Canadian Centre for Occupational Health and Safety

Format: PDF
Language: English

Product Description

An errata to this standard is available.

To download any updates and/or register for email notification of future updates, click here.


This is the first edition of CSA N290.7, Cyber security for nuclear power plants and small reactor facilities.

The CSA N-Series of Standards provides an interlinked set of requirements for the management of nuclear facilities and activities. CSA N286 provides overall direction to management to develop and implement sound management practices and controls, while the other CSA nuclear Standards provide technical requirements and guidance that support the management system. This Standard works in harmony with CSA N286 and does not duplicate the generic requirements of CSA N286; however, it may provide more specific direction for those requirements.

This Standard reflects the operating experience of the Canadian nuclear power industry.

Users of this Standard are reminded that the design, manufacture, construction, commissioning, operation, and decommissioning of nuclear facilities in Canada are subject to the provisions of the Nuclear Safety and Control Act and its supporting Regulations.


This Standard covers the cyber security of new and existing nuclear power plants (NPPs) and small reactor facilities.

Note: This Standard may provide guidance for nuclear facilities other than NPPs and small reactor facilities, using a graded approach.

This Standard addresses cyber security at nuclear power plants and small reactor facilities for the following computer systems and components:

a) systems important to nuclear safety;

b) nuclear security;

c) emergency preparedness;

d) production reliability;

e) safeguards; and

f) auxiliary assets or systems which, if compromised, exploited, or failed, could adversely impact Item (a), (b), (c), (d) or (e).

This Standard pertains to the securing of essential computer systems and components against cyber attacks resulting in loss of availability, degradation or loss of ability to perform their intended function, compromise of their integrity, and loss of confidentiality of their information.

This Standard does not apply to business systems (e.g., work management), and offline engineering systems (e.g., analytical, scientific, and design computer programs as per CSA N286.7).

In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the standard.

Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.

Notes to tables and figures are considered part of the table or figure and may be written as requirements.

Annexes are designated normative (mandatory) or informative (nonmandatory) to define their application.