U S NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REGULATORY RESEARCH REGULATORY GUIDE July 2015 Division 5 Technical Lead Brad Bergemann REGULATORY GUIDE 5 83 Draft was issued as part of DG-5019 Revision 2 of Regulatory Guide 5 62 dated January 2011 CYBER SECURITY EVENT NOTIFICATIONS A INTRODUCTION Purpose This regulatory guide RG describes approaches and methodologies that the staff of the U S Nuclear Regulatory Commission NRC considers acceptable for use by nuclear power reactor licensees when categorizing certain cyber security events and the process for conducting notifications and submitting written security follow-up reports to the NRC for cyber security events Applicable Rules and Regulations The regulations in Title 10 of the Code of Federal Regulations 10 CFR “Physical Protection of Plants and Materials ” Part 73 Ref 1 Section 73 77 “Cyber Security Event Notifications” requires licensees subject to the provisions of 10 CFR 73 54 “Protection of Digital Computer and Communication Systems and Networks” to notify the NRC Headquarters Operations Center via the Emergency Notification System ENS as described below • Section 73 77 a 1 requires licensees to notify the NRC within one hour after discovery of a cyber attack that adversely impacted safety-related or important-to-safety functions security functions or emergency preparedness functions including offsite communications or that compromised support systems and equipment resulting in adverse impacts to safety security or emergency preparedness functions within the scope of 10 CFR 73 54 • Section 73 77 a 2 requires licensees to notify the NRC within four hours i After discovery of a cyber attack that could have caused an adverse impact to safetyrelated or important-to-safety functions security functions or emergency preparedness functions including offsite communications or that could have compromised support systems and equipment which if compromised could have adversely impacted safety security or emergency preparedness functions within the scope of 10 CFR 73 54 Written suggestions regarding this guide or development of new guides may be submitted through the NRC’s public Web site under the Regulatory Guides document collection of the NRC Library at http www nrc gov reading-rm doc-collections reg-guides contactus html Electronic copies of this regulatory guide previous versions of this guide and other recently issued guides are available through the NRC’s public Web site under the Regulatory Guides document collection of the NRC Library at http www nrc gov reading-rm doc-collections The regulatory guide is also available through the NRC’s Agencywide Documents Access and Management System ADAMS at http www nrc gov reading-rm adams html under ADAMS Accession No ML14269A388 The regulatory analysis may be found in ADAMS under Accession No ML14170B076 and the staff responses to the public comments on DG-5019 may be found under ADAMS Accession No ML14136A214 ii After discovery of a suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73 54 iii After notification of a local State or other Federal agency of an event related to implementation of the licensee’s cyber security program for digital computer and communication systems and networks within the scope of 10 CFR 73 54 that does not otherwise meet a notification under 10 CFR 73 77 a • Section 73 77 a 3 requires licensees to notify the NRC within eight hours after receipt or collection of information regarding observed behavior activities or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks within the scope of 10 CFR 73 54 • Section 73 77 b requires licensees to use their site corrective action program CAP to record vulnerabilities weaknesses failures and deficiencies in their cyber security program as well as record notifications made under paragraph a of 10 CFR 73 77 within twenty four hours of their discovery • Section 73 77 c provides the process for conducting cyber security event notifications to the NRC • Section 73 77 d provides the process for submitting written security follow-up reports to the NRC for cyber security event notifications • Section 73 77 d 3 requires licensees to prepare written security follow-up reports on NRC Form 366 • Appendix A to 10 CFR Part 73 “U S Nuclear Regulatory Commission Offices and Classified Mailing Addresses ” contains contact information for the NRC Headquarters Operations Center and directions on communicating classified events to the NRC Related Guidance • Regulatory Guide 5 69 “Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design Development and Implementation of a Physical Security Program that Meets 10 CFR 73 55 Requirements” SGI provides background on cyber attacks up to and including the design basis threat DBT of radiological sabotage as described in 10 CFR 73 1 Ref 3 • U S Department of Homeland Security “Terrorist Threats to the U S Homeland Reporting Guide for Critical Infrastructure and Key Resource Owners and Operators ” OUO provides additional guidance and examples of suspicious events including events related to cyber activity Ref 4 Purpose of Regulatory Guides The NRC issues regulatory guides to describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agency’s regulations to explain techniques that the staff uses in evaluating specific problems or postulated accidents and to provide guidance to RG 5 83 Rev 2 Page 2 applicants Regulatory guides are not substitutes for regulations and compliance with them is not required Methods and solutions that differ from those set forth in regulatory guides will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the Commission Paperwork Reduction Act This regulatory guide contains information collection requirements covered by 10 CFR Part 73 that the Office of Management and Budget OMB approved under OMB control number 3150-0002 The NRC may neither conduct nor sponsor and a person is not required to respond to an information collection request or requirement unless the requesting document displays a currently valid OMB control number B DISCUSSION This new guide addresses cyber security event notification requirements These notification requirements contribute to the NRC’s analysis of the reliability and effectiveness of licensees’ cyber security programs Furthermore they will play an important role in the NRC’s continuing effort to provide high assurance that digital computer communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat Background Prompt notification of a cyber attack could be vital to the NRC’s ability to take immediate action in response to a cyber attack and if necessary notify other NRC licensees Government agencies and critical infrastructure facilities to defend against a multiple sector cyber attack Notifications conducted and written reports submitted by licensees will be used by the NRC to respond to emergencies monitor ongoing events assess trends and patterns and identify precursors of more significant events Timely notifications assist the NRC in achieving its strategic communication mission by enabling NRC to inform the U S Department of Homeland Security DHS and federal intelligence and law enforcement agencies of cyber security-related events that could 1 endanger public health and safety or the common defense and security 2 provide information for threat-assessment processes or 3 generate public or media inquiries In accordance with 10 CFR 73 54 licensees’ cyber security programs are required to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat of radiological sabotage as described in 10 CFR 73 1 Further licensees are required to protect digital computer and communication systems and networks associated with safety-related and important-to-safety functions security functions