United States Nuclear Regulatory Commission - Protecting People and the Environment

Cyber Security in Digital Instrumentation and Controls

On this page

To top of page

Background

The purpose of cyber security is to detect and then eliminate or mitigate vulnerabilities in the digital system that could be exploited either from outside or inside of the digital system protected area. The process of defending against this class of failures is made more challenging by the rapidly evolving "industry" that continues developing new attack methods. Various individuals and undocumented organizations develop viruses, worms, and associated computer programs. Others concentrate on developing methods for gaining access to protected data and systems with the intent to disrupt system operations or illegally obtain information from the systems.

To top of page

10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks"

NRC’s Office of Nuclear Security and Incident Response (NSIR) and the Regional Offices are responsible for evaluating licensees’ adherence to the provisions of 10 CFR 73.54. This regulation requires, in part, that U.S. Nuclear Regulatory Commission (NRC) licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design-basis threat (DBT), as described in 10 CFR 73.1, "Purpose and Scope."

In particular, 10 CFR 73.54(a)(1) requires licensees to protect digital computer and communications systems and networks associated with the following categories of functions, from those cyber attacks identified in 10 CFR 73.54(a)(2):

  • safety-related and important-to-safety functions
  • security functions
  • emergency preparedness functions, including offsite communications, and
  • support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

10 CFR 73.54(a)(2) requires the licensee to protect such systems and networks from those cyber attacks that would act to modify, destroy, or compromise the integrity or confidentiality of data or software; deny access to systems, services, or data; and impact the operation of systems, networks, and equipment.

To top of page

Regulatory Guide 5.71, "Cyber Security Programs for Nuclear Facilities"

Regulatory Guide 5.71 provides guidance to applicants and licensees on satisfying the requirements of 10 CFR 73.54. The information contained within this guide represents the results of research conducted by the NRC Office of Nuclear Regulatory Research (RES) concerning cyber security program development and the collective body of knowledge and experience that has been developed through prior NRC cyber related activities.  In addition, this guide embodies the findings by standards organizations and agencies, such as the International Society of Automation, IEEE, and NIST, as well as guidance from the U.S. Department of Homeland Security (DHS).

This regulatory guide applies to operating reactors licensed in accordance with 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities” (Ref. 2), and 10 CFR Part 52, “Licenses, Certifications, and Approvals for Nuclear Power Plants” (Ref. 3). Licensees and applicants should consider this guidance in preparing an application for a combined operating license under 10 CFR Part 52.

To top of page

Regulatory Guide 1.152, Rev. 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants"

In addition to endorsing provisions of IEEE Standard 7-4.3.2-2003 as being applicable to compliance with cited regulations, Regulatory Guide 1.152, Revision 3 contains regulatory criteria on the establishment of a Secure Development and Operational Environment for digital safety systems.  The establishment of a Secure Development and Operational Environment (SDOE) refers to: (1) measures and controls taken to establish a secure environment for development of the digital safety system against undocumented, unneeded and unwanted modifications and (2) protective actions taken against a predictable set of undesirable acts (e.g., inadvertent operator actions or the undesirable behavior of connected systems) that could challenge the integrity, reliability, or functionality of a digital safety system during operations. These SDOE actions may include adoption of protective design features into the digital safety system design to preclude inadvertent access to the system and/or protection against undesirable behavior from connected systems when operational.  Note that while these SDOE features may also serve a cyber security function, cyber security is evaluated under the provisions of 10 CFR 73.54.

To top of page

Cooperative Agreements and Research

The NRC is engaging other Federal agencies, most notably the U.S. Department of Homeland Security and the Federal Energy Regulatory Commission, as well as the North American Electric Reliability Corporation in an effort to leverage related cyber security work that these agencies have completed or are conducting.

To top of page

Page Last Reviewed/Updated Tuesday, July 16, 2013