[iThome Article Sharing] How OPSWAT solutions can be used to protect critical infrastructure and reduce the risk of portable multimedia attacks.
Cybersecurity is of paramount importance to the nuclear energy industry, and stringent protective measures must be taken against a range of cyber threats, including PMMD (Portable Multimedia Device) attacks. Because many nuclear facilities operate in air-gapped environments, data transfer between facilities and terminal equipment typically relies on peripheral devices and portable media (such as USB flash drives and floppy disks).

The nuclear energy industry is highly regulated. The U.S. Nuclear Regulatory Commission (NRC) maintains comprehensive safety regulations in the Code of Federal Regulations (CFR). Title 10, Section 73.54 of the CFR (10 CFR 73.54) specifically addresses cybersecurity requirements for “digital computers and communications systems and networks”.

Cybersecurity architecture and regulations for nuclear energy facilities

To meet the high standards required for the cybersecurity of digital and communication systems, the Nuclear Energy Institute (NEI) has developed two guidance documents, NEI 08-09 and NEI 18-08. Both are consistent with 10 CFR 73.54, establish a robust cybersecurity foundation for nuclear facilities, and emphasize a risk-oriented approach to cybersecurity management.

CFR Section 73.54

This section establishes a security framework for nuclear materials and facilities, implementing stringent protection measures within nuclear facilities. It requires operators to deploy robust physical protection systems, ensure system integrity and redundancy, and implement strict access control procedures. This section adopts a comprehensive strategy, covering not only physical protection but also defense against malicious attacks from peripheral media such as USB drives, DVDs, and floppy disks.

NEI 08-09

NEI 08-09 provides a complete framework for establishing cybersecurity plans for nuclear reactors. Its content includes identifying critical digital assets (CDAs), preventing internal and external threats, and mitigating system vulnerabilities, including those introduced through portable and mobile media.

NEI 18-08

NEI 18-08 provides updated protection guidelines that keep pace with evolving cybersecurity standards. Because nuclear facilities often contain multiple air-gapped zones, and data transfer between these zones relies heavily on portable and mobile media, facilities must be equipped with scanning stations or scanning terminals (commonly known as kiosks).

This document focuses on blocking PMMD attack paths and provides guidance on how to mitigate the risks of such threats. It also covers risk-oriented management processes and protection strategies for new digital systems such as IoT devices.

Cybersecurity plans for nuclear energy facilities

To establish a compliant and effective cybersecurity plan, the following key elements should be incorporated:

Risk Identification

Risk identification is the first step in developing a cybersecurity plan and must cover both OT (Operational Technology) and IT (Information Technology) systems within the facility. Common risks include internal and external threats, potential hardware and software vulnerabilities, and threats introduced by peripheral devices and portable media.

Defense in Depth

NEI 08-09 indicates that cybersecurity plans should employ multi-layered defenses, such as restricting device use, protecting critical systems through network segregation, and conducting real-time monitoring and malware scanning.

Access Control

Only authorized personnel should be allowed to use portable media within secure areas, and unauthorized devices should be prohibited from accessing critical networks.

Strict Management of Peripheral Media Use Policies

In addition to establishing scanning stations, USB use should be limited to approved devices and monitored using endpoint protection software.

Device Isolation

Devices suspected of being infected or unauthorized must be isolated. Peripheral media used for maintenance should be removed before and after use to prevent cross-contamination. In addition to physical isolation, isolation can also be enforced through a NAC (Network Access Control) system.

Protecting Cloud Devices and Mobile Applications

Even in highly isolated environments, cloud-connected devices and mobile applications cannot always be avoided entirely. A Zero Trust architecture and access management policies can strengthen cybersecurity for these components.

PMMD attack path

In air-gapped environments, kiosks are frequent targets for attackers. The following are common PMMD attack paths that must be considered during cybersecurity planning:

**Kiosk Physical Access:** If attackers gain access to the underlying hardware or unprotected ports, the kiosk’s operating system and scanning software will be at risk.

**Wired Network Connection:** Even when deployed in isolated areas, kiosks are often maintained via wired connections, potentially becoming a conduit for malware injection.

**Wireless Network Connection:** Wireless connections are more easily intercepted and compromised by unauthorized users than wired connections.

**Removable Media Access:** Kiosk media ports need continuous monitoring to prevent misuse and to protect the scanning engine from tampering.

**Supply Chain Access:** In addition to post-deployment risks, attacks can occur during equipment manufacturing or delivery. Pre-installed malware is more covert and increases the difficulty of detection.

Protecting nuclear power plants from PMMD attacks

The following measures help prevent PMMD attacks and enhance nuclear facility cybersecurity:

  • Device control policies in OT environments: Implement strict device access policies for portable media and mobile devices in OT environments, allowing only approved devices to connect, and monitor them using solutions such as MetaDefender Endpoint™. Furthermore, organizations should enforce policies requiring the encryption of all portable media to protect data integrity in the event of device loss or theft.
  • Authorizing, monitoring, and controlling removable devices: Peripheral and mobile devices connected to the network must be authenticated before accessing critical networks. This procedure ensures that only fully scanned and secure devices can interact with facility systems. Solutions such as MetaDefender Kiosk™, featuring MetaDefender Media Firewall™ technology and available in various form factors for different locations, have proven effective in ensuring the security of data transfer operations at nuclear facilities.
  • Monitoring and auditing: Continuously monitoring device activity and comprehensively logging data transfers helps identify anomalous activity or unauthorized access attempts. Maintaining device connectivity logs also facilitates security audits.
  • Mandatory Scanning and Malware Detection: Mandatory scanning of all portable and mobile multimedia devices entering the facility is crucial, so that every device is checked for malware before network access is granted. In addition to fixed scanning stations, portable bare-metal scanners (such as MetaDefender Drive™) can detect hidden malware (such as rootkit infections) and help strengthen network security initiatives.
  • Cybersecurity Education and Awareness Enhancement: Strengthen employees’ awareness of the risks associated with portable multimedia use and provide ongoing training. NEI guidelines encourage educating employees about best practices, such as avoiding the use of unknown USB drives and ensuring personal devices are not connected to critical systems.
  • Emergency Response Planning: In the event of a PMMD incident, immediately initiate isolation procedures, notify the team, and begin system recovery operations.
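The measures above (approved-device allowlisting, mandatory scanning before network access, and logging of every transfer) are the logic a kiosk applies each time a device is presented. The following is an added illustration written for this article, not OPSWAT or MetaDefender code: it models a kiosk admission check in Python. The device identifiers, the allowed file types, the file contents and the "known-bad" hash are all constructed sample values; a real deployment would take the allowlist and the indicator set from the facility's device-control and threat-intelligence systems.

```python
"""Kiosk-style admission check for removable media (added illustration, not vendor code).

Applies three of the controls described above to a presented device:
  1. allow only approved devices (vendor id, product id, serial),
  2. scan every file before it is released to the facility network,
  3. write a structured audit record for each decision.
All devices, files and hashes here are constructed samples.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Approved removable devices. Constructed values; a real allowlist would come
# from the facility's device-control system.
APPROVED_DEVICES = {
    ("0x0781", "0x5583", "SN-MAINT-0001"),
    ("0x0951", "0x1666", "SN-MAINT-0002"),
}

# File types the (constructed) facility policy permits onto an OT network.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".hex"}

# Magic bytes used to catch executables renamed to a permitted extension.
EXECUTABLE_SIGNATURES = (b"MZ", b"\x7fELF")

# Known-bad SHA-256 hashes. Populated below from a constructed sample, not a
# real indicator of compromise.
KNOWN_BAD_SHA256: set = set()


@dataclass
class MediaFile:
    name: str
    content: bytes


@dataclass
class Device:
    vendor_id: str
    product_id: str
    serial: str
    files: list


@dataclass
class Verdict:
    admitted: bool
    reasons: list = field(default_factory=list)   # why the device was blocked
    audit_log: list = field(default_factory=list)  # one JSON line per event


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_file(f: MediaFile) -> list:
    """Return policy findings for one file; an empty list means clean."""
    findings = []
    ext = ("." + f.name.rsplit(".", 1)[1].lower()) if "." in f.name else ""
    if ext not in ALLOWED_EXTENSIONS:
        findings.append(f"{f.name}: extension {ext or '(none)'} not in allowlist")
    if f.content.startswith(EXECUTABLE_SIGNATURES):
        findings.append(f"{f.name}: executable header found in non-executable file")
    if sha256(f.content) in KNOWN_BAD_SHA256:
        findings.append(f"{f.name}: matches known-bad hash")
    return findings


def admit_device(dev: Device, operator: str) -> Verdict:
    """Apply the device allowlist, then mandatory scanning; log every step."""
    v = Verdict(admitted=False)
    key = (dev.vendor_id, dev.product_id, dev.serial)

    def log(event, **extra):
        v.audit_log.append(json.dumps(
            {"event": event, "operator": operator, "device": key, **extra},
            sort_keys=True))

    if key not in APPROVED_DEVICES:
        v.reasons.append("device not on approved list")
        log("device_rejected", reason=v.reasons[-1])
        return v  # unapproved devices are never scanned or mounted
    log("device_authorized")
    for f in dev.files:
        findings = scan_file(f)
        log("file_scanned", file=f.name, sha256=sha256(f.content), findings=findings)
        v.reasons.extend(findings)
    v.admitted = not v.reasons
    log("device_admitted" if v.admitted else "device_blocked", reasons=v.reasons)
    return v


# Constructed sample media presented to the kiosk.
CLEAN_DEVICE = Device("0x0781", "0x5583", "SN-MAINT-0001",
                      [MediaFile("firmware_notes.txt", b"rev 12: calibration complete\n")])
RENAMED_EXE = Device("0x0951", "0x1666", "SN-MAINT-0002",
                     [MediaFile("report.pdf", b"MZ\x90\x00" + b"\x00" * 16)])
UNKNOWN_DEVICE = Device("0x1234", "0x5678", "SN-UNKNOWN",
                        [MediaFile("notes.txt", b"hello")])
KNOWN_BAD_SHA256.add(sha256(b"constructed-bad-sample"))
BAD_HASH_DEVICE = Device("0x0781", "0x5583", "SN-MAINT-0001",
                         [MediaFile("data.csv", b"constructed-bad-sample")])

if __name__ == "__main__":
    for dev in (CLEAN_DEVICE, RENAMED_EXE, UNKNOWN_DEVICE, BAD_HASH_DEVICE):
        verdict = admit_device(dev, operator="maint-tech-07")
        print(dev.serial, "admitted" if verdict.admitted else "blocked", verdict.reasons)
        for line in verdict.audit_log:
            print("   ", line)
```

Two design points carry over to any real kiosk: an unapproved device is rejected before any of its contents are read, so the scanning engine never touches media that failed the allowlist, and every decision (including a clean admission) is logged with the file hash, which is what later makes the audit and incident-response steps listed above possible.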

Summary

Nuclear facilities often operate in air-gapped environments, which makes data transfer between facilities and endpoints via portable multimedia essential but also increases the risk of PMMD attacks. To comply with regulations and strengthen cybersecurity, facilities need peripheral-device and removable-media protection solutions such as MetaDefender Kiosk, MetaDefender Media Firewall, MetaDefender Endpoint™, and MetaDefender Drive, which the vendor states achieve a malware detection rate of up to 99.2%, comprehensively protecting critical facilities.

Original link: https://ithome.com.tw/pr/168694