emergency preparedness functions including offsite communications and support systems and equipment which if compromised would adversely impact safety security or emergency preparedness SSEP functions Additionally in accordance with 10 CFR 73 54 a 2 licensees are required to protect the systems and networks associated with SSEP functions against cyber attacks that would adversely impact the integrity or confidentiality of data and or software deny access to systems services and or data and adversely impact the operation of systems networks and associated equipment Furthermore in staff requirements memorandum SRM “COMWCO-10-0001 Regulation of Cyber Security at Nuclear Power Plants” Ref 5 the Commission determined that as a matter of policy 10 CFR 73 54 should be interpreted to include structures systems and components SSC in the balance of plant BOP that have a nexus to radiological health and safety at NRC-licensed nuclear power plants Therefore cyber security RG 5 83 Rev 2 Page 3 events related to BOP SSCs that could directly or indirectly affect reactivity of a nuclear power plant are also required to be reported or recorded in accordance with the requirements of 10 CFR 73 77 The NRC has established notification requirements for certain cyber security activities because they may be indicative of preoperational malevolent activities and malevolent actors have demonstrated the capability to simultaneously attack multiple independent targets The NRC forwards appropriate reports of these cyber security activities to DHS federal law enforcement agencies and the intelligence community as part of the national threat assessment process as outlined in the National Cyber Incident Response Plan Analysis of individual cyber security events at separate facilities or activities may reveal to the NRC law enforcement authorities or the intelligence community potential threats or patterns that warrant increasing the security posture for NRC-regulated facilities and activities other government facilities and activities and other national critical-infrastructure facilities The DHS considers licensees to be “key resource owners and operators ” Licensees can find additional guidance and examples of suspicious events to include events related to cyber activity in the U S Department of Homeland Security’s “Terrorist Threats to the U S Homeland Reporting Guide for Critical Infrastructure and Key Resource Owners and Operators ” Consistent with 10 CFR 73 77 a cyber security event must be reported within the time specified in 10 CFR 73 77 a These timeframes are within specified hours after for example discovery of a cyber attack or suspected attack The NRC understands that the licensee may conduct a preliminary assessment if signs of a cyber attack are not obvious e g antivirus protection alert intrusion detection system alert in order to rule out other common degradations or failures such as mechanical or electrical The NRC staff encourages licensees to report cyber security events and subsequently retract them if appropriate e g not meeting the threshold of a reportable event rather than delaying the initial notification to gather more information and thus have greater confidence in whether or not to make a notification If a licensee has questions about whether to report or record a cyber security event the licensee can if time permits discuss the cyber security event with their appropriate NRC regional or Headquarters security staff before making an official report or record However if the questions cannot be resolved licensees should report all cyber security events within the most appropriate timeframe specified in 10 CFR 73 77 rather than waiting for confirmation that the event is one that must be reported The NRC staff has developed this guide based on examples taken from prior experience with cyber security events and interactions between NRC staff and licensees This guide is intended to provide assistance to licensees in evaluating whether a broad range of potential cyber security events should be reported or recorded under the provisions of 10 CFR 73 77 The specific cyber security events listed in this guide are examples of reportable or recordable cyber security events As such the NRC staff does not consider these lists to be exhaustive or exclusive Many of the examples listed herein have been created from actual cyber security events at NRC-regulated facilities or from licensee discussions with NRC staff on whether a particular cyber security event was reportable recordable or neither The NRC staff notes that the evaluation of cyber security events is very fact specific Therefore for virtually every example provided the addition or subtraction of a single aspect not explicitly detailed in this guide could easily move it into a higher or lower reporting timeframe Accordingly licensees should always consider their particular circumstances before determining how to comply with 10 CFR 73 77 Licensees should report suspected or actual cyber security events including those substantiated by observations by staff or law enforcement personnel evidence of the presence of unknown personnel unauthorized access or modification of critical digital assets CDAs telephone and other electronic contacts suspicious documents and files and testimony of credible witnesses Licensee’s corporate and contractor personnel may also be sources of this information Licensees should consider obtaining access to the NRC’s Protected Web Server PWS to obtain routine threat bulletins and analyses the NRC receives from the Federal Bureau of Investigation FBI and the DHS on critical national infrastructure RG 5 83 Rev 2 Page 4 and key resources Licensees desiring access to the NRC’s PWS should make their request through the security staff in their applicable NRC regional office Notifications conducted under 10 CFR 73 77 should focus on the occurring or suspected cyber security event not the resolution final analysis suspected motivation of any participants or technical evaluations While those actions should be considered part of the response function and should eventually be reported they should not affect the timely notification of the occurring event Harmonization with International Standards The NRC staff reviewed guidance from the International Atomic Energy Agency IAEA International Organization for Standardization ISO and International Electrotechnical Commission IEC and did not identify any standards that provided useful guidance to NRC staff applicants or licensees C STAFF REGULATORY GUIDANCE 1 Cyber Security Event Notifications Licensees subject to the provisions of 10 CFR 73 54 are required to notify the NRC Headquarters Operations Center of the below events via the ENS in accordance with the requirements of 10 CFR 73 77 c 1 1 One-hour Notifications As stated in 10 CFR 73 77 a 1 licensees are required to notify the NRC within one hour after discovery of a cyber attack that adversely impacted safety-related or important-to–safety functions security functions or emergency preparedness functions including offsite communications or that compromised support systems and equipment resulting in adverse impacts to safety security or emergency preparedness functions within the scope of 10 CFR 73 54 Licensees should evaluate events that are not reportable under this requirement for reporting or recording under the other provisions of 10 CFR 73 77 One-hour Notification Examples a A cyber attack that adversely impacted e g interruption the normal operation of the facility through the unauthorized use of or tampering with digital computer and communication systems and networks b A cyber attack that adversely impacted the capability to shut down the reactor and maintain it in a safe shutdown