[Federal Register Volume 81, Number 105 (Wednesday, June 1, 2016)]
[Proposed Rules]
[Pages 34916-34919]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-12926]
�========================================================================
�Proposed Rules
� Federal Register
�________________________________________________________________________
�
�This section of the FEDERAL REGISTER contains notices to the public of
�the proposed issuance of rules and regulations. The purpose of these
�notices is to give interested persons an opportunity to participate in
�the rule making prior to the adoption of the final rules.
�
�========================================================================
�
��Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 /
Proposed Rules��
[[Page 34916]]
NUCLEAR REGULATORY COMMISSION
10 CFR Part 73
[Docket No. PRM-73-17; NRC-2013-0214]
Programmable Logic Computers in Nuclear Power Plant Control
Systems
AGENCY: Nuclear Regulatory Commission.
ACTION: Petition for rulemaking; denial.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is denying a
petition for rulemaking (PRM), filed by Mr. Alan Morris (petitioner) on
March 14, 2013, as supplemented most recently on December 19, 2013. The
petition was docketed by the NRC on February 7, 2014, and was assigned
Docket No. PRM-73-17. The petitioner requested that the NRC require
that his ``new-design programmable logic computers [PLCs]'' be
installed in the control systems of nuclear power plants to block
malware attacks on the industrial control systems of those facilities.
In addition, the petitioner requested that nuclear power plant staff be
trained ``in the programming and handling of the non-rewriteable
memories'' for nuclear power plants. The NRC is denying the petition
because the petitioner did not present any significant new information
or arguments that would support the requested changes, nor has he
demonstrated that a need exists for a new regulation requiring the
installation of his new-design PLCs in the control systems of NRC-
licensed nuclear power plants.
DATES: The docket for the petition for rulemaking PRM-73-17 is closed
on June 1, 2016.
ADDRESSES: Please refer to Docket ID NRC-2013-0214 when contacting the
NRC about the availability of information regarding this petition. You
may obtain publicly-available documents related to the petition using
any of the following methods:
Federal Rulemaking Web site: Go to http://www.regulations.gov and search for Docket ID NRC-2013-0214. Address
questions about NRC dockets to Carol Gallagher; telephone: 301-415-
3463; email: [email protected]. For technical questions, contact
the individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
NRC's Agencywide Documents Access and Management System
(ADAMS): You may obtain publicly-available documents online in the
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``ADAMS Public Documents'' and
then select ``Begin Web-based ADAMS Search.'' For problems with ADAMS,
please contact the NRC's Public Document Room (PDR) reference staff at
1-800-397-4209, 301-415-4737, or by email to [email protected]. The
ADAMS accession number for each document referenced in this document
(if that document is available in ADAMS) is provided the first time
that a document is referenced. In addition, for the convenience of the
reader, the ADAMS accession numbers are provided in a table in the
section of this document entitled, Availability of Documents.
NRC's PDR: You may examine and purchase copies of public
documents at the NRC's PDR, Room O1-F21, One White Flint North, 11555
Rockville Pike, Rockville, Maryland 20852.
FOR FURTHER INFORMATION CONTACT: Natreon Jordan, Office of Nuclear
Reactor Regulation, telephone: 301-415-7410, email:
[email protected], U.S. Nuclear Regulatory Commission, Washington,
DC 20555-0001.
SUPPLEMENTARY INFORMATION:
I. The Petition
Section 2.802 of title 10 of the Code of Federal Regulations (10
CFR), ``Petition for rulemaking,'' provides an opportunity for any
interested person to petition the Commission to issue, amend, or
rescind any regulation. A Sec. 2.802 petition was filed by the
petitioner on March 14, 2013, and was supplemented several times
through December 19, 2013. (ADAMS Accession No. ML14016A458). On
February 7, 2014 (79 FR 7406), the NRC published a notice of receipt of
PRM-73-17. The petitioner requested that the NRC amend its regulations
that protect digital computer and communication systems and networks.
