Cyber Security in Digital Instrumentation and Controls
Cyber security is the protection of digital assets including digital instrumentation and control systems or equipment. Cyber security at nuclear power plants promotes performance-based programmatic approaches supported by defense-in-depth strategies, including efforts to detect, prevent, delay, mitigate, and recover from cyber attacks.
In 2009, the NRC published the cyber security rule, 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks." The cyber security rule is a performance-based programmatic requirement that ensures that the functions of digital computers, communication systems, and networks associated with safety, important-to-safety, security, and emergency preparedness are protected from cyber attacks.
10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks
NRC’s Office of Nuclear Security and Incident Response (NSIR) and the Regional Offices are responsible for evaluating licensees’ adherence to the provisions of 10 CFR 73.54. This regulation requires, in part, that U.S. Nuclear Regulatory Commission (NRC) licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design-basis threat (DBT), as described in 10 CFR 73.1, "Purpose and Scope."
In particular, 10 CFR 73.54(a)(1) requires licensees to protect digital computer and communications systems and networks associated with the following categories of functions from those cyber attacks identified in 10 CFR 73.54(a)(2):
- Safety-related and important-to-safety functions
- Security functions
- Emergency preparedness functions, including offsite communications, and
- Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
10 CFR 73.54(a)(2) requires the licensee to protect such systems and networks from those cyber attacks that would act to modify, destroy, or compromise the integrity or confidentiality of data or software; deny access to systems, services, or data; and impact the operation of systems, networks, and equipment.
Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities
The NRC issues regulatory guides to describe and make available to the public methods that the NRC staff considers acceptable for use in implementing specific parts of the agency’s regulations, techniques that the staff uses in evaluating specific problems or postulated accidents, and data that the staff needs in reviewing applications for permits and licenses. Regulatory guides are not substitutes for regulations, and compliance with them is not required. Methods and solutions that differ from those set forth in regulatory guides will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the Commission. Regulatory guides are issued after consideration of comments received from the public.
Regulatory Guide 5.71 provides guidance to applicants and licensees on satisfying the requirements of 10 CFR 73.54. The information contained within this guide represents the results of research conducted by the NRC Office of Nuclear Regulatory Research concerning cyber security program development and the collective body of knowledge and experience that has been developed through prior NRC cyber related activities. In addition, this guide embodies the findings by standards organizations and agencies, such as the International Society of Automation, IEEE, and NIST, as well as guidance from the U.S. Department of Homeland Security.
This regulatory guide applies to operating reactors licensed in accordance with 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities” (Ref. 2), and 10 CFR Part 52, “Licenses, Certifications, and Approvals for Nuclear Power Plants” (Ref. 3). Licensees and applicants should consider this guidance in preparing an application for a combined operating license under 10 CFR Part 52.
Regulatory Guide 1.152, Rev. 3, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
In addition to endorsing provisions of IEEE Standard 7-4.3.2-2003 as being applicable to compliance with cited regulations, Regulatory Guide 1.152, Revision 3 contains regulatory criteria on the establishment of a Secure Development and Operational Environment for digital safety systems. The establishment of a Secure Development and Operational Environment (SDOE) refers to: (1) appropriate physical, logical and programmatic controls during the safety system development phases (i.e., concepts, requirements, design, implementation, testing) to detect and prevent the inclusion of unwanted, unneeded and undocumented functionality and (2) appropriate physical, logical and administrative controls within a facility to ensure that the integrity, reliability, and functionality of digital safety systems are not degraded by undesirable behavior of connected systems or events initiated by inadvertent access to the system. These SDOE actions may include adoption of protective design features into the digital safety system design to preclude non-malicious inadvertent access to the system and/or protection against undesirable behavior from connected systems when operational. Note that while these SDOE features may also serve a cyber security function, cyber security is evaluated under the provisions of 10 CFR 73.54.
Cooperative Agreements and Research
The NRC engages with other Federal agencies, including the U.S. Department of Homeland Security, the Federal Energy Regulatory Commission, and the North American Electric Reliability Corporation (NERC) on cyber security efforts. In 2010, the NRC signed a Memorandum of Understanding with NERC to clarify the regulatory roles and responsibilities of each organization, including inspection protocols and enforcement actions.