Skip to main content

On Chatham House and Nuclear Cyber Security

The following is a guest post by Bill Gross, Manager, Security Integration and Coordination at Nuclear Energy Institute.

On October 6, 2015 the U.S. Department of Homeland Security (DHS) issued an unclassified version of a report assessing cyber security for the Nuclear Reactors, Materials, and Waste sector. The report was developed with input from the Idaho National Laboratory (INL), the DHS Industrial Control Systems Computer Emergency Response Team (ICS-CERT), the U.S. Nuclear Regulatory Commission (NRC) and others.

The report affirms that the nuclear plant cyber security program, “combined with the industry’s exacting standards and culture of back-up safety systems, will make it extremely difficult for an external adversary to cause a radioactive release.”

It is a breath of fresh air to see such conclusions from an independent cyber security assessment.

The recognition is well earned. The power plants and the NRC have been aggressive at addressing the cyber threat. A concerted industry-wide effort began shortly after the events of September 11, 2001, establishing a cyber security task force that is still active today. The industry voluntarily adopted a cyber security program in 2006 and implemented the program in 2008. In 2007 the NRC amended their Design Basis Threat requirements to include a cyber attack as an explicit adversary attribute, and followed this with mandatory cyber security programmatic requirements in 2009. The key findings of the DHS report affirm the good work the sector has, and continues to achieve.

But the industry's journey has included several learning opportunities. On May 5, 2015, Chatham House (a recognized highly-influential London-based think tank) issued a report entitled, “Cyber Security at Civil Nuclear Facilities; Understanding the Risks.” The Chatham House report takes a look at status of cyber security for nuclear facilities around the world. The report summarizes several historical digital-related events at U.S. Nuclear Plants. While these events, from 2003, 2006, and 2008, had no safety impact, they informed industry efforts to address the risks associated with increasing reliance on digital technologies in the plants.

Some of the enhancements we have put into place include implementing cyber security training applicable to all plant personnel, including visiting contractors and support personnel. The plants have established multi-disciplinary cyber security assessment teams that include individuals representing a wide range of expertise, including IT, cyber security, instrumentation and control, nuclear security, operations and engineering. The digital components within the facility that must be protected against cyber attacks have been identified. The plants have implemented robust controls over the use of portable media (e.g., thumb drives) and portable devices (e.g., laptops) and apply those controls to both plant personnel and visiting contractors. The plants have implemented “data diodes” that allow the plants to extract performance data from the plant while precluding a cyber attack from outside the plant. Digital assets most necessary for ensuring safety and security have been assessed, and necessary cyber security controls have been implemented. Insider mitigation programs have been enhanced.

We’ve learned from those early lessons, and our sector continues to learn – including relying on up-to-date intelligence. As noted in the DHS report:
DHS coordinates a monthly unclassified threat briefing via teleconference for the Nuclear Reactors, Materials, and Waste Sector. The Sector also receives quarterly classified threat briefings. The monthly and quarterly briefings address both cyber and physical threats to the Sector.
On the one hand, the Chatham House report provides recommendations that are sound, and are generally consistent with the lessons learned in U.S. plants’ decade-plus history of enhancing its cyber posture. It is my personal opinion that the recommendations starting with Chapter 7, “Meeting the Challenges: the Way Forward” are prudent for any utility establishing a cyber security program.