condition remove residual heat control the release of radioactive material or mitigate the consequences of an accident even if the affected system was not required to perform its function during the period of impact c A cyber attack that adversely impacted the capability to detect delay assess or respond to malevolent activities For example a cyber attack that disrupts a security function responsible for the implementation of the site’s physical protection program and or protective strategy such as an intrusion detection and assessment system a physical barrier e g active vehicle barrier delay barrier an access control system an alarm station or a communication system RG 5 83 Rev 2 Page 5 d A cyber attack that adversely impacted the capability to call for or communicate with offsite assistance e A cyber attack that adversely impacted emergency response capabilities to implement appropriate protective measures in the event of a radiological emergency f 1 2 A cyber attack that adversely impacted a support system that falls within the scope of 10 CFR 73 54 even if the affected system was not required to perform its function during the period of impact Four-hour Notifications As stated in 10 CFR 73 77 a 2 i licensees are required to notify the NRC within four hours after discovery of a cyber attack that could have caused an adverse impact to safety-related or importantto-safety functions security functions or emergency preparedness functions including offsite communications or that could have compromised support systems and equipment which if compromised could have adversely impacted safety security or emergency preparedness functions within the scope of § 73 54 These could be attacks that exploit a CDA critical system CS or a protected network i e a network that is isolated air gapped or behind a data diode that contains one or more CDAs that could have but did not cause an adverse impact to SSEP functions For example activity logs antivirus protection or an intrusion detection system indicated the presence of malware or unauthorized access activity occurred on a CDA CS or protected network For cyber attacks that reach unprotected networks i e not isolated or behind a data diode containing CDAs or that are mitigated by boundary and or CDA cyber security controls and no exploitation of a CDA occurs notification to the NRC would not be needed under 10 CFR 73 77 a 2 i As stated in 10 CFR 73 77 a 2 ii licensees are required to notify the NRC within four hours after discovery of a suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73 54 These are attacks that are initiated by employees contractors or vendors that have physical or electronic access to a CDA CS or a protected network This could include corporate Information Technology IT personnel that may not have unescorted access to the plant but do have electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73 54 It could also include personnel that do have unescorted access to the plant but may not have electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73 54 These attacks should be reported within four hours regardless of their impact on SSEP functions As stated in 10 CFR 73 77 a 2 iii licensees are required to notify the NRC within four hours after notification of a local state or other federal agency e g law enforcement Federal Bureau of Investigation of an event related to the licensee’s implementation of their cyber security program for digital computer and communication systems and networks within the scope of 10 CFR 73 54 that does not otherwise require a notification under 10 CFR 73 77 a Licensees should evaluate events that are not reportable under this requirement for reporting or recording under the other provisions of 10 CFR 73 77 Four-hour Notification Examples a A CDA that was isolated or on a protected network was found to be connected to an unprotected network wired or wireless and cyber security controls e g activity logs antivirus protection RG 5 83 Rev 2 Page 6 an intrusion detection system etc indicated the presence of malware or unauthorized access activity had occurred b An unauthorized transmitter e g wireless router modem or unauthorized portable media e g memory stick smart phone was attached or connected to a CDA and cyber security controls e g activity logs antivirus protection an intrusion detection system etc indicated the presence of malware or unauthorized access activity had occurred to the CDA c The degradation or failure of a CDA or of the cyber security controls that protect CDAs that is indicative of unauthorized activity e g cyber attack physical tampering and could have but does not have an immediate or adverse impact on SSEP functions because for example the CDA has an analog backup This does not include common degradations or failures such as mechanical or electrical d An active cyber attack e g virus or worm logic bomb on a CDA CS or protected network that could have but did not cause an adverse impact to SSEP functions or that could have compromised support systems and equipment which if compromised could have adversely impacted SSEP functions e A cyber attack that caused an adverse impact to a CDAs and or CSs confidentiality integrity or availability could have but did not cause an adverse impact to SSEP functions or that could have compromised support systems and equipment which if compromised could have adversely impacted SSEP functions For example if a remote digital control to an active vehicle barrier has been disabled e g loss of communications but the barrier is in the denial position and has not and will not allow unauthorized access as a result of the cyber attack f 1 3 Control of a mobile or portable CDA is lost or misplaced and there are signs of exploitation For example a CDA used for maintenance and testing is misplaced or lost if the CDA is recovered and shows signs of tampering e g physical tampering malware installed etc or CDAs that are maintained and tested by the lost or misplaced CDA show signs of exploitation malware unauthorized access activity etc Eight-hour Notifications As stated in 10 CFR 73 77 a 3 licensees are required to notify the NRC within eight hours after receipt or collection of information regarding observed behavior activities or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks that fall within the scope of 10 CFR 73 54 Generally eight-hour notifications should include behavior activities or statements that are coordinated and or targeted Additionally licensees should evaluate events that are not reportable under this requirement for reporting or recording under the other provisions of 10 CFR 73 77 Eight-hour Notification Examples a Personnel or persons with an uncommon level of interest or making abnormal inquiries related to specific attributes of the licensee’s cyber security program e g CDAs CSs cyber security controls or vulnerabilities associated with the cyber security program Such interests or inquiries could occur onsite or offsite e g cyber security symposium by personnel vendors or contractors or non-employees that do not have a need-to-know e g are not part of or support RG 5 83 Rev 2 Page 7 the licensee’s cyber security program This does not include generic public or media inquiries related to plant operations safety etc i e these inquiries are targeted b Unauthorized personnel in a static position in vicinity of the plant protected area that are in possession and operating equipment e g laptop Yagi antenna capable of scanning for wireless networks This does not include devices such as personal electronic devices e g smartphones carried by visitors that are configured to search or join wireless networks i e these activities are targeted c The recognition of the theft or suspicious loss