prioritized reporting requirements; events
that had cyber physical impacts, events that could have had cyber physical
impacts, and events that demonstrate penetration of the cyber perimeter. This
categorization should be able to withstand numerous changes in technology and
be adaptable to any industry that has the potential for cyber physical impacts
outside of the facility boundary.
The other important take away from this rulemaking is that
the NRC had already established a workable definition of the critical control
systems at their regulated facilities; safety functions, security functions,
emergency response functions and systems that directly support those functions.
Again, those functions could be easily translated into any regulated industry
that has the potential for cyber physical impacts outside of the company fence line.
With minor adaptations they could even be modified to apply to mobile control
systems (auto, planes and ships) and even medical devices.
There is much that is still missing from this rulemaking,
which is arguably part of the most proactive security program functioning in
this country outside of the military. The NRC rules are still missing a cyber
forensics component, for example. But the NRC is actually trying to codify a
proactive cyber incident reporting program and that is a very important part of
any cybersecurity program, a part that should be looked at very carefully by
other critical infrastructure regulatory agencies.