Saturday, October 31, 2015

NRC Publishes Cybersecurity Event Reporting Final Rule

The Nuclear Regulatory Commission published a Final Rule in Monday’s Federal Register (80 FR 67264-67277; available on-line today) concerning Cyber Security Event Notifications. The rule codifies certain reporting activities associated with cybersecurity events contained in security advisories issued by the NRC.

The rule makes modifications to three sections of 10 USC Part 73 (§73.8, §73.22, and §73.54) and adds a new section (§73.77; Cyber Security Event Notifications). For readers of this blog, the items of specific interest will be found in the changes to §73.54 (Protection of digital computer and communication systems and networks) and the new §73.77.

Protecting Cyber Assets

Section 73.54 provides a great deal of detail about the requirements that a regulated facility needs to undertake to protect cyber systems associated with {§73.54(a)(1)}:

• Safety-related and important-to-safety functions;
• Security functions;
• Emergency preparedness functions, including offsite communications; and
• Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions

Paragraph (d) of the current §73.54 outlines the licensee actions that are required for the security program set forth in the section. They include:

• Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities.
• Evaluate and manage cyber risks.
• Ensure that modifications to assets, identified by paragraph (b)(1) of this section, are evaluated before implementation to ensure that the cyber security performance objectives identified in paragraph (a)(1) of this section are maintained.

The new final rule adds a fourth required action: “Conduct cyber security event notifications in accordance with the provisions of §73.77.”

Event Notification

The NRC safety regulations contain a whole host of requirements for notification activities that must be undertaken by licensees (see §73.71 for example). The new §73.77 adds a new set of notification requirements and classifies them generally by how soon notification is required after the event is detected. The four operational time limits are:

• One hour;
• Four hour;
• Eight hour; and
• 24 hour

The one hour time limit is reserved for cyber attacks “that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions within the scope of § 73.54” {new §73.77(a)(1)}. In other words, there was an actual impact on safety, security or emergency preparedness.

There are three categories of events under the four hour reporting standard. The first is an attack that could have resulted in a situation that would have required a one-hour report if it had been successful. The second is the discovery of a “suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of §73.54” {§73.77(a)(2)(ii)}; essentially a breach of the cyber perimeter. The third is a generic catch-all that requires a report of any cyber-related situation that resulted in a notification of law enforcement.

The eight hour category is the last one that requires actual telephonic communications with the NRC. It is reserved for information “regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks within the scope of §73.54” {§73.77(a)(3)}.

The ’24 hour’ category that I’ve listed here is not actually a requirement to ‘communicate’ with the NRC in any direct way. It is a requirement to record the event in the “corrective action program (CAP)”. This is an NRC inspectable document maintained under §73.55(b)(10) that the facility uses to “track, trend, correct and prevent recurrence of failures and deficiencies in the physical protection program”. Under the new §73.77(b) the facility will now also record “vulnerabilities, weaknesses, failures, and deficiencies in their § 73.54 cyber security program” as well as documenting any of the notifications made under the provisions outlined above.

The remainder of the new §73.77 outlines how the facility is to report the incidents described above to the NRC and how a follow-up written report will be prepared and submitted.

Effective Date

This rule becomes effective on December 2nd, 2015. The NRC will begin enforcement of the rule on May 2nd, 2016.


Few readers (I know there are some, bear with me) of this blog are intimately involved in the operation of nuclear power plants or maintenance of the security apparat that protects them. I am certainly not planning on becoming a subject matter expert on the topic. This rulemaking is important, however, because it outlines a cybersecurity event notification process that can serve as a model in developing a regulatory scheme for control systems in other critical infrastructure sectors.

Before we go any further, let me remind folks that the NRC already has a regulatory process that is set up to take security reports from the regulated community, digest those reports and communicate the essential information to other facilities in that regulated community so that they can modify their on-going processes at a higher level of safety and security. Lacking that sort of information digestion and communication, there is absolutely no reason to require timely reporting of cybersecurity incidents, or any sort of security incidents for that matter.

The important thing for other regulators to take from this rulemaking is the way that the NRC prioritized reporting requirements; events that had cyber physical impacts, events that could have had cyber physical impacts, and events that demonstrate penetration of the cyber perimeter. This categorization should be able to withstand numerous changes in technology and be adaptable to any industry that has the potential for cyber physical impacts outside of the facility boundary.

The other important takeaway from this rulemaking is that the NRC had already established a workable definition of the critical control systems at their regulated facilities: safety functions, security functions, emergency response functions and systems that directly support those functions. Again, those functions could be easily translated into any regulated industry that has the potential for cyber physical impacts outside of the company fence line. With minor adaptations they could even be modified to apply to mobile control systems (auto, planes and ships) and even medical devices.

There is much that is still missing from this rulemaking, which is arguably part of the most proactive security program functioning in this country outside of the military. The NRC rules are still missing a cyber forensics component, for example. But the NRC is actually trying to codify a proactive cyber incident reporting program and that is a very important part of any cybersecurity program, a part that should be looked at very carefully by other critical infrastructure regulatory agencies.
