Federal Register - August 10, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
security requirements and must be protected against a cyber attack.
Section 73.54(b)(1) requires licensees to conduct an analysis of digital computer and communication systems and networks and identify those digital assets that must be protected against a cyber attack. This requirement reflects the NRC's recognition that licensees are well situated to determine the safety and security significance of digital systems and assets at their facilities. The NRC issued RG 5.71 to provide guidance to licensees in implementing the NRC's cyber security requirements. Section 3.1.3 of RG 5.71 recognizes that not all digital assets associated with SSEP functions may need to be protected. It sets forth a process for identifying those assets, referred to as CDAs in the regulatory guide, that must be protected against a cyber attack. CDAs are those digital assets that meet the criteria in § 73.54(a)(2) and, if compromised, could adversely impact SSEP functions.
The petitioner identifies examples of digital assets (specifically fax machines, hand-held calibration devices, radios and pagers, and certain calculators used by licensee staff) that it claims have no nexus to radiological sabotage. The NRC agrees that some digital assets associated with SSEP functions may not need to be protected from cyber attack. Consistent with § 73.54(b)(1), determining whether a specific digital asset, such as a fax machine, calibration device, radio, or the like, has a nexus to radiological sabotage requires a site-specific analysis to determine the safety and security significance of the specific asset. The purpose of the analysis is to determine if a specific digital asset must be protected consistent with the criteria in § 73.54(a)(2). That is why neither the NRC's cyber security rule nor RG 5.71 prescribes a list of specific digital assets that must be protected against a cyber attack.
As elaborated in the NRC Response to Assertion B, the NRC does not agree with the petitioner's assertion that only those digital assets that, if compromised, can directly result in radiological sabotage are subject to the NRC's cyber security requirements.
Digital assets, the compromise of which may not directly cause significant core damage or spent fuel sabotage, but that could serve as attack pathways that potentially increase the risk of a successful cyber attack if not protected, are within the scope of the NRC's cyber security requirements.
The NRC has been conducting cyber security inspections since 2013 and recently completed a major assessment of the NRC's cyber security requirements. One of the major lessons learned from these inspections and the assessment is that many licensees adopted a conservative approach to identifying digital assets at their facilities that could potentially impact SSEP functions. This resulted in a large number of digital assets being included within the scope of licensees' cyber security programs. As a result of the lessons learned from these inspections and the assessment, the NRC has been and is continuing to engage with stakeholders to revise existing guidance and refine the methodology for identifying CDAs that fall within the scope of the NRC's cyber security requirements. Based on these interactions, NEI revised NEI 13-10 to include a consequence-based, graded approach for identifying CDAs. The NEI 13-10 guidance enables industry to focus resources on the more significant digital assets. The NRC is continuing to work with stakeholders to identify additional revisions to the guidance for identifying those digital assets that must be protected from a cyber attack. For the reasons discussed in this section, the NRC does not agree with the petitioner's assertion that the language in § 73.54(a)(1) requires the protection of digital assets that do not have a nexus to radiological sabotage.
The NRC disagrees with the assertion that the cyber security rule requires the unnecessary expenditure of licensee resources to protect digital assets that have no nexus to radiological sabotage.
The NRC issued RG 5.71 in January 2010 to provide guidance to licensees in implementing the NRC's cyber security requirements. It establishes a process for identifying those digital assets, called CDAs, that must be protected against a cyber attack. Some stakeholders have taken a conservative approach to identifying CDAs. The NRC has determined that this is an implementation issue, not an issue with the cyber security rule language.
Accordingly, the NRC has been and is continuing to work with industry stakeholders to revise existing guidance and establish new guidance to refine the methodology for identifying CDAs. For these reasons, the NRC does not agree with the petitioner's assertion that the language in § 73.54(a)(1) requires the protection of digital assets that do not have a nexus to radiological sabotage and results in an unjustified burden and costs for licensees.
Assertion D in Section III of the PRM
The petitioner notes that on October 21, 2010, the Commission made a policy determination to apply the NRC's cyber security rule to SSCs in the balance of plant (BOP) at NRC-licensed nuclear power plants. The petitioner further notes that as a result of this policy determination, SSCs in the BOP were no longer subject to the Federal Energy Regulatory Commission's (FERC) Critical Infrastructure Protection reliability standards. The petitioner states that this policy determination expanded the scope of the cyber security program to include digital assets not strictly necessary to prevent radiological sabotage.
NRC Response to Assertion D:
The NRC agrees with the petitioner that on October 21, 2010, the Commission made a policy determination to apply the NRC's cyber security regulations to SSCs in a nuclear power plant's BOP that have a nexus to radiological health and safety. The petitioner asserts that this policy determination expanded the scope of § 73.54(a) to include digital assets not strictly necessary to be protected to prevent radiological sabotage.
As the petitioner notes, the Commission's October 2010 policy determination applied the NRC's cyber security regulations to BOP digital assets that by themselves, even if compromised, could not directly cause significant core damage or spent fuel sabotage. For the same reasons set forth in the NRC's response to the petitioner's Assertions B and C, the NRC does not agree with the petitioner's statement that this policy determination resulted in an expansion of the scope of either the 2006 proposed rule or the 2009 final rule.
From its inception, the 2006 proposed cyber security rule would have required licensees to protect those digital assets associated with SSEP that, if compromised, could either directly or indirectly cause radiological sabotage resulting in significant core damage or spent fuel sabotage. As the Commission stated in SRM-COMWCO-10-0001, it has determined as a matter of policy that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include SSCs in the BOP that have a nexus to radiological health and safety at NRC-licensed nuclear power plants.
In SECY-10-0153, "Cyber Security - Implementation of the Commission's Determination of Systems and Equipment within the Scope of Title 10 of the Code of Federal Regulations, Section 73.54," dated November 19, 2010, the staff informed the Commission that it considered SSCs in the BOP that have a nexus to radiological health and safety to be those that could, if compromised, directly or indirectly affect reactivity of a nuclear power plant, and are therefore within the scope