Cyber-Security Rulemaking for Fuel Cycle Facilities

In 2014, the U.S. Nuclear Regulatory Commission (NRC) staff issued SECY 14-0147, "Cyber Security for Fuel Cycle Facilities," dated December 30, 2014 (Note: this document is not publicly available because it contains sensitive, security-related information). In SECY-14-0147, the NRC staff concluded that cyber security requirements for fuel cycle facility licensees need to be addressed because of: (1) an increasing and persistent cyber security threat; (2) the potential exploitation of vulnerabilities through a variety of attack vectors; (3) the inherent difficulty of detecting the compromise of digital assets; and (4) the potential consequences associated with a cyber attack. In the staff requirements memorandum (SRM) to SECY 14-0147, "Staff Requirements – SECY 14 0147 – Cyber Security for Fuel Cycle Facilities," dated March 24, 2015, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of digital assets and a graded, consequence based approach to their protection.

The NRC is developing a proposed rule to establish new cyber security regulations in Part 73 of Title 10 of the Code of Federal Regulations (10 CFR), "Physical Protection of Plants and Materials," for fuel cycle facilities. This proposed rule would add one new section in 10 CFR 73.53, "Cyber Security for Fuel Cycle Facilities" and make conforming changes to 10 CFR parts 40 (10 CFR 40.31 and 40.35), 70 (10 CFR 70.22 and 70.32) and 73 (10 CFR 73.8 and 73.46). The proposed requirements of this new section would apply to each applicant or licensee subject to the requirements 10 CFR Part 70, "Domestic Licensing of Special Nuclear Material," Supbart H, "Additional Requirements for Certain Licensees Authorized To Possess a Critical Mass of Special Nuclear Material." The proposed rule would also apply to each fuel cycle applicant or licensee of a uranium hexafluoride conversion or deconversion facility licensed under 10 CFR Part 40, "Domestic Licensing of Source Material." The proposed rule would require these licensees to develop and maintain a cyber security program consistent with the new regulations.

For more information, please see the following topics on this page:

• Background
• Status of Rulemaking
• Public Involvement
• Public Meetings and Materials

Background

In recent years, the threat of cyber attacks has steadily risen, both globally and nationally. The U.S. Government has observed an increase in: (1) the number of cyber attacks; (2) the level of sophistication of such attacks; (3) the potential of these attacks to impact numerous digital assets, including digital assets at fuel cycle facilities; and (4) the emergence of these attacks to produce kinetic effects. Additionally, these attacks can be conducted anonymously from remote locations throughout the world.

In response to the terrorist attacks of September 11, 2001, the NRC issued a series of security orders, including Interim Compensatory Measures (ICM) Orders issued to fuel cycle facility licensees in 2002 and 2003 which contained a generic cyber security measure. The ICM orders lacked guidance on implementation of the generic cyber security measure, focusing on computer systems that conduct and maintain communications during emergency response actions.

In 2007, the Commission promulgated a rulemaking entitled, "Design Basis Threat" (72 Federal Register [FR] 12705), which required licensees to protect against acts of radiological sabotage and to prevent theft or diversion of special nuclear material. The rulemaking included a requirement for licensees to consider a cyber security threat as an element of the design basis threats (DBTs), but no specific guidance was provided.

In March 2009, the NRC further addressed cyber security for power reactors in a stand-alone section in 10 CFR 73.54. The development of associated guidance for implementing the requirements in 10 CFR 73.54 resulted in the publication of RG 5.71, "Cyber Security Programs for Nuclear Facilities."

In June 2012, the NRC staff completed SECY-12-0088, "The Nuclear Regulatory Commission Cyber Security Roadmap," which established the NRC staff’s approach for evaluating the need for cyber security requirements for the following four categories of NRC licensees and facilities: (1) fuel cycle facilities, (2) non-power reactors, (3) independent spent fuel storage installations, and (4) byproduct materials licensees.

In 2014, the NRC staff sought Commission approval to implement additional cyber security requirements for fuel cycle facilities. In the SRM to SECY-14-0147, the Commission directed the NRC staff to proceed directly with a cyber security rulemaking to apply a disciplined, graded approach to the identification of vital digital assets and a graded, consequence-based approach to their protection.

Status of Rulemaking

Projected Schedule

Following the Commissions issuance of the SRM to SECY-14-0147, the following milestone dates were established and are being tracked by SECY.

Metric Deadlines for Fuel Cycle Cyber Security Proposed Rulemaking

Interactions with the Advisory Committee on Reactor Safeguards (ACRS)

As part of the proposed rule development, the NRC staff briefed the Digital Instrumentation and Control Systems sub-committee of the Advisory Committee on Reactor Safeguards (ACRS) on the draft version of the proposed rule and related draft regulatory guide. The November 2, 2016 meeting was open to the public and a transcript of the meeting is available. A follow-up briefing was provided to the ACRS DI&C sub-committee on February 23, 2017 and a transcript is available for the public portion of the meeting. Additional information on ACRS-related meetings are available on the NRC public website under "Advisory Committee on Reactor Safeguards Document Collections".

Public Involvement

The NRC has a long-standing practice of conducting regulatory activities in an open manner. Rulemaking documents are available to the public on the Federal Government’s Regulations website under docket number NRC-2015-0179. The Part 73.53 cyber security rulemaking effort is also tracked under the Cumulative Effects of Regulation (CER) website. The NRC staff maintains the status of proposed regulatory actions on the CER Integrated Schedule which is updated quarterly. The NRC staff also conducts periodic public meetings as part of CER to inform industry and the public on the status of regulatory activities.

The NRC staff will seek comments on the proposed rule and proposed regulatory guide once they are made available for public comment in the Federal Register (FR), subject to Commission approval.  The NRC staff typically holds a public meeting during the comment period to facilitate sharing of comments on the proposed rule and related guidance.

For general information about the available opportunities for public involvement in NRC activities, see Public Meetings and Involvement, Hearing Opportunities and License Applications, and NUREG/BR-0215, "Public Involvement in the Regulatory Process." For other security-related meetings, please see Public Meetings on Nuclear Security and Safeguards.

Public Meetings and Materials

The NRC staff have held a number of public meetings to discuss agency activities related to the cyber-security initiative for fuel cycle facilities. Documents associated with these meetings are available below.