The petitioner requested that the NRC specifically require that ``new-
design programmable logic computers,'' with his patented write-once,
read-many (WORM) media, be installed in the control systems of nuclear
power plants in order to ``block malware attacks on the industrial
control systems of those facilities.'' The petitioner also requested
that nuclear power plant staff ``be trained to maintain and secure
records of all memory programming,'' and recommended ``maintenance in
secure storage of programmed memories, as specified in this petition,
which may be again employed, as the control systems of critical
facilities are essentially steady-state.'' The petitioner stated that
the proposed action would ``[r]educe impact on quality of the natural
and social environments by stopping disastrous events at critical
facilities.''
The NRC staff sent a letter to the petitioner on June 12, 2014
(ADAMS Accession No. ML14120A006), asking the petitioner to provide
additional information. Staff specifically asked the petitioner:
To indicate the inadequacies that he identified in the
NRC's current regulatory approach (i.e., performance-based,
programmatic) and framework (i.e., NRC's cyber security rule at Sec.
73.54 and Regulatory Guide (RG) 5.71, ``Cyber Security Programs for
Nuclear Facilities'') that would be remedied by the proposed
rulemaking. Specifically, what cyber threat or vulnerability is not
addressed by the current NRC regulations and guidance?
If one of the PLCs with his patented WORM media has been
installed in any operating facility (nuclear or non-nuclear)? Are these
PLCs alone sufficient to protect against cyber threats? What other
cyber controls may be required at nuclear power plants if a PLC with
his patented WORM media is installed?
The petitioner responded to the NRC letter in a series of emails
dated June 18, 2014, and June 19, 2014. (ADAMS Accession Nos.
ML14181B296, ML14181B276, ML14181B286, and ML14181B270).
Based on the petition and the petitioner's responses to requests
for additional information, the NRC staff identified three issues
raised by the petitioner:
[[Page 34917]]
Issue 1: PLCs currently installed in U.S. nuclear power plants are
vulnerable to malware attacks that could negatively affect or challenge
plant safety and control systems. The petitioner stated that malware
can ``maliciously reprogram the re-writeable memories of the present
programmable logic computers'' in the control systems of nuclear power
plants.
Issue 2: By using the petitioner's patented PLC design, nuclear
power plant safety and control systems would be safe from malware
attacks.
Issue 3: Nuclear power plant staff should be trained to maintain
and secure records of all memory programming, and recommends
maintenance in secure storage of programmed memories that may be again
employed, as ``the control systems of critical facilities are
essentially steady-state.''
The NRC staff decided not to seek public comment on PRM-73-17
because no additional information was needed for the NRC staff's
evaluation of the petitioner's claim.
II. Reasons for Denial
The NRC is denying the petition because the petitioner did not
present any significant new information or arguments that would support
the requested changes, nor has he demonstrated a need for a new
requirement for his new-design of PLCs in nuclear power plant control
systems. This section provides detailed responses to the issues raised
in the petition.
Issue 1: PLCs that are currently installed in nuclear power plant
control systems are vulnerable to malware attacks that could negatively
affect or challenge plant safety and control systems.
NRC Response: The NRC disagrees with Issue 1 because the petitioner
does not take into account the comprehensive NRC cyber security program
requirements for nuclear power plants in Sec. 73.54. Section 73.54,
``Protection of digital computer and communication systems and
networks,'' which is known as the NRC's ``cyber security rule,''
requires licensees to protect digital systems in nuclear power plants
from cyber attacks. The cyber security rule presumes that any digital
system (including PLC designs) is vulnerable to various cyber attacks.
The regulations in Sec. 73.54 establish a series of performance-based
requirements to ensure that the functions of digital computers,
communication systems, and networks are protected from cyber attack. In
particular, Sec. 73.54(a)(1) requires nuclear power plant licensees to
protect digital computers, communications systems, and networks
associated with the following:
Safety-related and important-to-safety functions;
security functions;
emergency preparedness functions, including offsite
communications; and
support systems and equipment which, if compromised, would
adversely impact safety, security, or emergency preparedness (SSEP)
functions.
As required by Sec. Sec. 73.54(b)(2) and 73.55(b)(8), a nuclear
power plant licensee must establish, implement, and maintain a cyber
security program that protects any digital system, network, or
communication system associated with SSEP functions. Licensees are
required to submit their cyber security plans to NRC for review and
approval. Once approved, these plans become part of the licensee's
licensing basis, and compliance with the plans is evaluated by the NRC
during periodic inspections. Civil penalties may be imposed in the
event that licensees are found in violation of their approved cyber
security plans. The NRC-approved cyber security plans, which are
implemented through the licensee's cyber security programs,
significantly reduce the possibility that a PLC installed at a nuclear
power plant would be vulnerable to a malware attack that would
negatively impact or challenge the plant's safety and control systems.
