You cannot implement a cyber security program that you don’t understand.
This is the fundamental problem that cmplid:// was designed to solve. Every cyber security program is complex and therefore there is no “easy button,” as much as we’d like to think there is. Planning for the implementation of a cyber security program includes more than developing a timetable, scheduling resources and tasks, and acquiring technology. The planning must include analysis of the requirements mandated by the program. Too much money, time, and joy are being wasted by people rushing forward with an incomplete understanding of what they need to do, only to have to stop multiple times along the way to change direction.
The nuclear power industry is a perfect example of this. I am going to be honest here: I believe the NRC mandated, and the industry accepted, a control set that neither understood completely. I say this not to embarrass or blame, but because I think it is true and that it must be learned from. The program defined in NRC RG 5.71 and parroted in NEI 08-09 is filled with confusing language, unnecessary controls, and mistakes that are consuming time and money, distracting from far more useful activities, and causing a great deal of angst and wasted resources.
I believe that while there surely are cyber-related risks to nuclear power reactors, they are largely mitigated appropriately by the controls applied in Milestones 1-7. Particularly useful were Milestones 2, 3, and 4 (with caveats). Milestones 6 and 7 were largely symbolic, Milestone 5 was well intended but not very useful, and Milestone 1 was generally implemented in a way that introduced great inefficiency at many licensees.
In the next few blog posts I will provide a few examples of these issues and try to offer some of the lessons I’ve learned in the last 6 years I have been working on nuclear cyber security projects.