My last few blog posts (here, here and here) have been critical of the state of the Cyber Security Program being implemented at US nuclear plants. I realize that; it was my intention. There are opportunities for improvement, as I have said. I believe that the Nuclear Cyber Security issues I have critiqued are due to the inexperience and steep learning curve faced by the NRC and the nuclear power industry at the beginning of this initiative, and I am sure that “if they had known then…”
Mistakes happen to all humans in all endeavors. The purpose of this post is NOT to criticize or shame anyone, but rather to point out some opportunities for improving NEI 08-09 Rev 7. The current version of that document (the basis for the Cyber Security Plans at nuclear licensees in the US) has a number of issues. I spoke about the overall issues here and in my previous post I spoke about specific controls included that provide no value.
In my previous post I expressed my opinion that the Nuclear Cyber Security Plans at US licensees have some deficiencies. In this post I want to talk about a couple of examples of the unnecessary controls within RG 5.71 and NEI 08-09. These controls, and perhaps others, should be removed from the next revision of NEI 08-09, as it should be obvious they are not necessary to protect SSEP functionality at any nuclear plant.
D 2.10 Non-Repudiation: This technical cyber security control ensures the protection of CDAs and audit records against an individual falsely denying they performed a particular action.
You cannot implement a cyber security program that you don’t understand.
This is the fundamental problem that cmplid:// was designed to solve. Every cyber security program is complex and therefore there is no “easy button,” as much as we’d like to think there is. Planning for the implementation of a cyber security program includes more than developing a timetable, scheduling resources and tasks, and acquiring technology. The planning must include analysis of the requirements mandated by the program.
cmplid:// is now being used by a large professional services firm in Japan to assist in the development of the cyber security program for a nuclear plant operator there. The cyber security program is being designed to protect against plausible “attack scenarios” and is based on the guidance in the International Atomic Energy Agency’s Nuclear Security Series No. 17: Computer Security at Nuclear Facilities. We are extremely excited about this opportunity, which presents a significantly different use-case for cmplid://,
cmplid:// will be exhibiting at the NEI Cyber Security Implementation Workshop in Seattle, March 1-3, 2016. There we will be demonstrating what true cyber security management automation looks like. Stop by to view a live demonstration of the solution and talk with us about how our technology can provide a mechanism to integrate cyber security into normal operations, saving you time and effort. Also, ask how cmplid:// and our integration partners can combine to offer an economical turn-key assessment project,
cmplid:// began the data-import process for our first customer the week of January 11th, 2016. They have already completed a large number of Direct CDA assessments and that information will be imported into cmplid:// for historical record. Additionally, we began the planning for the import of all CDAs and other resources within scope and new assessment logic for the NEI 13-10 described CDA types (Indirect, EP, BOP). Moving from spreadsheet based analysis to cmplid://’s native analysis engine provides significant opportunities to increase both the effectiveness and efficiency of managing the security program.
Cmplid is a Security Management Automation solution that helps you document and explain what you’re doing for your Cyber Security Program and what you need to do, while keeping it all consistent within an enterprise-available database.
Designed to provide ongoing assistance to organizations in implementing, assessing, and managing their security programs.
cmplid:// is the first of its kind Security Management Automation solution.
July 13-15 2015
cmplid:// will be joining Sheffield Scientific at the NITSL Workshop. Stop by on vendor night to hear about the combined solutions offered by cmplid:// and Sheffield Scientific, or to see a demo of the cmplid:// solution. For more information: www.nitsl.org