1、REVISED FEBRUARY 2015N290.7-14Cyber security for nuclear power plants and small reactor facilitiesLegal Notice for StandardsCanadian Standards Association (operating as “CSA Group”) develops standards through a consensus standards development process approved by the Standards Council of Canada. This
2、 process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA Group administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content o
3、f standards.Disclaimer and exclusion of liabilityThis document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this documents fitness for a particular purpose or use, its me
4、rchantability, or its non-infringement of any third partys intellectual property rights. CSA Group does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA Group makes no representations or warranties regarding this documents compliance with
5、any applicable statute, rule, or regulation.IN NO EVENT SHALL CSA GROUP, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDIN
6、G BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSI
7、ON OR USE OF THIS DOCUMENT, EVEN IF CSA GROUP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.In publishing and making this document available, CSA Group is not undertaking to render professional or other services for or on behalf of any person or entity or to p
8、erform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA Group accepts no responsibility whatsoever arising in any way from any and all use of o
9、r reliance on the information contained in this document.CSA Group is a private not-for-profit company that publishes voluntary standards and related documents. CSA Group has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes.Int
10、ellectual property rights and ownershipAs between CSA Group and the users of this document (whether it be in printed or electronic form), CSA Group is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to t
11、he contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may viola
12、te laws that protect CSA Groups and/or others intellectual property and may give rise to a right in CSA Group and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA Group reserves all intellectual property rights in t
13、his document.Patent rightsAttention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA Group shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of th
14、e validity of any such patent rights is entirely their own responsibility.Authorized use of this documentThis document is being provided by CSA Group for informational and non-commercial use only. The user of this document is authorized to do only the following:If this document is in electronic form
15、: load this document onto a computer for the sole purpose of reviewing it; search and browse this document; and print this document if it is in PDF format.Limited copies of this document in print or paper form may be distributed only to persons who are authorized by CSA Group to have such copies, an
16、d only if this Legal Notice appears on each such copy.In addition, users may not and may not permit others to alter this document in any way or remove this Legal Notice from the attached standard; sell this document without authorization from CSA Group; or make an electronic copy of this document.If
17、 you do not agree with any of the terms and conditions contained in this Legal Notice, you may not load or use this document or make any copies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this document constitutes your acceptance of th
18、e terms and conditions of this Legal Notice.Revision HistoryN290.7-14, Cyber security for nuclear power plants and small reactor facilitiesRevision Issued: Errata Febraury 2015 Revision symbol (in margin)Technical CommitteeStandards Update ServiceN290.7-14December 2014Title: Cyber security for nucle
19、ar power plants and small reactor facilitiesTo register for e-mail notification about any updates to this publication go to shop.csa.ca click on CSA Update ServiceThe List ID that you will need to register for updates to this publication is 2422885.If you require assistance, please e-mail techsuppor
20、tcsagroup.org or call 416-747-2233.Visit CSA Groups policy on privacy at csagroup.org/legal to find out how we protect your personal information.ISBN 978-1-77139-459-0 2014 CSA Group All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permissio
21、n of the publisher.Published in December 2014 by CSA Group A not-for-profit private sector organization 178 Rexdale Boulevard, Toronto, Ontario, Canada M9W 1R3 To purchase standards and related publications, visit our Online Store at shop.csa.caor call toll-free 1-800-463-6727 or 416-747-4044.TMA tr
22、ade-mar k of the Canadian S tandards Association, operating as “CSA Group”Cyber security for nuclear power plants and small reactor facilitiesN290.7-14N290.7-14Cyber security for nuclear power plants and small reactor facilitiesDecember 2014 2014 CSA Group 1ContentsTechnical Committee on Reactor Con
23、trol Systems, Safety Systems and Instrumentation for NPP (N290A) 3Subcommittee on Cyber security for Nuclear Power Plants and Small Reactor Facilities (N290.7) 6Preface 81 Scope 92 Reference publications 103 Definitions and abbreviations 103.1 Definitions 103.2 Abbreviations 134 Cyber security progr
24、am 134.1 General requirements 134.2 Elements of the program 144.3 Establishing, implementing, reviewing, and maintaining the program 144.3.1 Establishing 144.3.2 Implementing 144.3.3 Reviewing and maintaining 144.4 Interface with other programs and processes 154.4.1 General 154.4.2 Interface with ph
25、ysical security 164.4.3 Interface with personnel security 164.4.4 Interface with training 164.4.5 Interface with information protection 164.4.6 Interface with incident response 164.4.7 Interface with supply chain 164.4.8 Interface with new design and design modifications 164.4.9 Interface with opera
26、tions and maintenance 174.4.10 Interface with information technology 174.4.11 Interface with corrective action process 175 Roles and responsibilities 175.1 General 175.1.1 Cyber security program roles 175.1.2 Cyber security program sponsor 175.1.3 Cyber security program owner 175.1.4 Cyber security
27、program specialist 185.1.5 CEA owners 186 Identification and classification of CEAs 186.1 Assessment and identification 186.2 Classification 19N290.7-14Cyber security for nuclear power plants and small reactor facilitiesDecember 2014 2014 CSA Group 27 Cyber security architecture 208 Controls 218.1 A
28、pplicability 218.2 Policies and procedures 228.3 Technical controls groups 238.3.1 Access control and account management 238.3.2 Event monitoring, event management, and audit 238.3.3 System and communications protection 238.3.4 Identification and authentication of users 248.3.5 System hardening 248.