of smart cards tokens or other “two factor” authentication devices required for accessing a CDA or CS d The detection of forged or fabricated smart cards tokens or other “two factor” authentication devices required for accessing a CDA CS or performing authorization activities e The detection of falsified identification badges key cards or other access-control devices that allow unauthorized individuals access to a CDA or CS f A targeted spear phishing email payload followed-up with a telephone call to the targeted individual attempting to trigger the spear phishing email social engineering g The recognition of the exfiltration of data intelligence gathering from an unprotected network from an unknown source in conjunction with malware payload that was surreptitiously delivered and executed by the unknown source without licensee knowledge h A website posting or notification indicating a planned cyber attack against the plant 2 24-hour Recordable Events As stated in 10 CFR 73 77 b licensees are required to use their site CAP to record vulnerabilities weaknesses failures and deficiencies in their 10 CFR 73 54 cyber security program as well as record notifications made under paragraph a of 10 CFR 73 77 within twenty-four hours of their discovery This includes items or events such as 1 when a system component or cyber security control has been reduced to the degree that it is rendered ineffective for the intended purpose e g cessation of proper functioning 2 a defect in equipment personnel or procedure that degrades the function or performance of the cyber security program necessary to meet the requirements of 10 CFR 73 54 3 a feature or attribute in a system’s design implementation operation or management that could render a CDA open to exploitation or an SSEP function susceptible to adverse impact Licensees should utilize the site CAP to perform periodic evaluations to identify any noticeable trends and or increases in failures and deficiencies in their cyber security program e g equipment vulnerabilities and failures procedural and or training weaknesses and deficiencies to assist in identifying and developing program improvements 24-hour Recordable Event Examples a A cyber vulnerability assessment that was not performed within the period specified in the licensee’s Cyber Security Plan e g quarterly RG 5 83 Rev 2 Page 8 b Improper usage of digital computer and communication systems and networks associated with SSEP functions or support systems and equipment which if compromised could adversely impact SSEP functions This could include training and procedure deficiencies involving a CDA cyber security controls or SSEP functions without an adverse impact to their function e g connection of unauthorized portable media to a CDA which resulted in no exploitation e g no malware transferred no unauthorized activity access occurred c A design flaw or vulnerability in an implemented cyber security control that could have allowed unauthorized access to a CDA or substantively eliminated or significantly reduced the licensee’s response capabilities This is not intended to capture vendor discovered issues that are immediately fixed patched corrected However flaws or vulnerabilities discovered by a licensee should be recorded e g a licensee scan discovers a vulnerability in cyber security hardware or software that has not been previously identified Note If a licensee believes the vulnerability or design flaw could pose an industry-wide risk the licensee should consider immediate notification using the voluntary notification process so the NRC can notify other licensees of the vulnerability or design flaw d A cyber security event that could have allowed undetected or unauthorized access or modification to a CDA but was not exploited in an attack For example a cyber security control or alarm was temporarily disabled or accessed for maintenance and not enabled or secured immediately upon completion of the activity 3 Notification Process As stated in 10 CFR 73 77 c each licensee is required to make notifications required by 10 CFR 73 77 a to the NRC Headquarters Operations Center via the ENS If the ENS is inoperative or unavailable the licensee shall make the notification via commercial telephone service or other dedicated telephonic system or any other methods that will ensure a report is received by the NRC Headquarters Operations Center within the specified timeframe Commercial telephone numbers for the NRC Headquarters Operations Center are specified in appendix A to Part 73 “U S Nuclear Regulatory Commission Offices and Classified Mailing Addresses ” Notifications can be annotated on an “Event Notification Worksheet” NRC Form 361 Licensees may obtain an event number and time during notifications If an LER is required the licensee may include this information in the LER to provide a cross-reference to the notification making the event easier to trace The individual responsible for conducting the notification should be properly trained and sufficiently knowledgeable of the event to report it correctly The NRC records all conversations with the NRC Operations Center The recordings are saved for one month in case there is a public or private inquiry Additionally if needed licensees should conduct additional notifications describing substantive changes additions or modifications to the initial notification in a timely manner after taking immediate actions to protect the facility or stabilize operations in accordance with emergency and contingency response procedures More than one event can be reported in a single ENS or LER if 1 the events are related i e they have the same general cause or consequence and 2 they occurred as a single activity over a reasonably short time e g within four or eight hours for ENS notifications or within 60 days for a LER Generally a LER is intended to address a specific event and unrelated events should not be reported in one LER However multiple notifications may be addressed in a single telephone call RG 5 83 Rev 2 Page 9 Discussion of an event requiring notification under 10 CFR 73 77 with the NRC staff e g resident inspector does not constitute the required notification to the NRC Headquarters Operations Center Nor does identification or discovery of events by the NRC staff relieve a licensee from the requirements to notify the NRC Headquarters Operations Center within the timeframes specified in 10 CFR 73 77 a 3 1 Notifications Containing Safeguards Information Under 10 CFR 73 22 f 3 licensees may make notifications of cyber security events specified in 10 CFR 73 77 which are considered to be extraordinary conditions containing Safeguards Information to the NRC Headquarters Operations Center without using a secure communications system Licensees should not delay notification of such events beyond one-hour after discovery to wait for secure communications However if available a licensee should use a secure communications system to make the notification and protect the Safeguards Information contained in the report from unintentional or inadvertent disclosure Additionally licensees should apply this exception to actual events only As such it should not be applied to simulated events communicated as part of a drill or exercise or to routine events e g the retraction of a previous security report as invalid 3 2 Notifications Containing Classified Information Licensees making notifications under 10 CFR 73 77 that contain classified National Security Information NSI or Restricted Data RD should notify the NRC Headquarters Operations Center using a secure communications system equivalent at a minimum to the classification level of the notification Licensees making classified notifications should contact the NRC Headquarters Operations