NEI 13-10 Revision 4 and the CDA Assessment Challenge

Nuclear plants have thousands of Critical Digital Assets (CDAs), but not all are operational safety-related assets. The Nuclear Energy Institute’s NEI 13-10 is an effort to reduce the workload associated with Cyber Security Assessment. NEI 13-10 is a guidance document that allows Licensees to group CDAs as Direct, EP or Indirect based on the importance of a CDA to a plant’s safety operation and emergency planning. NEI 13-10 Revision 4 expands on the previous revisions.

  • NEI 13-10 Rev. 1 introduced the grouping of CDAs using a Consequence Assessment template, and it incorporated examples and templates for deciding the application of security controls based on the CDA classification. This classification is determined by performing a Consequence Assessment.
  • NEI 13-10 Rev. 2 added Section 6, “Cyber Security Control Assessment of Direct CDAs”; this enabled Licensees to address a smaller set of NEI 08-09 controls for Direct CDAs that fit into the defined classes.
  • NEI 13-10 Rev. 3 expanded on the previous two releases and incorporated some lessons learned, among other things.
  • NEI 13-10 Rev. 4 added further guidance and classes in Appendix D to enhance the existing grouping and type assessment guidance.

NEI 13-10 provides important guidance for streamlining the control application process. Not only will it assist in reducing the initial assessment burden for certain CDAs, but it may also reduce the remediation efforts for devices that are no longer classified as Direct CDAs. However, the plants are still required to identify, document and assess all CDAs, and with many of the CDAs still categorized as Direct, some cases will result in millions of assessment decision points! There are many streamlining techniques Licensees may use to reduce the input, such as the application of common controls, inheritance, type assessment (batching, as in WizNucleus Cyberwiz-Pro) and others. But what is needed is a way to extend the type assessment concept from NEI 13-10 to all the CDAs. Currently, the type assessment and classes in NEI 13-10 can be applied only to a small set of CDAs. Expanding the NEI 13-10 type assessment to all the CDAs would help Licensees create a sustainable program that can easily address standard changes, personnel changes, repeat assessments, audit reporting and more.

CWP enables application of the type assessment techniques for all the CDAs, smartly accounting for their uniqueness and differences while taking full advantage of all the similarities among even the most complex and configurable set of CDAs.