Challenges During the Implementation of Cyber Security at Nuclear Power Plants
Main Article Content
Abstract
Requirements for the protection of digital computer and communications systems and networks for U.S. Nuclear Power Plants (NPPs) are documented in 10 CFR 73.54. Guidance to meet the requirements is provided by the Nuclear Energy Institute (NEI) NEI 08-09 Rev. 6 "Cyber Security Plan for Nuclear Power Reactors" and by the Nuclear Regulatory Commission (NRC) in RG 5.71 "Cyber Security Programs for Nuclear Facilities". There are many challenges that need consideration during the application of these requirements at several U.S. plants.
- Integration of Requirements into the Design Process: As new designs add components to the scope of a NPP’s Cyber Security Program, integration of the Cyber Security Assessment process into the plant design process is critical to ensure that new components are configured in compliance with the regulatory requirements before installation.
- Identification and Classification of Existing Critical Digital Assets: It is critical to identify and classify the entire scope of Critical Digital Assets (CDAs) ahead of the Cyber Security assessment phase. NEI 10-04 Rev. 2 provides related guidance. CDAs not identified timely can be difficult to identify later, and may lead to gaps in the assessment and remediation phases.
- Program Development: Development and modification of processes affected by the Cyber Security Program should be high priority as the Cyber Security Program is implemented. Programs including configuration management, vulnerability management, and training impact each other and should be considered carefully.
- Lifecycle Management for Digital Equipment: The digital equipment lifecycle is much shorter and more difficult to manage than analog and mechanical equipment. Sufficient digital equipment spares should be acquired anticipating the manufacturer will end production prior to future modifications.
Article Details
Section
Articles