scope:

This Standard covers the cyber security of new and existing nuclear power plants (NPPs) and small reactor facilities.

Note: This Standard may provide guidance for nuclear facilities other than NPPs and small reactor facilities, using a graded approach. 

This Standard addresses cyber security at nuclear power plants and small reactor facilities for the following computer systems and components:

a) systems important to nuclear safety;

b) nuclear security;

c) emergency preparedness;

d) production reliability;

e) safeguards; and

f) auxiliary assets or systems which, if compromised, exploited, or failed, could adversely impact Item (a), (b), (c), (d) or (e). 

This Standard pertains to the securing of essential computer systems and components against cyber attacks resulting in loss of availability, degradation or loss of ability to perform their intended function, compromise of their integrity, and loss of confidentiality of their information. 

This Standard does not apply to business systems (e.g., work management), and offline engineering systems (e.g., analytical, scientific, and design computer programs as per CSA N286.7). 

In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the standard.

Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.

Notes to tables and figures are considered part of the table or figure and may be written as requirements.

Annexes are designated normative (mandatory) or informative (nonmandatory) to define their application.