Nuclear Regulatory Commission Cyber Security Requirements Richard Dahl

Nuclear Regulatory Commission
Cyber Security Requirements
Characteristics of a (High) Quality Cyber Security Program
Richard Dahl
Security, Compliance, & Risk
Black & Veatch
“The views expressed herein are my own.”
Richard Dahl
Security Management Professional with more than 21 years in Security
First 5 years as Counterintelligence Agent in US Army
Extensive technical experience
Consulting experience within many industries including
Bulk Electric
Nuclear Power
Security management methodology zealot
Passion for repeatable and consistent processes that produce high quality security
Security Management
Sounds like:
Security Management
Sounds like:
Security Management
Looks like:
Security Management
Looks like:
Characteristics of a Quality
Security Program
Provide a defined, consistent, methodology for
implementing and maintaining security standards.
Able to effectively communicate implementation
guidance for the standards within context.
Hold appropriate parties responsible for the
ownership, operation, and oversight of the
Impediments to Quality
1. Confusing control applicability
2. Inconsistent requirement granularity
3. Inconsistent understanding within organization
Impediment #1
Confusing application
“Cyber Security” appears to be technical issue, but...
Security Requirement
Organizations, Locations,
Networks, Personnel and
Information all require security
control implementation as well. Security is a business issue, not
an IT/OT issue!
Devices / Applications
Impediment #2
Inconsistent requirement granularity
Too Prescriptive (Too Hot)
Too Ambiguous (Too Cold)
Reasonable (Just Right)
Too Prescriptive
D 3.8
Trusted Path
This technical cyber security control configures CDAs
to use trusted communication paths between the
user and the security functions of CDAs, which
includes authentication and re-authentication, at a
Too Ambiguous
D 3.11 Transmission of Security Parameters
This technical cyber security control configures CDAs
to associate security parameters with information
exchanged between CDAs.
D 3.21 Fail in Known State
This cyber security control ensures the following:
CDAs fail in a state that ensures that SSEP functions
are not adversely impacted by the CDAs failure
Impediment #3
Inconsistent implementation within organization
What does D 3.3 mean to you?
D 3.3 Shared Resources
This technical cyber security control: Configures CDAs to
prevent unauthorized and unintended information transfer
via shared system resources.
Does it mean the same to a person...
Down the hall?
At the other plant?
In internal audit
The interpretation of the Standards is what always
happens... it is just not usually documented. Everyone who looks at the cyber security Requirements
interprets their meaning based on their own
understanding of security and their level of technical
competence. The real issue is whether the individual interpretations
are consistent with one another throughout the
Methodology Principles
Resource Based
The standards apply to various resource types
Attribute Informed
The standards are implemented based on
characteristics (attributes) of the resources
Objective Driven
The standards are designed to realize specific security
Resource Based
Resource Types
The types of “things” that the security standards will
actually be implemented on
Depends heavily on the NIST SP 800-53 defined
concept of control inheritance
The control is inheritable, i.e. the control is developed,
implemented, assessed, authorized, and monitored
by entities other than those responsible for the
systems or components [receiving protection]
Attribute Informed
Resource Attribute
Characteristics of a resource that will dictate where (upon which
resources) the security standards must be implemented
Characteristics of a resource that will dictate how (through what
implementing controls) the security standards will be implemented
Describe the following about a resource (with respect to application
of the security standards)
Who uses the resource
Where the resource is used
What the resource is
Why the resource is used
When the resource is used
How the resource is used
Attribute Informed
Attributes used to determine
A resource must be protected according to a particular
security program
Security Posture
Specific security controls will be applied to the resource in
order to meet the requirements of a specific security standard
Defined in a hierarchy to limit analysis
Child attributes need not be considered if parent is not applicable
Resource Attributes
Objective Driven
Security Objective
Purpose of the security standards and the related
consequence(s) of either not implementing the standard
or failure of the implementation
Provide visibility of relationships between standards
Ensures consistent application of security standards
High Quality Security Programs
Quality is achieved and maintained simply by the
execution of normal business activities
Personnel meet the Security Requirements simply by
doing their jobs.
Horizontal integration of security activities
Clearly defined Responsibilities for security activities
Methodology Applications
Risk Management
Ensures the security
posture is appropriate
Compliance Management
Ensures the security
posture is in-place
Vulnerability Management
Ensures the security
posture is functioning
Governance Management
Ensures the security
posture is managed
The impediments to a quality security program:
Confusing resource categories Inconsistent granularity of requirements
Inconsistent understanding within an organization
Can be mitigated through consistent application of
a resource-based, attribute-informed, objective
driven security management methodology
Thank You