On the other hand, the Chatham House report paints a fairly gloomy picture - even of the U.S. facilities that have well-established programs. For example, the document chastises the US plants for trying to clarify that the focus of the cyber security program is on the protection of assets that have a nexus to ensuring safety and security. The report states:
The Nuclear Energy Institute, a lobbying group which represents the nuclear industry’s interests to the US government, put in a request in August 2014 to reduce the number of systems in nuclear plants that would have to be included.
The report fails to assess the efficacy of the industry position - yet later on recommends precisely what the industry request sought to achieve:
It will be important for nuclear facilities to identify the most crucial parts of the plant from a cyber security perspective (notably, their critical cyber assets) in order to grant those the highest levels of protection. As Source 3 states, ‘It needs to be a graded approach; we can’t afford to do everything for every system.’ Prioritization of the cyber risks is therefore key. [Emphasis theirs]
As another example, the report makes the following unsubstantiated claim:
When countries do issue guidance, the cyber security measures that they recommend may not be rigorous enough. In the United States, the guidance issued by the Nuclear Regulatory Commission (NRC) is not sufficient to protect against the cyber security threat.
I disagree with this statement. The NRC’s cyber security rules require the plants to defend against a well-trained, dedicated and determined adversary who is willing to kill or be killed in an effort to achieve a radiological release. The NRC spent years developing guidance that provides acceptable methods to defend against that threat. The NRC’s approved guidance is supported by cyber security standards developed by the National Institute of Standards and Technology (NIST), and embodies the findings by standards organizations and agencies such as the International Society of Automation (ISA), and the Institute of Electrical and Electronics Engineers (IEEE), as well as guidance from the DHS.

The claim appears inconsistent with the DHS assessment, which affirms, “Compliance with the strict regulatory requirements of the Nuclear Reactors, Materials, and Waste Sector makes Sector assets difficult targets for physical or cyber attack.”

The U.S. plants are doing the right things for cyber security, and we welcome the opportunity to share recommended practices and lessons learned with nuclear facilities working to establish cyber security programs.

Comments

Popular posts from this blog

Fluor Invests in NuScale

You know, it’s kind of sad that no one is willing to invest in nuclear energy anymore. Wait, what? NuScale Power celebrated the news of its company-saving $30 million investment from Fluor Corp. Thursday morning with a press conference in Washington, D.C. Fluor is a design, engineering and construction company involved with some 20 plants in the 70s and 80s, but it has not held interest in a nuclear energy company until now. Fluor, which has deep roots in the nuclear industry, is betting big on small-scale nuclear energy with its NuScale investment. "It's become a serious contender in the last decade or so," John Hopkins, [Fluor’s group president in charge of new ventures], said. And that brings us to NuScale, which had run into some dark days – maybe not as dark as, say, Solyndra, but dire enough : Earlier this year, the Securities Exchange Commission filed an action against NuScale's lead investor, The Michael Kenwood Group. The firm "misap

An Ohio School Board Is Working to Save Nuclear Plants

Ohio faces a decision soon about its two nuclear reactors, Davis-Besse and Perry, and on Wednesday, neighbors of one of those plants issued a cry for help. The reactors’ problem is that the price of electricity they sell on the high-voltage grid is depressed, mostly because of a surplus of natural gas. And the reactors do not get any revenue for the other benefits they provide. Some of those benefits are regional – emissions-free electricity, reliability with months of fuel on-site, and diversity in case of problems or price spikes with gas or coal, state and federal payroll taxes, and national economic stimulus as the plants buy fuel, supplies and services. Some of the benefits are highly localized, including employment and property taxes. One locality is already feeling the pinch: Oak Harbor on Lake Erie, home to Davis-Besse. The town has a middle school in a building that is 106 years old, and an elementary school from the 1950s, and on May 2 was scheduled to have a referendu

Wednesday Update

From NEI’s Japan micro-site: NRC, Industry Concur on Many Post-Fukushima Actions Industry/Regulatory/Political Issues • There is a “great deal of alignment” between the U.S. Nuclear Regulatory Commission and the industry on initial steps to take at America’s nuclear energy facilities in response to the nuclear accident in Japan, Charles Pardee, the chief operating officer of Exelon Generation Co., said at an agency briefing today. The briefing gave stakeholders an opportunity to discuss staff recommendations for near-term actions the agency may take at U.S. facilities. PowerPoint slides from the meeting are on the NRC website. • The International Atomic Energy Agency board has approved a plan that calls for inspectors to evaluate reactor safety at nuclear energy facilities every three years. Governments may opt out of having their country’s facilities inspected. Also approved were plans to maintain a rapid response team of experts ready to assist facility operators recoverin