Nuclear Cybersecurity Management–Transitioning from Project to Program-Spreadsheets to Database
With the Milestone 8 full implementation date here, nuclear power plants (NPPs) face a host of new challenges. Among those challenges is how they might go about validating their completed CDA assessments and sustaining their cybersecurity program. Regardless of their current state, they must ask themselves these important questions: What is our long-term strategy for managing our NEI 08-09 program, and how sustainable is that long-term strategy? In that regard, many NPPs are now realizing that it is time to transition from their project-based approach (spreadsheets or similar) to a program-based approach.
NPPs have worked hard to get to the Milestone 8 finish line. Many have rushed headlong into the process and completed the assessments using their spreadsheet approach and have generated piles of them! The necessity of this approach meant that considerations for long-term implementation strategy and methodology received lower priority than necessary. NPPs must maintain a strong cybersecurity program and remain compliant. With a mountain of spreadsheet assessments and silos of data, it only makes sense to consider implementing a strategic approach to manage all that data.
In working with our NPP customers to help them build a sustainable cybersecurity program by transitioning from their spreadsheet-based assessments or makeshift systems to a program-based approach, we have seen the following concerns come up:
Data Management — In a project-based approach, the main objective was to get through the assessments to meet the NRC deadline. That meant using a tool that was easily adaptable (Excel, Word, homegrown databases, etc.) and, as a result, little attention was paid to any future data management needs. However, when you’re dealing with a large amount of data generated from CDA assessments and the overall nuclear cybersecurity program, locating specific assessment data in a stack of spreadsheets becomes an extremely painful effort. Going forward, in many cases, engineering will own the program, and there will be nagging questions about knowledge transfer from the cybersecurity teams to the engineering teams. In addition, questions will arise about how to manage piles of spreadsheets containing unstructured and non-systematic data.
Validation — While spreadsheets played a useful role during the first round of assessments, validation of those spreadsheet assessments becomes critical, especially for NRC inspection. Without validation using the right tool, one that can work with the selected SCIS-based assessment methodology, serious logic errors from the manual assessments will go undetected, leading to exposure to inspection findings. The other advantage of validation, of course, is that it can be applied strategically to eliminate or reduce ongoing maintenance activities.
Revision Control — The ability to report on revision control history is another important requirement for the overall management of the program. You can imagine how difficult it is to achieve revision control using a bunch of spreadsheets. The information about who did what, when, and why they did it must be available at your fingertips at all times, and it must be clearly demonstrable. Proper revision control puts you in a position to defend your current implementation status, and it gives you the history of how you arrived at those decisions. As an added benefit, good revision control gives you the ability to revert to previous revisions whenever necessary and have that information available for reuse in future assessment decisions.
Consistency – Consistency in control assessment answers is extremely important. As much as possible, you need to standardize decisions for each control across the fleet. It’s virtually impossible to put in enough controls using spreadsheets to create that kind of consistency. Having the flexibility to incorporate approved decisions at the control level, across different strategic approaches, provides the structure needed to build consistency of input. With this level of control, the transition from the cyber teams to engineering becomes simplified, the time it takes to review and approve assessments gets significantly reduced, and the NPP’s defensible position with regulators becomes solidified.
Nuclear cybersecurity is here to stay, and the need for sustainable program management is continually increasing as the data from Milestone 8 continues to grow. As the plants become more and more digital, this problem is bound to become even more complicated. A bundle of spreadsheets with scattered data silos is not the answer going forward. Therefore, now more than ever, NPPs’ focus should be on building a program with the right processes, strategies, and tools for the future.