Center at the commercial telephone numbers specified in appendix A to Part 73 and request a number to a secure telephone If the licensee’s secure communications capability is unavailable e g because of the nature of the event the licensee should provide as much information to the NRC as is required by 10 CFR 73 77 without revealing or discussing any classified information The licensee should also indicate to the NRC at the beginning of the notification that its secure communications capability is unavailable in order to prevent the inadvertent disclosure of classified information If the nature of the cyber security event warrants NRC Emergency Response Management may direct the licensee to use any available non-secure communications method to immediately communicate classified information to the NRC regarding cyber security event notifications required by 10 CFR 73 77 If so directed the licensee should provide the classified information to the NRC over the best available non-secure system i e the NRC staff considers using an available non-secure land-line as preferable to using an available non-secure cellular or satellite system In the written security follow-up report for the classified cyber security event notification over non-secure communications the licensee should document the direction given by the NRC the reason for the unavailability of a secure communications capability and the specific classified information that was communicated to or from the NRC over the non-secure communications The written security follow-up report should be appropriately marked and classified by the licensee The NRC will use the information in the written security follow-up report to assess the level of impact of the compromise of classified information communicated by the licensee or the NRC over non-secure communications in accordance with Executive Order 13526 “Classified National Security Information” Ref 6 3 3 Continuous Communications For some cyber security events notifications conducted under 10 CFR 73 77 a 1 the NRC may request that the licensee maintain an open and continuous communication channel with the NRC RG 5 83 Rev 2 Page 10 Headquarters Operation Center Human-to-human communication may be beneficial in order to provide for follow-up questions and clarifications requests for information or actions and to facilitate NRC response activities Note Because notifications have specified timeframes and are based on “after discovery of” an event the NRC realizes that the initial notification may be conducted by an individual not knowledgeable about cyber-related activities However a cyber security event requiring notification to the NRC should prompt activation of the Cyber Security Incident Response Team CSIRT After ensuring safe and secure operations of the plant a member of the CSIRT i e knowledgeable about cyber-related activities as well as the current cyber security event should follow-up the initial notification if there are any additions or modifications to the initial notification 3 4 Retraction of Notifications Licensees desiring to retract a previous cyber security event notification that they have determined through analysis or investigation to be non-reportable e g does not meet the threshold of a one four or eight hour notification must notify the NRC Headquarters Operations Center by telephone in accordance with 10 CFR 73 77 c 5 and indicate the notification being retracted and the basis for the retraction Cyber security events may be retracted at any time following the notification to the NRC However if a written security follow-up report has already been submitted licensees should refer to the additional guidance in Section 4 3 below on documenting retractions 3 5 Declaration of Emergencies Licensees reporting cyber security events under 10 CFR 73 77 that also involve the declaration of an Emergency Classification e g Notification of Unusual Event NOUE Alert Site Area Emergency or General Emergency in accordance with their NRC-approved Emergency Response Plan should follow the appropriate regulations regarding the declaration of an emergency In other words emergency declarations have primacy over cyber security event notifications Consequently to reduce unnecessary burden and duplication licensees should make a single report of the events that are subject to both emergency response and cyber security event notifications Licensees should indicate in their notification all of the applicable reporting requirements for the event However a licensee may need to report additional information regarding a cyber security event that would not be included in an emergency response notification 3 6 Elimination of Duplication Licensees are not required to make separate notifications for cyber security events that also result in the declaration of an emergency In such circumstances licensees should make the emergency notifications in accordance with existing regulations e g 10 CFR 50 72 Duplicate notifications are not required for other types of events e g notification of a local state or other federal agency that meet the threshold of more than one of NRC’s reporting regulations However when making such a notification the licensee should indicate to the NRC that the notification is also to report a cyber security event under a specific paragraph of 10 CFR 73 77 3 7 Content of Notifications Licensees should be prepared to provide following information if available at the time of the notification a caller name and callback number RG 5 83 Rev 2 Page 11 b facility name and location c emergency classification if declared d current event status e g in progress recovered e event date and time discovery of and actual occurrence if known f event description including the following information if available or known 1 2 3 4 5 6 cyber security controls involved affected if any system s involved affected SSEP functions BOP functions CDAs CS method used to identify the event e g security controls audit failed equipment what occurred during the event why the event occurred if known how the event occurred if known g safety security EP responses and corrective actions taken h offsite assistance e g requested or not requested arrived status 3 8 i media interest if any including licensee issued press releases j source of information e g U S Computer Emergency Readiness Team law enforcement if a law enforcement agency provide contact telephone number Voluntary Notifications Licensees are permitted and encouraged to report any cyber-related event or condition that does not meet the criteria for required reporting if the licensee believes that the event or condition might be of safety or security significance or of generic interest or concern to the NRC or other licensees Assurance of safe operation of all plants depends on accurate and complete reporting by each licensee and of all events having potential safety security significance For example a cyber–related event or condition identified and mitigated outside the plant network with no impact on SSEP functions may be indicative of a recently identified or known cyber threat Such activities should be voluntarily reported to the NRC to support Federal situational awareness activities Licensees may make voluntary ENS notifications about cyber-related events or conditions that the licensee believes might be of interest to the NRC The NRC responds to any voluntary notification of an event or condition as its safety or security significance warrants regardless of the licensee’s classification of the reporting requirement If it is determined later that the event is reportable the licensee can change the ENS notification to a required notification under the appropriate 10 CFR 73 77 reporting criterion without adverse