From: Joe Weiss
To: RulemakingComments Resource
Cc: Beall, Robert; Westreich, Barry; Felts, Russell; [email protected]; McDermott, Brian; Satorius, Mark; [email protected]; CMRSVINICKI Resource; CMROSTENDORFF Resource; CHAIRMAN Resource; CMRBARAN Resource; CMRBURNS Resource; Morris, Scott; Michael Hermann; Michael Branson; McKenna William (HSGAC)
Subject: Response to Rulemaking - Docket NRC-2014-0165 - Cyber Security
Date: Monday, November 24, 2014 4:00:21 PM
Attachments: ACS response to NRC cyber rulemaking 11-24-14.pdf

Enclosed is my response to the rulemaking on Protection of Digital Computer and Communication Systems and Networks (Docket NRC-2014-0165). I find it unconscionable that with the plethora of cyber threats and malware being unleashed against control systems that NEI would want to have the nuclear utilities reduce their vigilance of cyber security threats to nuclear power plants.

Under contract to the Pacific Northwest National Laboratory, I supported the NRC on the development of Regulatory Guide 5.71. I am also a designated US expert to IEC TC45A - Nuclear Plant Cyber Security, the Managing Director of ISA 67 (Nuclear Plant Standards) and ISA99 (Control System Cyber Security). December 2nd I am giving a lecture on Industrial Control Systems (ICS) Cyber Risk and December 9th on ICS Cyber Forensics at the Fraunhofer Institute in Darmstadt, Germany. I have been invited to participate and give a presentation December 8th in Vienna at the IAEA Technical Meeting on Computer Security Topical Area Awareness for Nuclear Facilities. I have also been invited to give a lecture at the Air Force Institute of Technology December 16th.

Based on ACTUAL cyber attacks (e.g., Stuxnet), detailed cyber assessments of specific international plants, and newly identified control system cyber vulnerabilities, the existing Rule and Regulatory Guide 5.71 are NOT adequate to assure the security and safety of nuclear power plants. Consequently, not only should the NEI request be denied, but NRC should reassess the adequacy of 73.54 and the NRC approach. The specific details and recommendations are identified in my attached response.

Respectfully,
Joe Weiss

Joe Weiss PE, CISM, CRISC, ISA Fellow, IEEE Senior Member
Applied Control Solutions, LLC
(408) 253-7934
(408) 253-7974 Fax
(408) 832-5396 Cell
[email protected]
www.realtimeacs.com
blog site: www.controlglobal.com/unfettered
Book URL: http://www.momentumpress.net/books/protecting-industrial-control-systems-electronic-threats

This message (with attachments) may be privileged, confidential, or proprietary. If you are not the intended recipient, please notify the sender and delete it. Do not use it or share it.

Joe Weiss RulemakingComments Resource · Comment (01) of Joe Weiss on behalf of Applied Control Solutions regarding PRM-73-18 - Protection of Digital Computer and Communication Systems

May 17, 2020

PRM-73-18, 79 FR 56525