CSA N290.7:21

Preface

This is the second edition of CSA N290.7, Cyber security for nuclear facilities. It supersedes the previous edition published in 2014 under the title Cyber security for nuclear power plants and small reactor facilities. Changes to this edition include: a) replacement of the term “vulnerability” with “susceptibility”; b) replacement of the previous Clause 7 (Cyber security architecture) with a new Clause 7 (Defensive cyber security architecture) which defines a Defensive Cyber Security Architecture concept based on groupings (called Zones) of cyber assets having the same or similar requirements for cyber security; c) revision of Clause 8 (Security controls) to improve the criteria for CEA control applicability (eliminated Table 1) in response to industry experience with the previous edition; d) enhanced the Supply Chain requirements in Clause 9 (Lifecycle management); e) inclusion of a new Clause 10 (Cyber security incident response); and f) removal of the former Annex A (Definitions for cyber security controls) and inclusion of applicable content in the body of the Standard as guidance. The CSA N-Series Standards provide an interlinked set of requirements for the management of nuclear facilities and activities. CSA N286 provides overall direction to management to develop and implement sound management practices and controls, while the other CSA Group nuclear Standards provide technical requirements and guidance that support the management system. This Standard works in harmony with CSA N286 and does not duplicate the generic requirements of CSA N286; however, it may provide more specific direction for those requirements. This Standard reflects the operating experience of the Canadian nuclear power industry. Users of this Standard are reminded that the design, manufacture, construction, commissioning, operation, and decommissioning of nuclear facilities in Canada are subject to the provisions of the Nuclear Safety and Control Act and its supporting Regulations.

Scope

1.1 This Standard covers the cyber security of new and existing nuclear power plants (NPPs) and small reactor facilities. Note: This Standard may provide guidance for nuclear facilities other than NPPs and small reactor facilities, using a risk-informed graded approach.

1.2 This Standard addresses cyber security for systems and components which perform or impact: a) functions important to nuclear safety; b) nuclear security functions; c) emergency preparedness functions; d) safeguard functions; and e) those auxiliary functions which, if compromised, exploited, or failed, could adversely impact Item a), b), c), or d). Note: This Standard may be applied to other functions, such as those related to production reliability.

1.3 This Standard pertains to the securing of cyber essential assets to protect against cyber attacks resulting in consequential degradation or loss of ability to perform their intended function, the compromise of their availability, integrity, and the loss of confidentiality of information that they store, process, or transmit.

1.4 This Standard does not apply to business systems (e.g., work management) and offline engineering systems, except for business systems that are part of the secure development environment at the time of development.

1.5 In this Standard, “shall” is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the standard; “should” is used to express a recommendation or that which is advised but not required; and “may” is used to express an option or that which is permissible within the limits of the standard. Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material. Notes to tables and figures are considered part of the table or figure and may be written as requirements. Annexes are designated normative (mandatory) or informative (nonmandatory) to define their application.