consequences as long as the voluntary report met the appropriate timeframe and information required of the required notification Voluntary notifications do not require a written security follow-up report unless later it is determined the event was reportable under 10 CFR 73 77 reporting criteria RG 5 83 Rev 2 Page 12 4 Written Security Follow-up Reports Telephonic notifications to the NRC Headquarters Operations Center for cyber security events specified in paragraphs a 1 a 2 i and a 2 ii of 10 CFR 73 77 require submission of a written security follow-up report to the NRC within 60 days of the notification in accordance with 10 CFR 73 77 d Licensees should follow the procedures set forth in 10 CFR 73 4 when submitting their followup report The NRC does not require licensees who have made a notification to the NRC Headquarters Operations Center for cyber security events specified in 10 CFR 73 77 a 2 iii and a 3 to submit written security follow-up reports In addition cyber security events recorded in the site CAP under 10 CFR 73 77 b do not require written security follow-up reports Written security follow-up reports submitted should be of a format and quality to allow legible reproduction and processing The written security follow-up reports should contain sufficient details information and analysis to allow a knowledgeable individual to understand what occurred during the event For example whether any administrative or technical errors occurred what equipment was involved and or malfunctioned what CDAs and or SSEP functions were affected if the event involved new hardware and or software being installed to include patches and updates or from changes in system settings or configuration Additionally the licensee should indicate whether any immediate corrective actions were taken to include compensatory measures if applicable and any long-term corrective actions that are planned to prevent recurrence In accordance with 10 CFR 73 77 d 12 licensees must retain a copy of any written security follow-up reports submitted to the NRC for at least three years or until the termination of the license whichever comes first 4 1 NRC Form 366 and 366A Nuclear power reactor licensees should submit any written security follow-up reports to the NRC required by 10 CFR 73 77 using NRC Form 366 “Licensee Event Report LER ” and NRC Form 366A “Licensee Event Report Continuation Sheet” if additional pages are needed For licensees utilizing the NRC Form 366 items 1 through 15 should be completed as labeled if known or applicable For example the first item “1 Facility Name” enter the name of the facility e g Indian Point Unit 1 at which the event occurred For item 11 check the block that indicates the appropriate requirement e g 10 CFR 73 77 a 1 If it is a voluntary LER check the “Other” block and indicate “voluntary report” in the space below For item 16 “Abstract” provide a brief description of the cyber event including any failures or degradations that contributed to the event e g user error procedure violation cyber security controls include any CDAs and or SSEP functions that were impacted by the occurrence and to what extent e g temporarily lost remote digital control of the Protected Area Active Vehicle Barrier System due to bad firmware update barriers were in the up position and were controlled manually until previous firmware was re-loaded no unauthorized accesses occurred during this event The NRC Form 366A should be used to provide additional details about the cyber security event to include the content requested from section 4 6 below Generally licensee submitted LERs will be made publically available by the NRC However information that is designated by the licensee as for example proprietary safeguards or classified information will be withheld redacted from the public as appropriate Licensees should create store mark label handle and transmit LERs in accordance with applicable NRC regulations e g 10 CFR 2 390 73 21 73 22 part 95 When designated information e g proprietary safeguards classified is included with the LER it should only be entered in item 17 “Narrative” of NRC Form 366A and not included on the NRC Form 366 In addition the text should clearly indicate what information is designated as proprietary safeguards classified etc RG 5 83 Rev 2 Page 13 4 2 Significant Supplemental Information and Correction of Errors Licensees who discover significant supplemental information after the submission of a written security follow-up report to the NRC should submit a revised written report in accordance with the same process as used to submit the initial written report Additionally licensees who discover errors in a written report previously submitted to the NRC should submit a revised written report in accordance with the same process as used to submit the initial written report A revised written report should replace the previous written report i e the updated report should be complete and should not be limited to only the supplementary or revised information The revised report should indicate the revision number with revision bars to assist the reader 4 3 Retraction of Previous Written Security Follow-up Reports If a licensee subsequently retracts a notification made under 10 CFR 73 77 and has not yet submitted the written security follow-up report required by 10 CFR 73 77 d the NRC does not require the licensee to submit the written security follow-up report However if the licensee has already submitted a written security follow-up report to the NRC before it retracts the notification the licensee should then submit a revised written report to the NRC indicating the initial event has been retracted and the basis for that conclusion This supplemental written security follow-up report is necessary because without the supplemental report retracting the notification the only official agency record on the notification would be the initial written security follow-up report which would not include the retraction 4 4 Written Security Follow-up Reports Containing Safeguards Information Licensees who submit written security follow-up reports to the NRC containing Safeguards Information should create store mark label handle and transmit these written reports in accordance with the requirements in 10 CFR 73 21 and 73 22 Licensees should perform a safeguards designation of such reports Written security follow-up reports should be portion marked to indicate the designation level of the report’s information 4 5 Written Security Follow-up Reports Containing Classified Information Licensees who submit written security follow-up reports to the NRC containing classified NSI or RD should create store mark label handle and transmit these reports in accordance with the requirements of 10 CFR Part 95 “Facility Security Clearance and Safeguarding of National Security Information and Restricted Data” Ref 7 Licensees should perform a derivative classification of such reports in accordance with the classification guide s applicable to their facility or activity Written security follow-up reports should be portion marked to indicate the classification level of the report’s information If the written security follow-up report requires an original classification determination then the licensee should make a provisional classification decision mark handle store and transmit the document according to that provisional decision and forward the document to the NRC for an original classification determination 4 6 Content of Written Security Follow-up Reports Licensees preparing written security follow-up reports should include sufficient information for the NRC to analyze the cyber security event The NRC staff recommends that written security follow-up reports contain at a minimum the