Friday News and Notes
- Microsoft announced they will be releasing tools to help software vendors with the Security Development Lifecycle including the SDL Threat Modeling Tool, the SDL Optimization Model, and the SDL Pro Network. Read an interview with past S4 keynote, Microsoft’s Steve Lipner.
- The US House had another hearing on cyber security. This time on the job that DHS was doing and related to a GAO report, DHS Faces Challenges in Establishing a Comprehensive National Capability. I have a hard time siding with Congress or the GAO reports they charter on these cyber security issues. The problems are hard, the Congress lacks the time and background to understand the issues, and it is too easy to grandstand on an issue like this. Listening to Congressional pronouncements on these topics makes me more rather than less nervous.
- ISA Expo is on for Houston next month – even after the problems Hurricane Ike has caused Houston. ISA99 will have working meetings during ISA Expo.
- FERC is trying to determine if nuclear power plants not subject to NRC regulation must comply with the NERC CIP’s. I’m not sure how many plants fall into this current regulatory hole.
Author: Dale Peterson
Posted: September 19th, 2008 under Uncategorized.
Comments: 2
Comments
Comment from Orlando Stevenson
Time: September 20, 2008, 4:23 pm
To be clear, FERC is apparently concerned about nuclear plants having sufficient regulatory attention to continuity of power with NRC oversight alone. NRC’s focus is safe operation of such facilities, including a myriad of supporting plant specific programs undergoing ongoing scrutiny – with cyber security program a newer addition leveraging and being integrated into the program mix. This is shaping up to having “two masters” for the industry and non-trivial complications – especially with cyber security – that will need to be worked out.
Comment from Michael Toecker
Time: September 22, 2008, 12:19 pm
The statement regarding FERC and the NRC needs a little clarification. The issue is not whether *nuclear power plants* not subject to NRC regulations must comply with CIP (all commercial nuclear power plants are subject in one way or another to NRC oversight), but that specific *systems* within the nuclear plant may not be subject to NRC oversight.
Quick background and not-all-inclusive blanket statement: A nuke plant is similar to a coal-fired power plant in that the fossil plant uses a boiler to generate steam and a nuclear reactor uses uranium fuel rods. The nuclear reactor can be viewed as a black box, with certain designed inputs and outputs. That black box, with its included systems, is governed by NRC due to the safety and security necessary around nuclear materials. Outside that black box, that’s the area FERC and NRC are attempting to determine.
The issue is what is being done with the systems outside the black box, the non-nuclear side as plant personnel call it. If these systems were essential to the reliable operation of the plant, they would need to be protected from a CIP perspective.
These non-nuclear systems might be under the control of the control system that is monitoring the reactor (and could fall under the NRC umbrella), or these systems could have their own separate control system (falling under the NERC CIP umbrella).
Mike Toecker