The NRC inspects the implementation of the licensee's cyber security
programs, at specified intervals, to confirm that they are being
implemented in accordance with the NRC-approved cyber security plans.
To properly understand the petitioner's concerns, the NRC staff
asked the petitioner to indicate the inadequacies he had identified in
the NRC's current regulatory approach and framework that would be
remedied by the NRC's undertaking of his proposed action. The NRC staff
asked, specifically, ``What cyber threat or vulnerability is not
addressed by the current NRC regulations and guidance?'' The petitioner
stated ``the inadequacies in the NRC's current regulatory approach are
that the regulations do not address correction for the vulnerability to
corruption of the rewriteable PLC memories.'' The NRC staff disagrees
with the petitioner's assertion because the cyber security rule does,
in fact, require licensees to have the capability to detect, prevent,
respond to, mitigate, and recover from cyber attacks under Sec.
73.54(c)(2). To comply with this requirement, nuclear power plant
licensees must implement an overall site defensive strategy to protect
critical digital assets (CDAs) from cyber attacks, as well as
implementing operational and management security controls.
Issue 2: By using the petitioner's patented PLC design, nuclear
power plant safety and control systems would be safe from malware
attacks.
NRC Response: The NRC staff disagrees with Issue 2 because the
proposed vulnerability to malware attacks described in the petition is
already addressed in the current NRC regulations. In addition, the
``new-design'' PLCs recommended in the petition have not been proven to
offer protection from cyber attacks.
The approach recommended in the petition presumes that a ``one size
fits all'' solution would be adequate for the wide variety of
industrial control systems and safety systems used in nuclear power
plants. However, it does not take into account other attacks that could
be made (e.g., man-in-the-middle attacks where an attacker inserts
malicious commands between the PLC and the controlled devices). The
objective of the petitioner's PLC design, which was to correct a
proposed vulnerability (i.e., to ``block malware attacks on the
industrial control systems of those facilities''), is already
accomplished by the defense-in-depth strategy in the current regulatory
framework. As required by Sec. 73.54(c)(2), nuclear power plant
licensees must design their cyber security programs to apply and
maintain an integrated defense-in-depth protective strategy to ensure
that licensees have the capability to detect, prevent, respond to,
mitigate, and recover from cyber attacks. The approach used by nuclear
power plant licensees may vary in that NRC regulations are generally
not prescriptive, and allow licensees and applicants to propose
different methods for meeting the requirements. To comply with the
requirements in Sec. 73.54(c)(2), licensees must implement an overall
site defensive strategy to protect CDAs from cyber attacks as well as
implementing operational and management security controls.
Defense-in-depth strategies are a documented collection of
complementary and redundant security controls that establish multiple
layers of protection to safeguard CDAs. Under a defense-in-depth
strategy, the failure of a single protective strategy would not result
in the compromise of an SSEP function. One example of a defense-in-
depth strategy involves setting up multiple security boundaries to
protect CDAs and networks from cyber attack. In this way, multiple
protection levels must fail for a cyber attack to progress and impact a
critical system or network.
[[Page 34918]]
Even if a failure occurred (e.g., such as through a violation of
policy), or if a protection mechanism was bypassed (e.g., by a new
virus that is not yet identified as a cyber attack), other mechanisms
would still be in place to detect and respond to a cyber attack on a
CDA, to mitigate the impacts of the cyber attack, and to recover normal
operations of the CDA and its system before an adverse impact could
happen.
In addition to the fact that a need has not been justified for use
of the petitioner's new-design PLCs, the approach recommended in the
petition has not been proven by the petitioner to be effective in
preventing cyber attacks. Based on email correspondence, the petitioner
states that the proposed ``new-design programmable logic computers''
currently are not used in any facility (nuclear or otherwise). As such,
the petitioner was unable to present any evidence that his PLCs would
be effective in preventing cyber attacks. Furthermore, no information
was provided by the petitioner as to how the ``new-design programmable
logic computers'' would comply with the requirements in Sec. 73.54 for
use in the safety systems and control systems of a nuclear power plant.