following information as applicable a date and time of the event including chronological timeline if applicable RG 5 83 Rev 2 Page 14 b date and time of notification to the NRC and or local State and Federal agencies c the reactor’s operating mode at time of event e g shut down operating d SSEP functions directly or indirectly affected by the event e g compromised failed degraded e support systems or equipment directly or indirectly affected that could have compromised SSEP functions e g compromised failed degraded f CDAs and or CS affected by the event compromised failed degraded g security controls involved in the event e g compromised performed as intended h personnel involved or contacted such as contractors security personnel visitors plant staff perpetrators or attackers NRC personnel local State or Federal responders and other personnel specify i method of discovery of the event or information such as routine patrol or inspection test maintenance alarm annunciation audit communicated threat unusual circumstances include details j immediate actions taken in response to the event and any compensatory measures established k description of media interest and press releases l indications or records of previous similar events m procedural or human errors or equipment failures as applicable n cause of the event or the licensee’s analysis of the event including a brief summary in the report and references to any ongoing or completed detailed investigations assessments analyses or evaluations o corrective actions taken or planned including dates of completion p name and phone number of a licensee’s point of contact q For failures degradations or discovered vulnerabilities of the cyber security program licensees should also provide the following information as applicable in addition to items a through p above 1 2 3 4 description of failed degraded or vulnerable equipment systems or controls e g manufacturer and model number procedure number unusual conditions that may have contributed to the failures degradations or discovered vulnerabilities of the equipment systems or controls e g environmental conditions plant outage software update security settings configuration of the components systems or controls that failed or became degraded or vulnerable apparent cause of component system or control failure degradation or vulnerability RG 5 83 Rev 2 Page 15 5 Training of Non-security Staff on Reporting and Recording Requirements The discovery or identification of reportable or recordable events is not limited to members of the licensee’s security organization Employees contractors and vendors with physical or electronic access to digital computer and communications systems and networks within the scope of 10 CFR 73 54 should receive training on cyber security event notifications to foster awareness and to understand their responsibility to immediately notify site-security or management personnel of anomalies failures degradations or vulnerabilities in the cyber security program to include activities that may indicate intelligence gathering or preoperational planning related to cyber attacks Licensees may provide this training during general plant training and periodic refresher training The NRC staff notes that some licensees have also found it beneficial to include training “tips” or elements of the training program in recurring plant publications such as newsletters electronic signs or other organizational reminders RG 5 83 Rev 2 Page 16 D IMPLEMENTATION The purpose of this section is to provide information on how applicants and licensees1 may use this guide and information regarding the NRC’s plans for using this regulatory guide In addition it describes how the NRC staff complies with 10 CFR 50 109 “Backfitting” and any applicable finality provisions in 10 CFR Part 52 “Licenses Certifications and Approvals for Nuclear Power Plants ” Use by Applicants and Licensees Applicants and licensees may voluntarily2 use the guidance in this document to demonstrate compliance with the underlying NRC regulations Methods or solutions that differ from those described in this regulatory guide may be deemed acceptable if they provide sufficient basis and information for the NRC staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations Current licensees may continue to use guidance the NRC found acceptable for complying with the identified regulations as long as their current licensing basis remains unchanged Licensees may use the information in this regulatory guide for actions which do not require NRC review and approval such as changes to a facility design under 10 CFR 50 59 “Changes Tests and Experiments ” Licensees may use the information in this regulatory guide or applicable parts to resolve regulatory or inspection issues Use by NRC Staff The NRC staff does not intend or approve any imposition or backfitting of the guidance in this regulatory guide The NRC staff does not expect any existing licensee to use or commit to using the guidance in this regulatory guide unless the licensee makes a change to its licensing basis The NRC staff does not expect or plan to request licensees to voluntarily adopt this regulatory guide to resolve a generic regulatory issue The NRC staff does not expect or plan to initiate NRC regulatory action which would require the use of this regulatory guide Examples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the regulatory guide requests for information under 10 CFR 50 54 f as to whether a licensee intends to commit to use of this regulatory guide generic communication or promulgation of a rule requiring the use of this regulatory guide without further backfit consideration During regulatory discussions on plant specific operational issues the staff may discuss with licensees various actions consistent with staff positions in this regulatory guide as one acceptable means of meeting the underlying NRC regulatory requirement Such discussions would not ordinarily be considered backfitting even if prior versions of this regulatory guide are part of the licensing basis of the facility However unless this regulatory guide is part of the licensing basis for a facility the staff may not represent to the licensee that the licensee’s failure to comply with the positions in this regulatory guide constitutes a violation If an existing licensee voluntarily seeks a license amendment or change and 1 the NRC staff’s consideration of the request involves a regulatory issue directly relevant to this new or revised regulatory guide and 2 the specific subject matter of this regulatory guide is an essential consideration in the staff’s 1 In this section “licensees” refers to licensees of nuclear power plants under 10 CFR Parts 50 and 52 and the term “applicants ” refers to applicants for licenses and permits for or relating to nuclear power plants under 10 CFR Parts 50 and 52 and applicants for standard design approvals and standard design certifications under 10 CFR Part 52 2 In this section “voluntary” and “voluntarily” means that the licensee is seeking the action of its own accord without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action RG 5 83 Rev 2 Page 17 determination of the acceptability of the licensee’s request then the staff may request that the licensee either follow the guidance in this regulatory guide or provide an equivalent alternative process that demonstrates compliance with the underlying NRC regulatory requirements This is not considered backfitting as defined in 10 CFR 50 109 a 1 or a violation of any of the issue finality provisions in 10 CFR Part 52 Additionally an existing applicant may be required to comply with new rules orders or guidance if 10 CFR 50 109 a 3 applies If a licensee believes that the