Tilting at Windmills

July 15, 2016 • Richard Dahl • 10 CFR 73.54

My last few blog posts (here, here and here) have been critical of the state of the Cyber Security Program being implemented at US nuclear plants. I realize that, it was my intention. There are opportunities for improvement as I have said. I believe that the Nuclear Cyber Security issues I have critiqued are due to the inexperience and steep learning curve faced by the NRC and the nuclear power industry at the beginning of this initiative and I am sure that “if they had known then…”

Mistakes in the development of RG 5.71/NEI 08-09

July 14, 2016 • Richard Dahl • 10 CFR 73.54

Mistakes happen to all humans in all endeavors. The purpose of this post is NOT to criticize or shame anyone, but rather to point out some opportunities for improving NEI 08-09 Rev 7. The current version of that document (the basis for the Cyber Security Plans at nuclear licensees in the US) has a number of issues. I spoke about the overall issues here and in my previous post I spoke about specific controls included that provide no value.

Examples of Unnecessary RG 5.71/NEI 08-09 Controls

July 6, 2016 • Richard Dahl • 10 CFR 73.54

In my previous post I expressed my opinion that the Nuclear Cyber Security Plans at US licensees have some deficiencies. In this post I want to talk about a couple of examples of the unnecessary controls within RG 5.71 and NEI 08-09. These controls, and perhaps others, should be removed from the next revision of NEI 08-09, as it should be obvious they are not necessary to protect SSEP functionality at any nuclear plant.

D 2.10 Non-Repudiation: This technical cyber security control ensures the protection of CDAs and audit records against an individual falsely denying they performed a particular action.

Nuclear Cyber Security Opportunities for Improvement

July 6, 2016 • Richard Dahl • 10 CFR 73.54

You cannot implement a cyber security program that you don’t understand.

This is the fundamental problem that cmplid:// was designed to solve. Every cyber security program is complex and therefore there is no “easy button,” as much as we’d like to think there is. Planning for the implementation of a cyber security program includes more than developing a timetable, scheduling resources and tasks, and acquiring technology. The planning must include analysis of the requirements mandated by the program.

cmplid:// goes international!

January 19, 2016 • Richard Dahl • Customer

cmplid:// is now being used by a large professional services firm in Japan to assist in the development of the cyber security program for a nuclear plant operator there. The cyber security program is being designed to protect against plausible “attack scenarios” and is based on the guidance in the International Atomic Energy Agency’s Nuclear Security Series No. 17: Computer Security at Nuclear Facilities. We are extremely excited about this opportunity, which presents a significantly different use-case for cmplid://,

NEI Workshop

January 19, 2016 • Andy Dahl • Workshop

cmplid:// will be exhibiting at the NEI Cyber Security Implementation Workshop in Seattle, March 1-3, 2016. There we will be demonstrating what true cyber security management automation looks like. Stop by to view a live demonstration of the solution and talk with us about how our technology can provide a mechanism to integrate cyber security into normal operations, saving you time and effort. Also, ask how cmplid:// and our integration partners can combine to offer an economical turn-key assessment project,

» Read more about: NEI Workshop »

cmplid:// installed at first customer

January 18, 2016 • Andy Dahl • Customer

cmplid:// began the data-import process for our first customer the week of January 11th, 2016. They have already completed a large number of Direct CDA assessments and that information will be imported into cmplid:// for historical record. Additionally, we began the planning for the import of all CDAs and other resources within scope and new assessment logic for the NEI 13-10 described CDA types (Indirect, EP, BOP). Moving from spreadsheet based analysis to cmplid://’s native analysis engine provides significant opportunities to increase both the effectiveness and efficiency of managing the security program.

Schedule a Demo

January 14, 2016 • Andy Dahl • Marketing

Cmplid is a Security Management Automation solution, that helps you document and explain what you’re doing for your Cyber Security Program and what you need to do, while keeping it all consistent within an enterprise available database.

Designed to provide ongoing assistance to organizations in implementing, assessing, and managing their security programs.

cmplid:// is the first of its kind Security Management Automation solution.

NITSL Workshop

July 13, 2015 • Andy Dahl • Workshop

Minneapolis, MN

July 13-15 2015

cmplid:// will be joining Sheffield Scientific at the NITSL Workshop, stop by on vendor night to hear about the combined solutions offered by cmplid:// and Sheffield Scientific or to see a demo of the cmplid:// solution. For more information: www.nitsl.org

» Read more about: NITSL Workshop »

Latest News