Already on NEI 13-10 Revision 4? Read about that here.
The target date for submittal to the NRC for endorsement for NEI 13-10 Rev. 3 is September 30th. The expected roll out to the industry is in November followed by implantation workshops in Q1 of 2016. Some of the biggest challenges that come with waiting for updated Requirements are: the slowing of assessment progress at your site, the uneasiness and effort of dealing with all the procedural changes, and the decision on how to interpret and implement those new requirements.
The latest revision of 13-10, specifically section 6, intends to cover all limited capability CDAs and while also limiting the number of controls to be addressed incorporating some examples of how you implement controls. The document breaks down limited capability devices by Class or in other words, separate groupings or bins. The challenge is that some of these classes appear to be close together making the procedural aspect of correctly sorting devices a challenge.
The major points of assessment concerns for the Class A.2 group highlighted at NITSL are:
- The current proposed guidance will result in physical security protections for CDAs that differs from how licensees currently protect other plant equipment.
- Attack vector analyses for the SS and BoP applications yields different assessments for the same CDA; this does not support goal of guidance that produces consistent repeatable results.
Fortunately there are some ways to minimize the issues of different assessment results for the same CDAs while keeping procedural changes to a minimum and that is using a solution that is built for the job. For example, Cyberwiz-Pro from WizNucleus allows users to define in the software specific classes, like the A.2 group above, automating input decisions while maintaining all assessment records specific to an individual device.
Staying on top of the ever changing cyber security standards is a tremendous job and in the end you need a company that is in it for the long haul.