OSTI.GOV, U.S. Department of Energy
Office of Scientific and Technical Information

Title: A PROVEN APPROACH FOR EFFECTIVE COMPUTER SECURITY SELF-ASSESSMENTS AT NUCLEAR FACILITIES

Conference
OSTI ID:1604145

A proven method for conducting cybersecurity self-assessments at nuclear power plants is now available for international use. This method was originally developed by Pacific Northwest National Laboratory, under the sponsorship of the U.S. Nuclear Regulatory Commission (NRC), for use at U.S. nuclear power plants. The “Method,” described in NUREG/CR-6847 “Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants,” was originally a limited release document that was withheld from public disclosure but is now publicly available. The Method provides a systematic, phased, and risk-informed approach to help decision makers and security specialists understand their relative cybersecurity posture. Completed Method assessments may be used to support or validate selection of computer security controls to mitigate cyber threats as well as demonstrate compliance with regulations or statutes enacted by competent authorities. The Method assesses the cybersecurity posture of key systems at a nuclear facility with a focus on protection of design base functions. It considers both physical and digital elements of system vulnerabilities and the resulting potential consequences from exploitation. It is well-suited for addressing blended cyberattacks. A semi-quantitative analytical approach is used in the evaluation of potential vulnerabilities, consequences, and risks and provides a technical basis for the selection of security controls to mitigate cyberattacks. The Method’s application at U.S. nuclear power plants has been very encouraging. The only nuclear plant in the United States that did not have adverse findings during its initial NRC computer security inspection prepared for inspection through the diligent application of this self-assessment method and the implementation of recommendations that came out of that self-assessment. 
Nuclear facilities around the world might find application of the Method extremely helpful for making cost-effective, risk-based decisions regarding computer security and for preparing to pass computer security inspections by their competent authorities.

Research Organization:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Organization:
USDOE
DOE Contract Number:
AC05-76RL01830
OSTI ID:
1604145
Report Number(s):
PNNL-SA-149277
Resource Relation:
Conference: IAEA International Conference on Nuclear Security (ICONS 2020), February 10-14, 2020, Vienna, Austria
Country of Publication:
Austria
Language:
English
