In January the Nuclear Regulatory Commission issued NRC 5.71 Cyber Security Program for Nuclear Facilities.

It is interesting that the NRC took a very NIST SP800 approach, specifically using the NIST document's high-impact baseline as a starting point. We did not do an exhaustive comparison, but the technical, operational and management requirements looked to be basically NIST plus some additional words and minor modifications. You can see the requirements in C.3.3 and Appendices B and C.

This NIST approach, rather than a NERC CIP approach, is a nod to the growing sentiment in Congress and elsewhere in the USG that if NIST SP800 is appropriate for USG networks, then critical infrastructure networks should not be protected any “less”. “Less” is in quotation marks because it presupposes that the NIST document leads to greater security.

NRC 5.71 definitely has a higher security effect in one area: it closes the routable network loophole in NERC CIP that has led to many utilities disconnecting systems to avoid calling them Critical Cyber Assets. The NRC equivalent to NERC’s Critical Assets / Critical Cyber Assets is Critical Systems / Critical Digital Assets. NRC 5.71 has some flowcharts to identify CS and CDA, but I’m not sure it is an improvement over the NERC CIP text that everyone is asking to have clarified in more prescriptive detail.

The key section is C: Regulatory Position, because it enumerates the specific elements a Cyber Security Plan should contain. See this small excerpt as an example:

• how the licensee has incorporated the cyber security program into the physical security program (10 CFR 73.54(b)(3))
• defense-in-depth protective strategies and how they are used to protect, detect, respond to, and recover from cyber attacks (10 CFR 73.54(c)(2))
• the elements of the cyber security program that are designed to mitigate the adverse effects of cyber attacks (10 CFR 73.54(c)(3))
• how the cyber security program is designed to ensure that the functions of protected assets identified by 10 CFR 73.54(b)(1) are not adversely impacted by cyber attacks (10 CFR 73.54(c)(4))
• how the cyber security awareness and training programs (10 CFR 73.54(d)(1)) provide the training necessary to perform assigned duties and responsibilities
• the process used by the licensee to evaluate and manage cyber security risks

They make it very easy, though, by including a Cyber Security Plan template in Appendix A. All an owner/operator would need to do is a global replace with their name and a check to see whether any modifications are required. The challenge will then be implementing this plan.

A final comment: legacy systems and the exception process appear to have less leeway than in NERC CIP. You still have to meet the requirements through compensating controls. Given the age of many of these nuclear-related control systems, this could be quite a challenge. Hats off to the drafting team, though, on a good effort and a necessary document.