Federal Register - August 10, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
sabotage. According to the petitioner, this creates an inconsistency between the NRC's cyber security requirements and the § 73.55 physical protection program. The petitioner, citing § 73.55(b)(3) and referencing the existing process used to identify target sets, asserts that the performance objectives of the § 73.55 physical protection program must protect against significant core damage and spent fuel sabotage. However, according to the petitioner, because the current language in § 73.54(a)(1) requires the protection of digital assets that cannot, even if compromised, result in significant core damage or spent fuel sabotage, it is inconsistent with the performance objectives of the § 73.55 physical protection program.
NRC Response to Assertion B:
The NRC disagrees with the petitioner's Assertion B. The petitioner asserts that the language in § 73.54(a)(1) is inconsistent with the cyber security rule's original intent of protecting against the Design Basis Threat (DBT) of radiological sabotage. The petitioner's assertion is predicated on the assumption that protecting against the DBT of radiological sabotage is limited to only protecting that equipment and those digital assets that can directly cause significant core damage or spent fuel sabotage.
The NRC agrees that, consistent with the regulatory language in § 73.54(b)(3) and § 73.55(b)(3), a licensee's cyber security program must protect against significant core damage and spent fuel sabotage. However, the NRC does not agree that protecting against the radiological sabotage DBT only involves protecting those digital assets that can directly cause significant core damage and spent fuel sabotage. Rather, protecting against radiological sabotage also involves protecting those digital assets that could either directly or indirectly cause significant core damage or spent fuel sabotage. Additionally, the NRC included EP systems in the cyber security rule because such systems are essential to mitigate the consequences of radiological sabotage. Accordingly, for the reasons described in this section, the NRC does not agree that the language in § 73.54(a)(1) is inconsistent with either the cyber security rule's original intent of protecting against the DBT of radiological sabotage or inconsistent with the performance objectives of § 73.55.
There is nothing in the language of either the 2006 proposed rule or the 2009 final rule that supports the petitioner's assertion. Section 73.54(a) of the 2009 final rule states the general performance objective that licensees must protect against the DBT as described in § 73.1. There is no language indicating that protecting against the DBT is limited to protecting only those digital assets that can directly cause significant core damage or spent fuel sabotage. Similarly, Regulatory Guide (RG) 5.71, "Cyber Security Program for Nuclear Facilities," and the other documents cited by the petitioner reiterate the general performance objective that licensees must protect against the DBT and prevent significant core damage or spent fuel damage.
The petitioner references the existing process used to identify target sets to support the assertion that the performance objectives of the § 73.55 physical protection program only require protection against significant core damage and spent fuel sabotage. As noted previously, the NRC agrees that a licensee's cyber security program must protect against significant core damage and spent fuel sabotage. The NRC further agrees that the process for developing and identifying target sets defines the set of equipment that must be protected from a physical attack to prevent significant core damage and spent fuel sabotage. The NRC notes that § 73.55(f)(2) requires that licensees consider cyber attacks in the development and identification of target sets. However, the purpose of the cyber security language in § 73.55(f)(2) is to identify a specific type of threat that target sets must be protected from. This language is not intended and should not be used to define the scope of the NRC's cyber security requirements.
As previously noted in the NRC's response to the petitioner's Assertion A, § 73.55(m)(1) of the 2006 proposed rule would have required licensees to have a cyber security program that would protect computer systems that, if compromised, would adversely impact SSEP. In the SOC to the 2006 proposed rule, the NRC explained that the cyber security requirements were designed to minimize potential attack pathways and the consequences of a successful cyber attack. These requirements are part of a defense-in-depth strategy to protect SSEP digital assets that, if compromised, could directly or indirectly result in radiological sabotage at an NRC-licensed nuclear power plant.
Additionally, the NRC included EP systems in the cyber security rule because such systems are essential to mitigate the consequences of radiological sabotage.
The NRC made a conscious and deliberate decision to include computer and network systems that could affect SSEP functions in the cyber security rule, even though not all of the equipment and digital assets requiring protection that are associated with those systems can directly cause significant core damage or spent fuel sabotage. The NRC further explained that as computer technology is increasingly integrated into nuclear power plants, many plant safety and security systems rely on this technology to carry out their functions.
The NRC intended that digital assets associated with such systems be protected to minimize potential attack pathways that could indirectly or directly result in radiological sabotage.
Accordingly, the NRC does not agree with the petitioner's assertion that the original intent of the cyber security requirements in the 2006 proposed rule was limited to protecting only those digital assets that could directly cause significant core damage or spent fuel sabotage. For these reasons, the NRC has determined that the language in § 73.54(a)(1) is consistent with the original intent of the 2006 proposed rule and is consistent with the performance objectives in § 73.55.
Assertion C in Section III of the PRM:
The petitioner asserts that the language in § 73.54(a)(1) unnecessarily requires licensees to focus on protecting hundreds to thousands of digital assets at their sites that are, in some way, associated with the SSEP functions identified in § 73.54(a)(1). The petitioner asserts that many of these digital assets have no nexus to radiological sabotage. As a result, the considerable time, resources, and costs needed to protect these assets are not justified. The petitioner further asserts that granting the petition will lead to a more efficient use of licensee resources without compromising plant safety or security.
NRC Response to Assertion C:
The NRC disagrees with the petitioner's assertion that the NRC's cyber security requirements in § 73.54(a)(1) require the protection of hundreds, and in some cases thousands, of digital assets that have no nexus to radiological sabotage. Section 73.54(a)(1) requires that licensees protect digital computer and communication systems and networks associated with SSEP functions from a cyber attack. The NRC recognizes that these systems may contain hundreds and possibly thousands of digital assets.
It is not the NRC's expectation that all digital assets associated with such functions will necessarily require protection in accordance with the NRC's cyber security requirements. Consistent with the requirements in § 73.54(a)(2), only those digital assets that could adversely impact SSEP functions are within the scope of the NRC's cyber