
'A RISK-INFORMED CYBER-SECURITY PROGRAM APPROACH'


Abstract

It is generally accepted that the effort required to comply with 10CFR73.54, "Protection of Digital Computer and Communication Systems and Networks," is much greater than initially anticipated. For example, instead of cyber security programs addressing handfuls of plant digital assets (CDAs), hundreds if not thousands of CDAs must be addressed. This situation is aggravated by the regulatory framework of 10CFR73.54 excluding risk management attributes of other cyber-security risk frameworks. Although the current situation has been improved by using a consequence-based methodology for CDA assessments, a more effective resolution will require fundamental changes to current regulatory requirements via rulemaking. Recognizing that the Federal rulemaking process is lengthy, this paper outlines a near-term, risk-informed approach that improves cyber security program efficiency and increases program focus on public safety. This approach complies with 10CFR73.54 and builds upon Industry's current CDA assessment methodology, facilitating incorporation into existing plant programs. With a December 2017 deadline for 10CFR73.54 compliance, incorporating a risk-informed approach into cyber security programs is realistically a post-Milestone 8 program optimization initiative. Although this risk-informed approach is not a substitute for rulemaking, it does improve program performance in the near term and is a meaningful step towards the long-term solution of rulemaking.