29、4 Operational controls group 248.4.1 Media and information protection 248.4.2 Personnel security and screening 248.4.3 System and information integrity 248.4.4 Maintenance 258.4.5 Physical protection 258.4.6 Incident response and recovery 258.4.7 Contingency and continuity planning 258.4.8 Awareness
30、 and training 258.4.9 Change control and configuration management 268.5 Management controls groups 268.5.1 System and services acquisition 268.5.2 Security assessment and risk management 269 Lifecycle management 269.1 General 269.2 Secure development environment 269.3 Preliminary design 279.4 Detail
31、ed design 279.5 Test/validation during development and commissioning 289.6 Installation 289.7 Supply chain 289.8 Operations and maintenance 289.8.1 General 289.8.2 Modification 289.8.3 Tools and development facilities 299.9 Decommissioning 29Annex A (informative) Definitions for cyber security contr
32、ols 30N290.7-14Cyber security for nuclear power plants and small reactor facilitiesDecember 2014 2014 CSA Group 3Technical Committee on Reactor Control Systems, Safety Systems and Instrumentation for NPP (N290A)J. Grava CANTECH Associates Ltd., Owen Sound, Ontario Category: General InterestChairR.K.
33、 Black TransCanada, Toronto, Ontario Category: Service IndustryVice-Chair B.J. Coulas Hatch Ltd., Mississauga, Ontario SecretaryB.D. Babcock North York, Ontario Category: General InterestM. Buckler Bruce Power, Tiverton, Ontario AssociateQ.B. Chou Canadian Power Utility Services Ltd (CPUS), Toronto,
34、 Ontario Category: Service IndustryV. Chugh AMEC NSS, Toronto, Ontario Category: Service IndustryR. Clavero Ministry of Energy, Government of Ontario, Toronto, Ontario AssociateJ. Coady Bruce Power L.P., Tiverton, Ontario Category: Owner/Operator/ProducerC.J. Conway Atomic Energy of Canada Limited (
35、AECL), Chalk River, Ontario Category: Owner/Operator/ProducerJ.M. Cuttler Cuttler however, it may provide more specific direction for those requirements.This Standard reflects the operating experience of the Canadian nuclear power industry.Users of this Standard are reminded that the design, manufac
36、ture, construction, commissioning, operation, and decommissioning of nuclear facilities in Canada are subject to the provisions of the Nuclear Safety and Control Act and its supporting Regulations.This Standard has been prepared by the Technical Subcommittee on Cyber Security for Nuclear Power Plant
37、s and Small Reactor Facilities under the jurisdiction of the Technical Committee on Reactor Control Systems, Safety Systems, and Instrumentation of Nuclear Power Plants and the Standards Steering Committee on Nuclear Standards, and has been approved by the Technical Committee.Notes: 1) Use of the si
38、ngular does not exclude the plural (and vice versa) when the sense allows.2) Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users of the Standard to judge its suitability for their particular purpos
39、e.3) This Standard was developed by consensus, which is defined by CSA Policy governing standardization Code of good practice for standardization as “substantial agreement. Consensus implies much more than a simple majority, but not necessarily unanimity”. It is consistent with this definition that
40、a member may be included in the Technical Committee list and yet not be in full agreement with all clauses of this Standard.4) To submit a request for interpretation of this Standard, please send the following information to inquiriescsagroup.org and include “Request for interpretation” in the subje
41、ct line: a) define the problem, making reference to the specific clause, and, where appropriate, include an illustrative sketch;b) provide an explanation of circumstances surrounding the actual field condition; andc) where possible, phrase the request in such a way that a specific “yes” or “no” answ
42、er will address the issue. Committee interpretations are processed in accordance with the CSA Directives and guidelines governing standardization and are available on the Current Standards Activities page at standardsactivities.csa.ca.5) This Standard is subject to a review within five years from th
43、e date of publication. Suggestions for its improvement will be referred to the appropriate committee. To submit a proposal for change, please send the following information to inquiriescsagroup.org and include “Proposal for change” in the subject line: a) Standard designation (number);b) relevant cl
44、ause, table, and/or figure number;c) wording of the proposed change; andd) rationale for the change.N290.7-14Cyber security for nuclear power plants and small reactor facilitiesDecember 2014 2014 CSA Group 9N290.7-14Cyber security for nuclear power plants and small reactor facilities1 Scope1.1 This
45、Standard covers the cyber security of new and existing nuclear power plants (NPPs) and small reactor facilities.Note: This Standard may provide guidance for nuclear facilities other than NPPs and small reactor facilities, using a graded approach.1.2 This Standard addresses cyber security at nuclear
46、power plants and small reactor facilities for the following computer systems and components:a) systems important to nuclear safety;b) nuclear security;c) emergency preparedness;d) production reliability;e) safeguards; andf) auxiliary assets or systems which, if compromised, exploited, or failed, cou
47、ld adversely impact Item (a), (b), (c), (d) or (e).1.3 This Standard pertains to the securing of essential computer systems and components against cyber attacks resulting in loss of availability, degradation or loss of ability to perform their intended function, compromise of their integrity, and lo
48、ss of confidentiality of their information.1.4 This Standard does not apply to business systems (e.g., work management), and offline engineering systems (e.g., analytical, scientific, and design computer programs as per CSA N286.7).1.5 In this Standard, “shall” is used to express a requirement, i.e.
49、, a provision that the user is obliged to satisfy in order to comply with the standard; “should” is used to express a recommendation or that which is advised but not required; and “may” is used to express an option or that which is permissible within the limits of the standard.Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.Notes to tables and figures are considered part of the table or figure and may be written as r