Changes to Regulation of Cyber Security for Canadian Nuclear Facilities and Activities

Abstract of the technical paper/presentation presented at:
International Conference on Computer Security in the Nuclear World: Security for Safety
19-23 June, 2023

Prepared by:
John Sladek
Justin Sigetich
Canadian Nuclear Safety Commission

Abstract:

In 2021, the CNSC proposed amendments [R-1] to the Nuclear Security Regulations (NSR) [R-2]  to regulate nuclear security using a performance objective-based approach thereby allowing licensees greater flexibility in the measures and approaches that they use to meet nuclear security requirements. The CNSC will also be updating the nuclear security regulatory documents (REGDOCs) to provide guidance on how these requirements can be met.

The CNSC has also proposed changes [R-3] to strengthen existing requirements and to create new requirements for protection of sensitive information and computer-based systems that perform or impact upon nuclear safety, nuclear security, emergency preparedness and management, and safeguard functions (SSEPS).
These proposed regulatory changes include:

• Requiring all licensees subject to the NSR to assess their vulnerability to cyber threats and to include cyber threats in their threat and risk assessments (TRA). The objective of this requirement is to ensure that licensees can detect and respond to cyber-attacks targeting sensitive information and SSEPS functions.
• Requiring licensees subject to the NSR to develop cyber security programs as part of their nuclear security programs and implement measures to manage the risk identified in their TRAs
• Establishing computer security requirements for licensees that are not subject to the NSR, such as licensees having category 1 and 2 sealed sources.
• To develop REGDOCs to provide requirements and guidance for protection of sensitive information.
• To develop REGDOCs to provide requirements and guidance for protection of SSEPS functions.

This paper will describe how cyber security is regulated in Canada, the consultative process for updating regulations and REGDOCs, and provide an update on the proposed changes which are currently in process.

• [R-1] Canadian Nuclear Safety Commission, Cyber Security and the Protection of Digital Information (DIS 21-03), CNSC, Ottawa, Canada, 2021, https://www.letstalknuclearsafety.ca/dis-21-03
• [R-2] Nuclear Safety and Control Act: Nuclear Security Regulations (2015) SOR/2000/209 https://laws-lois.justice.gc.ca/PDF/SOR-2000-209.pdf
• [R-3] Canadian Nuclear Safety Commission, Cyber Security and the Protection of Digital Information (DIS 21-02), CNSC, Ottawa, Canada, 2021, /eng/pdfs/Discussion-Papers/21-02/DIS-21-02_-_Proposals_to_Amend_the_Nuclear_Security_Regulations_(NSR)_Discussion_Paper_(revised_version).pdf

To obtain a copy of the abstract’s document, please contact us at cnsc.info.ccsn@cnsc-ccsn.gc.ca or call 613-995-5894 or 1-800-668-5284 (in Canada). When contacting us, please provide the title and date of the abstract.