Effective Practices for Computer Security Regulations in Nuclear Industry

Explore guidelines for developing computer security regulations in the nuclear industry, addressing the unique challenges and considerations involved. Learn about regulatory approaches, phased implementation strategies, and stakeholder engagement for creating a robust security framework.



  1. Good Practices for Creation of a Computer Security Regulation for the Nuclear Industry
     Greg White, Seth Bromberger
     10-14 February 2019
     LLNL-PRES-795684

  2. Why did we write this?
     • The nuclear and radiological communities are facing increased pressure to create and adopt computer security regulations
     • This requires the involvement of computer security personnel
     • This might be their first time helping write a regulation
     • Regulation writing experts aren't typically computer security experts

  3. When writing a new computer security regulation for the nuclear industry
     • Understand what regulations and laws are already enacted in your country
       • Computer security
       • Computer crime
       • Protection of critical infrastructure
       • Nuclear security
     • Understand your country's processes and standards for regulations development
     • Start by referencing someone else's computer security regulation
       • Save effort
       • Better coverage of topics
       • Learn from others
       • Good list at the end of this presentation
       • But please don't just copy and rename it
     • Understand your own environment, challenges, resources and program maturity

  4. Process
     • Consider a phased approach
       • Start simple (with the initial requirements that prompted the push for regulation)
       • Revise and strengthen every 1-2 years
     • Bring together a diverse team of experts, representing all stakeholders
     • Get concurrence of stakeholders
       • Regulator or Competent Authority
       • Sites
       • Other interested parties
     • Beta test, pilot program or tabletop exercise the draft regulation before enactment
       • Involve regulator/competent authority, sites, and other interested parties
       • Use this to gather feedback and understand costs and impacts
     • Give sites some time to become compliant

  5. Regulatory Approaches
     1. Compliance-based (aka Prescriptive)
     2. Risk-informed
     3. Performance-based
     4. Process-based
     5. Combinations of the above
     • Consider starting with Compliance-based and moving to other approaches as the regulation matures and grows
     • Encourage sites to continue existing computer security measures even though these measures are not in the regulation
     • Don't inhibit or penalize sites for exceeding regulatory requirements

  6. Understand Costs
     • Every line in a regulation has costs
       • Regulator / Competent Authority: oversight costs
       • Sites: implementation and assessment costs
     • All sides have initial costs and recurring costs
       • Personnel, equipment, money, expertise, management attention, etc.
     • How are both sides going to pay for it?
     • What is the lead time to get additional funding?

  7. Regulation good practices
     • For each requirement in the regulation
       • Number it so that it is easier to refer to (for example, 1.0.2)
       • Use normative (prescriptive) language
       • State what the requirement is
       • State what the site produces (report, list, etc.) to prove compliance to the regulator
     • Move non-requirements to an appendix or separate document (methodological recommendations) and reference them from the regulation
       • Background information
       • Instructional material
       • Computer security theory and fundamentals
       • Documentation production
     • Include Acronyms and Definitions to drive adoption of a standard set of terms

  8. Reference Documents
     • IAEA Nuclear Security Series No. 17 (2011). Computer Security at Nuclear Facilities. https://www.iaea.org/publications/8691/computer-security-at-nuclear-facilities
     • ISO/IEC 27002:2013 (2013). Information technology. Means of Security. Code of Practice on Information Security Management. https://www.iso.org/standard/54533.html
     • Nuclear Energy Institute (2010). Cyber Security Plan for Nuclear Power Reactors. https://www.nrc.gov/docs/ML1011/ML101180437.pdf
     • Nuclear Energy Institute (2012). Identifying Systems and Assets Subject to the Cyber Security Rule. https://www.nrc.gov/docs/ML1218/ML12180A081.pdf
     • U.S. NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
     • U.S. NRC (2010). Cyber Security Programs for Nuclear Facilities. https://scp.nrc.gov/slo/regguide571.pdf
     • U.S. DHS (2015). Nuclear Sector Cybersecurity Framework Implementation Guidance for U.S. Nuclear Power Reactors. https://www.dhs.gov/publication/nuclear-sector-cybersecurity-framework-implementation-guidance
     • U.S. NIST (2012). Guide for Conducting Risk Assessment. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
     • U.S. DHS (2012). National Strategy for Global Supply Chain Security. https://obamawhitehouse.archives.gov/sites/default/files/national_strategy_for_global_supply_chain_security.pdf
     • U.S. DOE (2014). Cybersecurity Procurement Language for Energy Delivery Systems. https://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf

  9. Contacts
     • Greg White, white6@llnl.gov
     • Seth Bromberger, bromberger1@llnl.gov
