Federal Register - August 10, 2021
Source: Federal Register
43608
Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
communication systems and networks associated with EP functions, including offsite communications, were removed as the PRM requests, this would likely hamper a reactor licensee's ability to notify emergency responders in the event that offsite communication systems were compromised in a cyber attack.
The NRC assumes that the commenter's reference to "layered defenses" refers to the concept of defense-in-depth. As discussed in the response to the Category 5 Comments, the existing regulations in § 73.54 reflect a defense-in-depth approach, and the NRC agrees that granting the PRM would not be consistent with maintaining defense-in-depth.
Comment Category 15: RG 5.71 and NEI 08-09 should be reassessed.
Two comment submissions opposing the petition assert that the current regulatory guidance is insufficient. The commenters assert that neither RG 5.71 nor NEI 08-09 addresses cyber threats and vulnerabilities that have been demonstrated to be exploitable, and that the scope of RG 5.71 should be reassessed. One commenter also states that the scope of RG 5.71 should be reassessed to better address control system-specific cyber security issues.
The commenters also provide various examples of concerns regarding the current regulatory guidance and specific suggestions for improving this guidance.
The commenters assert that the current interpretation of the cyber security rule is increasing plant risk by reducing operational stability. The commenters further assert that configuration changes prescribed by NEI 08-09 and RG 5.71 contribute to uncertainty in the reliability of CDAs. The commenters assert that RG 5.71 should be updated to include consideration of plant risk.
One commenter asserts that the existing guidance is too focused on information technology and ignores the merits of current protective approaches that are based on traditional I&C Engineering and other license requirements.
NRC Response to Category 15 Comments: These comments are beyond the scope of the PRM. The petition does not raise the guidance issues identified in the comment submissions. The NRC performs periodic reviews of its guidance documents to determine if they need revision. The results of the most recent periodic review of RG 5.71 can be found under ADAMS Accession No. ML15099A158. The NRC disagrees that the current interpretation of the cyber security rule is increasing plant risk by reducing operational stability. The comment submissions did not provide support for this assertion, and the NRC is not aware of any such reduction in operational stability.
Comment Category 16: Existing plant processes are sufficient to protect most digital equipment.
Two comment submissions that support the PRM assert that while there are thousands of digital assets that are important to the efficient operation of reactor facilities, such assets would be adequately protected by the existing plant controls such as physical protection, network isolation, configuration management, maintenance and testing. One of the comment submissions adds that EP functionality assets, such as communication systems, are typically protected using redundancy and diversity.
NRC Response to Category 16 Comments: The NRC recognizes that there may be large numbers of digital assets that are important to the efficient operation at a nuclear power plant. These assets may well be protected by existing plant controls. The NRC cyber security requirements do not require the protection of such assets if they cannot adversely impact SSEP functions even if they are compromised. The NRC has determined that CDAs that can adversely impact SSEP functions must be protected from a cyber attack. If a licensee's site-specific analysis can demonstrate that existing plant controls at a given nuclear power plant can protect these CDAs from a cyber attack, then the licensee does not need to apply additional security controls to meet the requirements of the NRC's cyber security rule. If existing plant controls cannot provide such protection, then additional cyber security controls for CDAs would be required.
Comment Category 17: Cyber Security Language was not offered for public comment.
One commenter reiterates the petitioner's assertion that the 2006 proposed rule's scoping language (71 FR 62664; October 26, 2006) was removed and replaced with new text in the 2009 final rule (74 FR 13926; March 27, 2009), asserting that the practical effect of the new scoping language was likely not clear when the final rule was issued.
NRC Response to Category 17 Comments: For the reasons stated in the "Reasons for Denial" section of this document, the NRC does not agree with this comment. The clarifying changes made to the scoping language in the 2009 final rule are consistent with and a logical outgrowth of the proposed rule, and the reasons for making these changes were adequately explained in the 2009 SOC.
Comment Category 18: NRC cyber security requirements should be expanded.
One commenter suggested that in order to cover all digital assets involved in the management of power-block industrial energy, the scope of § 73.54 should be expanded.
NRC Response to Category 18 Comments: The NRC assumes that in referencing "all digital assets involved in the management of power-block industrial energy" the commenter is referring to digital assets or digital components used to support a reactor facility's on-site power systems. Safety-related digital assets or safety-related digital components interfacing with the facility's on-site power systems are addressed in the safety requirements of 10 CFR part 50, specifically in appendix A to 10 CFR part 50, general design criterion 17. The commenter does not provide a basis for expanding the scope of § 73.54 to include matters relating to general design criterion 17.
V. Availability of Documents
The documents identified in the following table are available to interested persons through one or more of the following methods, as indicated.
Document | Date | ADAMS Accession No. or Federal Register citation or website
PRM-73-18: Petition to Amend 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks," submitted by Nuclear Energy Institute (NEI). | June 12, 2014 | ML14184B120
Protection of Digital Computer and Communication Systems and Networks; Notice of Docketing and Request for Comment. | September 22, 2014 | 79 FR 56525