Mistakes happen to all humans in all endeavors. The purpose of this post is NOT to criticize or shame anyone, but rather to point out some opportunities for improving NEI 08-09 Rev 7. The current version of that document (the basis for the Cyber Security Plans at nuclear licensees in the US) has a number of issues. I spoke about the overall issues here, and in my previous post I discussed specific controls it includes that provide no value.
10 CFR 73.54
In my previous post I expressed my opinion that the Nuclear Cyber Security Plans at US licensees have some deficiencies. In this post I want to talk about a couple of examples of the unnecessary controls within RG 5.71 and NEI 08-09. These controls, and perhaps others, should be removed from the next revision of NEI 08-09, as it should be obvious they are not necessary to protect SSEP functionality at any nuclear plant.
D 2.10 Non-Repudiation: This technical cyber security control ensures the protection of CDAs and audit records against an individual falsely denying they performed a particular action.
You cannot implement a cyber security program that you don’t understand.
This is the fundamental problem that cmplid:// was designed to solve. Every cyber security program is complex and therefore there is no “easy button,” as much as we’d like to think there is. Planning for the implementation of a cyber security program includes more than developing a timetable, scheduling resources and tasks, and acquiring technology. The planning must include analysis of the requirements mandated by the program.