Nuclear power plants (NPP) in the US who are subject to NEI 08-09 are required to adopt Addendum 1 Markup in their Cyber Security Plans. We’ve released an update for it in our Cyberwiz-Pro application for nuclear cyber security management. The addendum is a revision to the NEI 08-09 Rev 6, mainly affecting Appendix A, D & E of the original document. So, what is the impact of the addendum? More than 44 (bullet points) controls have changed in addition to changes to language found in the Cyber Security Plan Template (Appendix A). When you start looking at how this translates to the Appendix D & E Security Controls (bullet points) about 20 controls have been removed, 19 have been added, and there are text changes to about 5. For example, below is an excerpt of some of the changes to Appendix D 1.2 Account Management:
So how do these changes impact NPPs? To fully address the current full version of NEI 08-09, the Addendum changes must be factored into the plant’s Cyber Security Plan and ultimately the Critical Digital Assets (CDA) assessments process. This becomes a challenge when modifying site procedures, modifying assessment processes, storing, tracking and preserving historical records. These challenges then become even more dependent on the database utilized for managing the Cyber Security Program and CDA assessments. To manage the activities and address the process level changes without a proper tool can prove to be an arduous task. In other words, utilities need to be concerned with how the text changes, control additions, and deletions impact their existing program and assessments and how they will be addressed now and going forward. The importance of revision control and historical record retention becomes that much more heightened especially as sites are going through Milestone 8 inspections or have them rapidly approaching.
CYBERWIZ-PRO incorporates all the Addendum changes, streamlines the assessment process for the new additions as well as cleans up existing assessments including maintain all historical and baseline assessment data. CYBERWIZ-PRO has already gone through many revisions to NEI 13-10 and the updated application delivers a straightforward way to incorporate the changes, using the built-in automation features. It is safe to assume that this will not be the last of the changes expected to support the US Nuclear Cyber Security Programs’.
Want to read more and see the marked-up version of the Addendum? You can read about it on the NRC’s website here.
NPPs are using CYBERWIZ-PRO from WizNucleus to gain control of their NEI 08-09 Cyber Security Program and remain compliant. It is a purpose-built application that helps reduce the overall cost of sustaining a nuclear plant’s NEI 08-09 cybersecurity program. NPPs can ensure comprehensive fleet-wide consistency, accuracy and centrally manage a variety of life cycle security management activities, including Critical Digital Asset (CDA) assessments and CSAT approvals, with integrated configuration management.