Unofficial transfer (c) Soyuzpravoinform LLC

ORDER OF THE STATE INSPECTION OF NUCLEAR REGULATION OF UKRAINE

of March 22, 2022 No. 223

About approval of Requirements to cyberprotection of information and managing systems of nuclear power plants for ensuring nuclear and radiation safety

According to articles 8 and 24 of the Law of Ukraine "About use of nuclear energy and radiation safety", the subitem 7 of item 4 of the Regulations on the state inspection of the nuclear regulation of Ukraine approved by the resolution of the Cabinet of Ministers of Ukraine of August 20, 2014 No. 363, I order:

1. Approve Requirements to cyberprotection of information and managing systems of nuclear power plants for ensuring nuclear and radiation safety which are attached.

2. (Boris Stolyarchuk) to provide to department on safety issues of nuclear installations submission of this order on state registration in the Ministry of Justice of Ukraine in accordance with the established procedure.

3. This order becomes effective from the date of its official publication.

4. I reserve control of execution of this order.

Approved by the Order of the State inspection of nuclear regulation of Ukraine of March 22, 2022 No. 223

Requirements to cyberprotection of information and managing systems of nuclear power plants for ensuring nuclear and radiation safety

I. General provisions

1. These Requirements establish requirements to cyberprotection of information and managing systems of nuclear power plants, their components (software and hardware complexes, technical means of automation) and the software of the specified systems, during their development, implementation, operation and modification, for the purpose of ensuring nuclear and radiation safety.

2. In these Requirements terms are used in such values:

authentication - verification process of identification data of the user or check of data source, messages and teams;

authorization - provision process by information and/or managing system to certain user or user group (after successful authentication) the rights to accomplishment of certain actions, and also verification process (confirmations) of these rights in attempt of accomplishment of these actions;

products of third-party development - the program or hardware products made by the third party concerning developer of information and/or managing system, its components or the software;

remote access - process of access for the user to information and/or managing system of nuclear power plant, to its components and/or the software which provides remote use of data, information resources and/or functions of this system;

recovery - the process directed to return of information and/or managing system of nuclear power plant, its components, the software to operating state after total or partial loss of functionality;

vulnerability - lack of information and/or managing system of nuclear power plant, its components and/or the software which can be used for cyberthreat realization;

cyberprotection in depth - approach to cyberprotection of information and/or managing systems of nuclear power plant in case of which for ensuring cyberprotection several consecutive levels and cyberprotection measures are unrolled;

the demilitarized zone - the physical or logical network segment containing public services which is separated internal services and resources of nuclear power plant and is used for the purpose of introduction of additional protective barrier to local area network;

the differentiated approach - application of measures of cyberprotection of information and / or managing system of nuclear power plant is pro rata to cyberprotection level;

availability - property which guarantees that the authorized user will always get access to data and opportunity to use them;

cyberprotection zone - group of information and/or managing systems of nuclear power plant with identical levels of cyberprotection which is selected for general managerial control, communication and application of identical protective measures;

cyber attack to information and/or managing system of nuclear power plant (further - cyber attack) - actions which are made by electronic communications (including information and communication technologies, program, software and hardware tools, other technical and technological means and the equipment) and are directed to compromise of information and/or managing system of nuclear power plant with use of vulnerabilities;

cyberthreat to information and/or managing system of nuclear power plant (further - cyberthreat) - the available and potentially possible phenomena and factors which can become the potential reason of cyberincident which can entail harming information and/or managing system of nuclear power plant;

cyberprotection of information and/or managing systems of nuclear power plant (further - cyberprotection) - complex of administrative, technical and program measures and means which purpose is prevention, identification and response to cyber attacks and cyberthreats;

cyberincident with information and/or managing system of nuclear power plant (further - cyberincident) - event in case of which emergence compromises information and/or managing system of nuclear power plant, its components or the network equipment are exposed;

compromise - violation of confidentiality, integrity, availability of data and/or functioning and characteristics of information and/or managing system of nuclear power plant;

access control - process of the providing authorized, the authorized access to information and/or managing system of nuclear power plant or its components;

confidentiality - property which guarantees that information remains unavailable or unsolved for unauthorized users;

the user - physical person or software process which can interact with information and/or managing system of nuclear power plant via the provided interface;

culture of safety of cybernetic protection (further - culture of cyberprotection) - set of characteristics and features of organization activity and behavior of individuals which determine that ensuring cyberprotection is one of the priority purposes and internal requirement which leads to consciousness, responsibility and self-checking in case of accomplishment of all works influencing cyberprotection;

border - demarcation point which physically or logically divides cyberprotection zones;

the network interface - the interface via which communication between information and/or managing systems of nuclear power plant, their components or networks containing in different zones of cyberprotection is performed;

network - system of electronic communications which provides data exchange between technical means of one or several information and/or managing systems of nuclear power plant;

network architecture - complete structure of network which determines all information and managing systems of nuclear power plant, their components, the network equipment, cables, the used network topologies, data exchange protocols;

monitoring - process of systematic control of current status of information and/or managing systems of nuclear power plant, their components and the software;

negative impact - influence on information and/or managing system of nuclear power plant, its components or the software which leads to loss or violation of functions, decrease in reliability, capability of response to cyberincidents;

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info