Skip to main content

Nuclear Power Plant Response to the Cyber Threat

Our nation’s commercial nuclear power plants take the cyber threat seriously.  Our industry has been developing and implementing cyber security programs since shortly after the events of September 11, 2001.  The industry’s efforts culminated in a binding industry initiative to implement a cyber security program consistent with the guidance in a document endorsed by the NRC as an acceptable method for establishing a cyber security program.  All plants implemented this program by mid-2008.

The U.S. Nuclear Regulatory Commission (NRC) is a strong regulator in this area.  The NRC’s efforts to create a cyber security regulatory framework for the plants began shortly after September 11, 2001.  The NRC issued orders after September 11 that required power reactor licensees to implement interim compensatory measures to enhance cyber security at their sites. These security measures required an assessment sufficient to provide protection against the cyber threats at the time of the orders. Subsequently, the NRC amended the Design Basis Treat requirements to include cyber attacks.  In 2009 the NRC ammended their extensive physical protection program regulations to include specific requirements for a cyber security program to protect systems that, if compromised, would adversely impact safety, security or emergency preparedness.

So what does all of this mean?  What have the plants actually done to implement cyber security protective measures in response to the cyber threat?

Every plant submitted a cyber security plan to the NRC that describes how the plant will implement their cyber security program.  The NRC has reviewed and approved each of these plans.

Each plant also submitted an implementation schedule describing the interim milestone actions toward full implementation of the cyber security program.  The NRC has reviewed and approved each of these schedules.  The interim milestones of the schedule prioritize key activities designed to address the most prominent cyber threats to these facilities.

By December 31, 2012, each U.S. nuclear power plant has:
  • Isolated key control systems using either air-gaps or robust hardware based isolation devices. As a result, the key safety, security, and power generation equipment at the plants are protected from any network based cyber attacks originating outside the plant.
  • Enhanced and implemented robust controls over the use of portable media and equipment.  Where devices like thumb drives, CD’s, and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat.  These measures include such actions as: minimizing the use of devices that are not maintained at the plant; virus scanning devices both before and after being connected to plant equipment; and, implementing additional measures where the source of the data or device originates outside the plant.  As a result, the plants are well protected from attacks like Stuxnet, that propagated through the use of portable media.
  • Enhanced defenses against the insider threat.  Training and insider mitigation programs have been enhanced to include cyber attributes.  Individuals who work with digital plant equipment are subject to increased security screening, cyber security training, and behavioral observation.
  • Implemented cyber security controls to protect equipment deemed most essential for the protection of the public health and safety.  While full implementation of cyber security controls for all digital equipment requiring protection will take some time, plants have prioritized the implementation to cover the assets most essential to the public health and safety.
  • Implemented measures to maintain the effectiveness of the implemented portions of the program.  These measures include maintaining the equipment described above in the plant configuration management program, ensuring changes to the equipment are performed in a controlled way.  A cyber security impact analysis is performed before making changes to the equipment.  The effectiveness of implemented cyber security controls is periodically assessed, and enhancements made where necessary.  Vulnerability assessments are performed to ensure the cyber security posture of the equipment is maintained.
This week the NRC began inspecting plant’s implementation of these milestones.

The balance of the implementation of the cyber security program is ongoing.  And I look forward to keeping the readers of the blog up-to-speed on advancements.

No cyber security program will be 100% perfect.  These interim measures well position the plants to ensure that the public health and safety are maintained, and that the sites will reliably continue to make their significant contribution to the nation’s electrical supply.

Comments

Manolya Rowe said…
Hi Bill, nice post. One comment I like to make is that it is easy to write a cyber security concept, but it is so much more difficult to actually implement the program and make the security happen at the system level. I would like to know, what the NRC finds appropriated enough and what SSP will be approved and what the standert's will be used.
Anonymous said…
"....the NRC amended the Design Basis Treat requirements to include cyber attacks."

Cyber TREATS are much better than cyber THREATS....

Happy Valentine’s day x

Mr Pedant
Rehan Azhar said…
Hi Bill,

I am working on a research report for the nuclear cyber security industry and was hoping I could briefly get your input on a few questions I had. If so, I can call you at your NEI work number.

Best,
Rehan

Popular posts from this blog

How Nanomaterials Can Make Nuclear Reactors Safer and More Efficient

The following is a guest post from Matt Wald, senior communications advisor at NEI. Follow Matt on Twitter at @MattLWald.

From the batteries in our cell phones to the clothes on our backs, "nanomaterials" that are designed molecule by molecule are working their way into our economy and our lives. Now there’s some promising work on new materials for nuclear reactors.

Reactors are a tough environment. The sub atomic particles that sustain the chain reaction, neutrons, are great for splitting additional uranium atoms, but not all of them hit a uranium atom; some of them end up in various metal components of the reactor. The metal is usually a crystalline structure, meaning it is as orderly as a ladder or a sheet of graph paper, but the neutrons rearrange the atoms, leaving some infinitesimal voids in the structure and some areas of extra density. The components literally grow, getting longer and thicker. The phenomenon is well understood and designers compensate for it with a …

Missing the Point about Pennsylvania’s Nuclear Plants

A group that includes oil and gas companies in Pennsylvania released a study on Monday that argues that twenty years ago, planners underestimated the value of nuclear plants in the electricity market. According to the group, that means the state should now let the plants close.

Huh?

The question confronting the state now isn’t what the companies that owned the reactors at the time of de-regulation got or didn’t get. It’s not a question of whether they were profitable in the '80s, '90s and '00s. It’s about now. Business works by looking at the present and making projections about the future.

Is losing the nuclear plants what’s best for the state going forward?

Pennsylvania needs clean air. It needs jobs. And it needs protection against over-reliance on a single fuel source.


What the reactors need is recognition of all the value they provide. The electricity market is depressed, and if electricity is treated as a simple commodity, with no regard for its benefit to clean air o…

Why Nuclear Plant Closures Are a Crisis for Small Town USA

Nuclear plants occupy an unusual spot in the towns where they operate: integral but so much in the background that they may seem almost invisible. But when they close, it can be like the earth shifting underfoot.

Lohud.com, the Gannett newspaper that covers the Lower Hudson Valley in New York, took a look around at the experience of towns where reactors have closed, because the Indian Point reactors in Buchanan are scheduled to be shut down under an agreement with Gov. Mario Cuomo.


From sea to shining sea, it was dismal. It wasn’t just the plant employees who were hurt. The losses of hundreds of jobs, tens of millions of dollars in payrolls and millions in property taxes depressed whole towns and surrounding areas. For example:

Vernon, Vermont, home to Vermont Yankee for more than 40 years, had to cut its municipal budget in half. The town closed its police department and let the county take over; the youth sports teams lost their volunteer coaches, and Vernon Elementary School lost th…