
Cyber Security and Defending What’s Important

We read all the time about various data breaches that cause – potentially, anyway – a good deal of pain. Probably the best known example recently was the theft of over 40 million credit card numbers from Target last year, which has led to a lawsuit from the companies that had to replace all those cards and a class action suit from disgruntled customers.

We’ve no brief on Target’s cyber security strategy, except that we expect it to get a full review. But it certainly suggests the value of a good cyber security program: defending what must be defended to ensure the public good.

Cyber security at nuclear energy plants – and all essential infrastructure – is extremely important because the potential for malicious mischief is very high – not from thieves as much as terrorists and others who want to cripple the electricity grid or cause a radioactive release. Stealing credit cards can be discomforting, but attacking a nuclear facility could have grave impacts.

For these and other reasons, nuclear facilities have been working on cyber security for about as long as digital items have filtered into them – most essential parts of a plant are analog in nature – and developed approaches to handling them even before the Nuclear Regulatory Commission became involved in the issue.

The NRC’s rulemaking on the issue is, for the most part, judicious and on-point, but it is also very broad in nature. The nuclear industry wants primary attention on cyber security threats that involve public safety and plant integrity – obvious enough, but in guarding against such threats, one must identify what is and is not essential.

Consequently, NEI submitted a petition to the NRC last June to reconsider the scope of the cyber security rule. (Comments on the petition are due today.) But if public safety is the issue, shouldn’t everything be coequal?

Nobody should doubt that the health and safety of the public is a paramount motivation for the industry and the Nuclear Regulatory Commission. Unsafe nuclear plants – or any large industrial operation – carry no benefits for operators or customers.

But both the industry and the NRC recognize that rules must be properly “scoped”; that is, they have to take in those elements that the rule is meant to cover and nothing more. If the rule is too broadly scoped, then the facility runs the risk of wasting resources while creating no true value.

That can seem a little abstract, so let’s get concrete. As written, the cyber security rule covers items such as fax machines, hand-held calibration devices, radios and pagers, and calculators used by emergency preparedness personnel. These don’t have any potential to impact human safety nor could their misuse damage essential systems. They are basic business tools that an Information Technology department knows how to protect. The same is true of the computers that have no connection to the plant’s processes but are used for things like word processing or creating dull slide shows. If the NRC has to hear about a fax machine going down, it wastes time at both the plant and the agency.

Not wasting time and effort on the inessential also facilitates defense-in-depth. This just means protecting the same item in multiple ways. For example, cars keep their passengers alive in a crash through crash-resistant bumpers, crumple zones, seat belts, air bags, anti-lock braking systems and even proximity sensors! Ideally, these work in tandem so that one tool does not interfere with any other tool and render it ineffective.

In a cyber security program, defense-in-depth includes implementing systems to prevent attacks, to detect an attack in progress and to respond to an attack. These methods are intended to recover a system quickly and minimize any impact from the attack. They are also integrated, as in an automobile, to allow multiple methods to prevent, detect and recover from an attack.

So what NEI is asking is that the rule cover what the rule must cover to ensure public safety and the reliability of the facility, but not everything that has the slightest digital footprint. This is how physical design basis threats are handled in rulemaking. Cyber threats are also considered design basis threats, which means their damage impacts essential plant components. Bringing the cyber security rule into line with the other design basis threat rules creates a cleaner, more effective set of regulations. It ensures that what is protected is fully protected and that time is not wasted on trying to defend a fax machine.

---

We’ve written several posts on cyber security. It’s an important but somewhat underappreciated topic. Look here for more Nuclear Notes coverage.

---

Sometimes, being undercovered would be preferable to bad coverage, which is what ABC News supplied in an exceptionally alarmist story in November:

A destructive “Trojan Horse” malware program has penetrated the software that runs much of the nation’s critical infrastructure and is poised to cause an economic catastrophe, according to the Department of Homeland Security.

National Security sources told ABC News there is evidence that the malware was inserted by hackers believed to be sponsored by the Russian government, and is a very serious threat.

The hacked software is used to control complex industrial operations like oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines and even some nuclear plants. Shutting down or damaging any of these vital public utilities could severely impact hundreds of thousands of Americans.

But none of the components at a nuclear power plant interact with external networks, and they cannot be impacted by malware of this kind. Additionally, the industry was aware of this threat because the Department of Homeland Security briefed it. ABC could have found this out by calling NEI or any nuclear facility (or any energy-related industrial outlet, I expect, though I can’t speak for them), but why wreck a good story with a drive to get at the truth? NEI let ABC know the salient information on Twitter, but there was no change to the story.

Bill Gross, NEI’s senior project manager, engineering, nuclear generation, contributed substantially to this post.
