CSA N290.7:21 Cyber security for nuclear facilities, Updated Canadian National Standard

Abstract of the technical paper/presentation presented at:
International Conference on Computer Security in the Nuclear World: Security for Safety
19-23 June, 2023

Prepared by:
John Sladek
Justin Sigetich
Canadian Nuclear Safety Commission

Abstract:

In December 2014, the CSA group published Canadian national standard, N290.7-14 (Cyber security for Nuclear Power Plants and Small Reactor Facilities) [R-1].  This standard reflected the operating experience of the Canadian nuclear power industry. The CNSC required licensees operating nuclear power plants and those holding nuclear research and test establishment licences to bring their cyber security programs into alignment with this new standard. 
The second edition of this standard, N290.7:21, Cyber Security for Nuclear Facilities, was published in December 2021.  The changes to this standard:

• reflected experience gained in implementing N290.7-14
• addressed recommendations from the IAEA International Physical Protection Advisory Service mission to Canada in 2015 [R-3], and
• incorporated new and updated IAEA guidance (NSS 17-T [R-4][R-5], NSS 33-T, and NSS 42-G[R-6])

The cyber security threat to Canadian nuclear facilities continues to evolve and an effective cyber security program plays a vital role in the safe and secure operations of nuclear facilities. The latest CSA N290.7 revision drives continuous improvement of cyber security to address those threats and to align cyber security at Canadian nuclear facilities with applicable international recommendations, guidance and best practice.

The changes to this edition included:

• new requirements for establishing a defensive cyber security architecture that provides for defense-in-depth
• improvements to the criteria for the applicability of CEA control
• enhanced requirements for cyber security in the supply chain
• addition of normative requirements for incident response.

This new edition can be applied in a graded manner for the site preparation, design, construction, commissioning, operation, and decommissioning of all Canadian nuclear facilities, including small modular reactors (SMRs).

This paper will describe lessons learned during the implementation of N290.7-14, highlight major regulatory components of the standard, and provide information on how the most recent edition will be incorporated into the Canadian regulatory framework for nuclear facilities. 

References:

• [R-1] Canadian Standards Association (2014), Cyber Security for Nuclear Power Plants and Small Reactor Facilities (CSA Standard N290.7-14), CSA Group, Toronto, Canada, 2015.
• [R-2] Canadian Standards Association (2021), (CSA Standard N290.7:21), Cyber Security for Nuclear Facilities, The CSA Group, Toronto Canada, 2021.
• [R-3] International Atomic Energy Agency (2015), International Physical Protection Advisory Service Mission Report: Canada, IAEA, Vienna, Austria, 2016, http://www.nuclearsafety.gc.ca/eng/pdfs//IPPAS/Canadas-IPPAS-Mission-Report-2015-eng.pdf .
• [R-4] International Atomic Energy Agency (2021), Technical Guidance: Computer Security Techniques for Nuclear Facilities (NSS 17-T), IAEA, Vienna, Austria, 2021.
• [R-5] International Atomic Energy Agency (2018), Technical Guidance: Computer Security of Instrumentation and Control Systems at Nuclear Facilities (NSS 33-T), IAEA, Vienna Austria, 2018.
• [R-6] International Atomic Energy Agency (2021), Implementing Guide: Computer Security for Nuclear Security (NSS 42-G), IAEA, Vienna Austria, 2021.

To obtain a copy of the abstract’s document, please contact us at cnsc.info.ccsn@cnsc-ccsn.gc.ca or call 613-995-5894 or 1-800-668-5284 (in Canada). When contacting us, please provide the title and date of the abstract.