Cyber Security - Compliance to the New CSA 290.7 Standard

Since 2008, the Canadian Nuclear Safety Commission (CNSC), similar to regulators of other critical industries, has requested their licensees to implement cyber security programs and conduct self-assessments without the benefit of an industry specific cyber security standard that provides common metrics for coverage and effectiveness of their programs. However, for the nuclear industry, a new CSA standard 290.7 entitled "Cyber security for nuclear power plants and small reactor facilities", released in December 2014, will have the CNSC looking to facility operators to be compliant to the new standard. This paper will discuss initiatives at Canadian Nuclear Laboratories to develop of a suite of tools, techniques, and best practices that can be used by the regulator and industry for assessing compliance and effectiveness of cyber security technology and implementations.