Development of an Approach for the Creation of a Cyber Security Program for Fuel Cycle Facilities regulated by the Nuclear Regulatory Commission

In March 2009, the Nuclear Regulatory Commission (NRC) established a cyber security rule for nuclear power plants, 10 CFR 73.54. This rule is a performance based approach for the protection of digital computer and communications systems for protection against a cyber attack. The NRC is currently in the process of developing a regulatory approach to cyber security at fuel cycle facilities. Fuel cycle facilities with Category I quantities of special nuclear material must protect against cyber attacks as part of the design basis threat. Other fuel cycle facilities do not have this regulation. The fuel cycle licensees were asked to provide information on the current status of their cyber security programs, especially in the context of critical functions: safety, physical security, emergency preparedness, material control and accountability, and information security. NRC staff is working closely with licenseesto determine the path forward for cyber security of fuel cycle facilities. Current topics of discussion include the establishment of a consequence threshold and identifying the specific cyber threat to fuel cycle facilities. The NRC is considering the issuance of orders, as appropriate, followed by the development of specific cyber security regulations.