News

In 2018, the focus of the USA Cyber Security Project Team was preparing for the NRC Full Implementation Inspections (Milestone 8). The regulator had decided to conduct these inspections over a three-year period. In 2017, they conducted two pilot inspections to refine their inspection methodology and validate their inspection procedure. Their inspection procedure was established to look at all major areas of the cyber security program. The two pilot inspections were completed at the South Texas Project and Monticello. Since both of these are USA sites, the USA Cyber Security Team gained a lot of knowledge regarding the conduct and scope of the NRC inspections. The Inspection results were good at both sites with no significant issues identified.

In 2018, the regulator performed eighteen full implementation Inspections. The USA Cyber Security Project Team Plants inspected were Hope Creek, Salem, and Susquehanna. The USA Cyber Security Team had access to and analyzed each of the inspection findings from the inspections performed throughout the industry. The Cyber Security Team maintains a database of the issues identified at all plants. Issues identified are then reviewed against the USA Cyber Security Team’s standards and each plant’s program.

Analyzing the data from the NRC Inspections gave us insight into what problems were showing up most frequently. The two most frequent Findings were in regard to Kiosk assessments and controls implementation. The two most frequent minor Findings are on portable media/mobile devices and associated documentation. The two most frequent observations were on assessment quality and documentation.

In preparation for the upcoming NRC Inspections the Cyber Team performed USA Cyber Security Peer Assessments in 2018 at Cooper, Cook, Fermi II, Columbia, Susquehanna, and Prairie Island. During the team’s November 13-14, 2018 Face-to-Face meeting in Overland Park, Kansas, the team determined that it was necessary to revise our USA Cyber Security Peer Assessment Procedure. Although the NRC Inspection Procedure was written to look at all programmatic areas of Cyber Security, the actual inspections were more focused on problem areas they were seeing during previous inspections and areas where the actual cyber security requirements were less defined. The team revised the USA assessment procedure to match what the team was seeing from the Regulator. The USA Cyber Security Peer Assessment Procedure was revised to include inspection Operating Experience (OE), a detailed look into several selected Critical Digital Assets (Safety Related, Security, Emergency Plan), a detailed look into several recent major modifications, and the addition of any specific items the assessed site desired.

In 2019 there are three USA Member sites having NRC Inspections, Cooper, Prairie Island, and Fermi II. Cooper was completed in February and that assessment went well. In 2020 there are three additional USA Member sites having NRC Inspections; Comanche Peak, Cook, and Columbia.

From the beginning of the Cyber Security Project, there has been a difference of opinion in some areas between the regulator and the industry on what good cyber protection looks like. The USA Cyber Security Project Team stays involved with resolving open industry issues with the Regulator. The team maintains this involvement through the Nuclear Energy Institute (NEI)I Cyber Security Task Force. In 2018 and 2019 we have worked on Kiosk evaluations, critical group membership, vulnerability and risk management, ongoing monitoring and assessment, and alternate controls.

The team will continue to prepare our members for NRC Inspections and be involved in resolving industry cyber issues.