Issue 3: Nuclear power plant licensee staff should be trained to
maintain and secure records of all memory programming, and recommends
maintenance in secure storage of programmed memories that may be again
employed, as ``the control systems of critical facilities are
essentially steady-state.''
NRC Response: The NRC staff disagrees with Issue 3 because the
petition does not take into account the awareness and training
requirements each nuclear power plant licensee must perform as part of
their comprehensive cyber security program as required in Sec. 73.54.
Under Sec. 73.54(d)(1), each licensee is required to ensure, as
part of its cyber security program, that appropriate facility
personnel, including contractors, are aware of the cyber security
requirements and receive the necessary training to perform their
assigned duties and responsibilities. As an example, licensees may
comply with the awareness and training requirements by performing the
following actions:
Develop, disseminate, and periodically review and update
the site cyber security training and awareness plan. This plan defines
the purpose, scope, roles, responsibilities, and management commitment
to provide high assurance that individuals have received training to
properly perform their job functions;
Perform gap analyses in areas where additional training is
needed in cyber security;
Establish measures to determine whether cyber security
policies and procedures are being followed, and if not, determine
whether a training or awareness issue is the cause and develop measures
to be taken to correct the deficiency;
Develop, disseminate, and periodically review and update
procedures that are used to facilitate and maintain the cyber security
training and awareness program; and
Implement training and awareness security controls.
In addition, Sec. 73.54(d)(3) requires each nuclear power plant
licensee, as part of its cyber security program, to evaluate all
modifications to assets identified in Sec. 73.54(a)(1) (i.e. systems
with SSEP functions) before their implementation. This ensures that the
cyber security performance objectives are maintained. As stated above,
the NRC inspects licensee cyber security programs, at specified
intervals, to confirm that the programs are being implemented in
accordance with the NRC-approved cyber security plans.
III. Conclusion
The NRC has reviewed the petition and appreciates the concerns
raised by the petitioner. For the reasons described in Section II,
``Reasons for Denial,'' of this document, the NRC is denying the
petition under Sec. 2.802. The petitioner did not present any
significant new information or arguments, as part of this petition,
that would support the requested changes, nor has the petitioner
demonstrated that a need exists for a new provision requiring use of
the petitioner's new-design PLCs.
IV. Availability of Documents
The documents identified in the following table are available to
interested persons as indicated. For more information on accessing
ADAMS, see the ADDRESSES section of this document.
------------------------------------------------------------------------
ADAMS
Accession
number/
Date Document Federal
Register
citation
------------------------------------------------------------------------
January 2010................... Regulatory Guide 5.71; ML090340159
``Cyber Security
Programs for Nuclear
Facilities''.
March 14, 2013, as supplemented Petition for Rulemaking ML14016A458
through December 19, 2013. from Mr. Alan Morris
Regarding Programmable
Logic Computers in
Nuclear Power Plant
Control Systems.
January 27, 2014............... Letter to Petitioner ML13308A385
Enclosing Federal
Register Notice--
Receipt of Petition
for Rulemaking.
February 7, 2014............... Federal Register 79 FR 7406
Notice--Receipt of
Petition for
Rulemaking.
June 12, 2014.................. Letter to Petitioner; ML14120A006
``PRM-73-17 Cyber
Malware Attacks on
Programmable Logic
Computers''.
June 18, 2014.................. E-mail from Petitioner; ML14181B296
``PRM-73-17''.
June 18, 2014.................. E-mail from Petitioner; ML14181B276
``RE: PRM-73-17''.
June 18, 2014.................. E-mail from Petitioner; ML14181B286
``RE: PRM-73-17''.
June 19, 2014.................. E-mail from Petitioner; ML14181B270
``RE: PRM-73-17''.
------------------------------------------------------------------------
[[Page 34919]]
Dated at Rockville, Maryland, this 25th day of May, 2016.
For the Nuclear Regulatory Commission.
Annette L. Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2016-12926 Filed 5-31-16; 8:45 am]
BILLING CODE 7590-01-P