Federal Register - August 10, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Proposed Rules
with determining if certain equipment should be protected by the cyber security rule, the NRC has found the guidance in NEI 13-10 and NEI 10-04 to be acceptable for use in identifying systems and assets subject to the cyber security rule. NEI 10-04 provides industry with a risk-informed methodology for determining which digital assets should be considered CDAs. NEI 13-10 provides guidance for developing a consequence-based, graded approach to comply with the regulations in § 73.54. This approach provides for the application of certain minimum cyber security controls to specifically identified CDAs, and a method to assess alternate means for protecting certain classes of equipment from cyber attack.
Furthermore, the NRC has reviewed NEI proposals for risk-informing the identification of CDAs for EP, BOP, important-to-safety and safety-related digital assets. NEI has stated its intent to incorporate these revisions into its guidance documents and to submit them to the NRC for endorsement.
Comment Category 11: Suggested alternatives to granting the petition.
Several comment submissions suggest the NRC should reassess the adequacy of the cyber security rule and should work with external stakeholders to consider other approaches such as a risk-informed, graded approach, or international ISA99 industrial standards. Several comment submissions provide specific examples of alternate approaches to the cyber security rule. One commenter also asserts that concepts such as redundancy, diversity, and common-cause failures should be reexamined in the context of cyber security.
NRC Response to Category 11 Comments:
In 2019, the NRC performed an assessment of the Power Reactor Cyber Security Program. The program assessment identified opportunities to further risk-inform the cyber security guidance in lieu of pursuing changes to the cyber security rule. For example, the NRC has reviewed NEI proposals for risk-informing the identification of CDAs for EP, BOP, important-to-safety and safety-related digital assets. NEI has stated its intent to incorporate these revisions into its guidance documents and to submit them to the NRC for endorsement.
Comment Category 12: NRC should impose additional requirements for cyber security.
One commenter asserts that unintentional or non-malicious cyber incidents are not adequately addressed in NRC guidance documents, and that the NRC should have a requirement to include unintentional cyber incidents.
Also, the commenter asserts that engineers and technicians that are experts in instrumentation and control (I&C), electrical engineering, and plant maintenance should be part of the cyber security team, and that the NRC should consider the use of digital I&C and electrical systems for nuclear plant safety applications. The commenter asserts that the training for engineers to be able to identify potential cyber incidents is minimal, and that the current NRC requirements for cyber security are not conservative when compared to safety requirements.
NRC Response to Category 12 Comments:
The NRC notes that the NRC's cyber security requirements do not distinguish between intentional and unintentional cyber attacks. Licensees are required to protect against any cyber attack that could adversely impact critical digital assets associated with SSEP functions. The NRC's existing cyber security regulations in § 73.54 provide high assurance that digital computer and communication systems and networks associated with SSEP functions are protected against a cyber attack. The NRC's cyber security framework also requires that the licensee's cyber security staff have the appropriate training.
Comment Category 13: Examples of cyber security incidents that illustrate need for more requirements.
One commenter who opposes the PRM asserts that the current NRC cyber security requirements need to be strengthened, and that granting the PRM would lessen protection against cyber attacks. The commenter provides examples of cyber security incidents supporting his concern, and further asserts that: (1) The NRC cyber security review of the Oconee I&C upgrade was not adequate, and the NRC should accordingly reassess the adequacy of the cyber security rule because control systems are not adequately protected by the current scope of § 73.54; (2) a comprehensive review is needed to understand the potential system interactions of the different devices in a reactor facility's safety and non-safety systems, and these system vulnerabilities should be covered by § 73.54; (3) air-gapped security measures are not necessarily adequate since it is possible that a well-meaning insider could unintentionally connect infected portable media to a plant system or component, and the commenter provides examples of how a reactor facility could be compromised using an unintentional insider as a vector for a cyber attack; (4) integrity checking does not offer protection against malicious manipulations until complemented with
authenticity checking; and (5) malware has been shown to affect certain cyber vulnerable systems such as human machine interfaces that are used in reactor facilities.
NRC Response to Category 13 Comments:
The NRC agrees that granting the PRM could lessen protection against cyber attacks. For the reasons set forth in the Reasons for Denial section of this document, the NRC has decided to deny the PRM. The commenter is requesting that the NRC take action to strengthen its cyber security requirements to increase protection of digital computer and communication systems and networks at nuclear power plants. The NRC has determined that the current cyber security requirements are robust and provide reasonable assurance that critical digital assets are adequately protected to prevent a cyber attack.
Comment Category 14: Specific Disagreement with petitioner's changes.
Two comment submissions that oppose the PRM assert that the petitioner's proposed changes do not adequately protect safety and security of nuclear power plants, and that the petitioner's proposed changes are not conservative. The comment submissions assert that cyber threats to safety-related and important-to-safety functions can cause, or contribute to, core melt scenarios. The comment submissions also assert that a reduction in cyber security requirements for EP systems is unacceptable because it would not then be possible to meet existing regulations concerning notification of emergency responders if these systems were compromised.
One commenter further asserts that limiting the § 73.54 cybersecurity requirements to the prevention of significant core damage and spent fuel sabotage would not provide effective protection for other safety-critical systems. This commenter also asserts that only the strongest, layered defenses are likely to discourage reconnaissance and attack vector development, and that granting the PRM would (1) eviscerate the NRC's strong cybersecurity regulations and technical guidance; and (2) exacerbate dependence of nuclear facilities on offsite AC power, therefore producing greater exposure to long-term loss of offsite power risks.
NRC Response to Category 14 Comments:
The NRC generally agrees with these comments. Cyber attacks on safety-related and important-to-safety functions may cause, or contribute to, radiological sabotage (e.g., core melt scenarios). If the provisions in § 73.54(a)(1)(iii) requiring the protection of digital computer and