NRC is either using this regulatory guide or requesting or requiring the licensee to implement the methods or processes in this regulatory guide in a manner inconsistent with the discussion in this Implementation section then the licensee may file a backfit appeal with the NRC in accordance with the guidance in NUREG-1409 “Backfitting Guidelines ” Ref 8 and the NRC Management Directive 8 4 “Management of Facility-Specific Backfitting and Information Collection” Ref 9 RG 5 83 Rev 2 Page 18 GLOSSARY This glossary is intended to aid the reader in implementing this guide to meet the requirements set forth in 10 CFR 73 77 Definitions for certain security terms are also found in 10 CFR 73 2 “Definitions” Access control The control of entry or use to all or part of any physical functional or logical component of a CDA Adverse impact A direct deleterious effect on a CDA e g loss or impairment of function reduction in reliability reduction in the ability to detect delay assess or respond to malevolent activities reduction of ability to call for or communicate with offsite assistance and the reduction in emergency response ability to implement appropriate protective measures in the event of a radiological emergency In the case where the direct or indirect compromise of a support system causes a safety-related important-to-safety security or emergency preparedness system or support system to actuate or “fail safe” and not result in radiological sabotage i e causes the system to actuate properly in response to established parameters and thresholds this is not considered to be an adverse impact in the context of 10 CFR 73 54 a Compromise Loss of confidentiality integrity or availability of data or system function Critical digital asset CDA A subcomponent of a critical system that consists of or contains a digital device computer or communication system or network Critical system CS An analog or digital technology based system in or outside of the plant that performs or is associated with a safety-related important-to-safety security or emergency preparedness function These critical systems include but are not limited to plant systems equipment communication systems networks offsite communications or support systems or equipment that perform or are associated with a safety-related important-to-safety security or emergency preparedness function Cyber attack The manifestation of either physical or logical i e electronic or digital threats against computers communication systems or networks that may 1 originate from either inside or outside the licensee’s facility 2 have internal and external components 3 involve physical or logical threats 4 be directed or non-directed in nature 5 be conducted by threat agents having either malicious or non-malicious intent and 6 have the potential to result in direct or indirect adverse effects or consequences to critical digital assets or critical systems This includes attempts to gain unauthorized access to a CDA and or CS’s services resources or information the attempt to compromise a CDA and or CS’s integrity availability or confidentiality or the attempt to cause an adverse impact to a SSEP function Further background on cyber attacks which are up to and including DBT can be found in Sections 1 1 c 1 2 and 1 5 of Regulatory Guide 5 69 and the cyber attack may occur individually or in any combination Integrity Quality of a system reflecting the logical correctness and reliability of the operation of the system the logical completeness of the hardware and software implementing the protection mechanisms and the consistency of the data structures and occurrence of the stored data Additionally integrity includes protection against unauthorized modification or destruction of information Interruption of A departure from normal operations or conditions that if accomplished would result RG 5 83 Rev 2 Page 19 normal operation in a challenge to the facility’s safety security or emergency response systems This may also include an event that causes a significant redistribution of security safety or emergency response resources This could include intentional tampering with systems or equipment that is normally in a standby mode but would need to operate if called upon in an abnormal or emergency situation Section 236 of the AEA 42 U S C Section 2284 treats as sabotage the knowing interruption of normal operation of any such facility through the unauthorized use of or tampering with the machinery components or controls of any such facility or attempting or conspiring to carry out such an act Malware Malicious software designed to infiltrate or damage a CDA CS or protected network without licensee consent Malware includes computer viruses worms Trojan horses Root kits spyware adware and other potentially unwanted programs Mobile code Programs or parts of programs obtained from remote control systems transmitted across a network and executed on a local system without explicit installation or execution by the recipient Patch A fix for a CDA or software program where the actual binary executable and related files are modified Protected network A network that is air gapped or behind a data diode that contains one or more CDAs Recovery Steps taken to restore a system function or device to its original state of operation following a catastrophic or partial loss of functionality or when an original state of operation is challenged by either an event such as a cyber attack or anomaly behavior not expected from normal operation Social engineering Attempts by unauthorized individuals to gain physical or electronic e g password access to systems via impersonation of authorized functions or personnel techniques Tampering Cyber Altering disabling or damaging digital computer and communications systems and networks or cyber security controls for improper purposes or in an improper manner RG 5 83 Rev 2 Page 20 REFERENCES3 1 U S Code of Federal Regulations CFR “Physical Protection of Plants and Materials ” Part 73 Chapter 1 Title 10 “Energy” 2 CFR “Domestic Licensing of Production and Utilization Facilities ” Part 50 Chapter 1 Title 10 “Energy” 3 NRC Regulatory Guide RG 5 69 “Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design Development and Implementation of a Physical Security Program that Meets 10 CFR 73 55 Requirements ” Washington DC 4 U S Homeland Security’s “Terrorist Threats to the U S Homeland Reporting Guide for Critical Infrastructure and Key Resource Owners and Operators ” dated January 24 2005 ADAMS No ML112280232 5 NRC SRM-10-0001 Regulation of Cyber Security at Nuclear Power Plants Washington DC October 21 2010 ADAMS No ML102940009 6 Executive Order 13526 “Classified National Security Information ” dated December 29 2009 published December 29 2009 75 FR 707 7 CFR “Facility Security Clearance and Safeguarding of National Security Information and Restricted Data ” Part 95 Chapter 1 Title 10 “Energy” 8 U S Nuclear Regulatory Commission Backfitting Guidelines NUREG-1409 Washington DC June 1990 ADAMS No ML 032230247 9 NRC Management Directive 8 4 Management of Facility Specific Backfitting and Information Collection U S Nuclear Regulatory Commission Washington DC 3 Publicly available NRC published documents are available electronically through the NRC Library on the NRC’s public Web site at http www nrc gov reading-rm doc-collections and through the NRC’s Agencywide Documents Access and Management System ADAMS at http www nrc gov reading-rm adams html The documents can also be viewed online or printed for a fee in the NRC’s Public Document Room PDR at 11555 Rockville Pike Rockville MD For problems with ADAMS contact the PDR staff at 301-415-4737 or 800 397-4209 fax 301 415-3548 or email pdr resource@nrc gov RG 5 83 Rev 2 Page 21