Posts

Showing posts with the label Cyber Security

How the U.S. Nuclear Industry Is Countering Cyber-Threats

Today in Vienna, the Nuclear Threat Initiative released a report on cyber security at nuclear energy facilities. While we've yet to have the chance to review the research in depth, it's important to note that efforts to address cyber security at nuclear facilities got underway in earnest shortly after the 9-11 attacks in September 2001, when an industry task force to address the issue was formed that exists to this day. As of the end of 2012, working at the behest of the Nuclear Regulatory Commission, every U.S. nuclear plant had implemented a raft of programs to address a wide variety of cyber-threats. So how do those programs measure up? In October 2015, the U.S. Department of Homeland Security published an unclassified version of a report that analyzed cyber security in the broader U.S. nuclear sector, including radioactive materials and waste facilities. The report concluded that the sector's programs, “combined with the industry’s exacting standards and cultur...

On Chatham House and Nuclear Cyber Security

The following is a guest post by Bill Gross, Manager, Security Integration and Coordination at Nuclear Energy Institute. On October 6, 2015 the U.S. Department of Homeland Security (DHS) issued an unclassified version of a report assessing cyber security for the Nuclear Reactors, Materials, and Waste sector. The report was developed with input from the Idaho National Laboratory (INL), the DHS Industrial Control Systems Computer Emergency Response Team (ICS-CERT), the U.S. Nuclear Regulatory Commission (NRC) and others. The report affirms that the nuclear plant cyber security program, “combined with the industry’s exacting standards and culture of back-up safety systems, will make it extremely difficult for an external adversary to cause a radioactive release.” It is a breath of fresh air to see such conclusions from an independent cyber security assessment. The recognition is well earned. The power plants and the NRC have been aggressive at addressing the cyber threat...

Join Us For a Twitter Chat on Blackhat and Nuclear Energy January 16 at 3:15 P.M.

A pensive Hemsworth. Last week we first took note of the television ad blitz around Blackhat, the new cyber crime thriller directed by Michael Mann and starring Chris Hemsworth that premieres tomorrow all around the USA. Obviously, the timing for the movie could hardly be better, coming off the recent hacking of the Twitter feed for U.S. Central Command and word that cyber security will be front and center in next Tuesday's State of the Union. Why are we interested? As we mentioned last week, there's an early plot point that involves the hacking of control systems at a nuclear power plant - an eventuality that the industry has taken safeguards against. Thanks to bad timing, we weren't able to get a seat to a press screening on Tuesday night (props to NBC Universal for making a good faith effort to get us inside, we appreciate it), but we'll be paying for a ticket and seeing the film tomorrow afternoon at a theater in Washington a few blocks from the White House. Bill Gross...

Blackhat, Nuclear Energy and Cyber Security

While many of us were home for the holidays we couldn't escape the movie trailer for Blackhat, a cyber crime thriller directed by Michael Mann starring Chris Hemsworth. Set to premiere in the U.S. on January 16, the trailer includes a cyber attack on a nuclear power plant in China. We've dealt with the issue of cyber security with some frequency here at NEI Nuclear Notes. I'd refer our readers back to a post written by NEI's Bill Gross almost two years ago that outlined industry actions in this area to mitigate against the possibility of a cyber attack (emphasis mine). By December 31, 2012, each U.S. nuclear power plant has: Isolated key control systems using either air-gaps or robust hardware based isolation devices. As a result, the key safety, security, and power generation equipment at the plants are protected from any network based cyber attacks originating outside the plant. Enhanced and implemented robust controls over the use of portable media ...

Cyber Security and Defending What’s Important

We read all the time about various data breaches that cause – potentially, anyway – a good deal of pain. Probably the best known example recently was the theft of over 40 million credit card numbers from Target last year, which has led to a lawsuit from the companies that had to replace all those cards and a class action suit from disgruntled customers. We’ve no brief on Target’s cyber security strategy, except that we expect it to get a full review. But it certainly suggests the value of a good cyber security program:  defending what must be defended to ensure the public good. Cyber security at nuclear energy plants – and all essential infrastructure - is extremely important because the potential for malicious mischief is very high – not from thieves as much as terrorists and others who want to cripple the electricity grid or cause a radioactive release. Stealing credit cards can be discomforting, but attacking a nuclear facility could have grave impacts. For these and ...

Nuclear Cyber Security and Its Discontents

The minority (that is, the Republicans) on the Senate Homeland Security and Governmental Affairs committee released a report that shows a number of federal agencies, including the Nuclear Regulatory Commission, exercising lax cyber security. In some instances, the brew is rather weak – antivirus software has not been updated at some agencies, which probably has Symantec worried - but there’s some substantial stuff in it, too. This sums up the report’s finding on the NRC: Yet just about every aspect of that process [addressing cyber security weaknesses] appears to be broken at the NRC. Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not. The first thing to note is that this has nothing whatever to do with cyber security at nuclear energy facilities. In some ways, this report confuses network security with what is a much broader topic. Government agency network security has be...

Partnerships and Information Sharing in President Obama's Executive Order on Cyber Security

President Obama at 2013 SOTU. Yesterday President Obama signed an Executive Order aimed at helping the nation harden its critical infrastructure against cyber attacks, and introduced it to the nation as part of his State of the Union address. The Order states, "We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards." The partnership model has a history of success, and it is prudent to continue and support this model. The nuclear power industry has an active partnership with the U.S. Department of Homeland Security specifically geared toward enhancing the security of commercial users of nuclear materials. Under HSPD-7, the industry established the Nuclear Sector Coordinating Council (NSCC), and the government established the Government Coordinating Council (GCC). These groups meet quarterly under the Critic...

Nuclear Power Plant Response to the Cyber Threat

Our nation’s commercial nuclear power plants take the cyber threat seriously.  Our industry has been developing and implementing cyber security programs since shortly after the events of September 11, 2001.  The industry’s efforts culminated in a binding industry initiative to implement a cyber security program consistent with the guidance in a document endorsed by the NRC as an acceptable method for establishing a cyber security program.  All plants implemented this program by mid-2008. The U.S. Nuclear Regulatory Commission (NRC) is a strong regulator in this area.  The NRC’s efforts to create a cyber security regulatory framework for the plants began shortly after September 11, 2001.  The NRC issued orders after September 11 that required power reactor licensees to implement interim compensatory measures to enhance cyber security at their sites. These security measures required an assessment sufficient to provide protection against the cyber threats at t...

MIT Recommends Single Agency to Manage Cyber Security Threats for Electricity Grid

The Massachusetts Institute of Technology released a report on Monday that discusses the future challenges facing the U.S. electricity grid and several recommendations for how to best manage them. The researchers found that one of the most notable challenges facing the electricity grid is the threat of cyber attack. MIT writes in the report: Perfect protection from cyberattacks is not possible. There will be a successful attack at some point. This is a huge threat to the grid because a cyber attack in one area has the ability to affect other areas very rapidly, which could greatly disrupt power supply all over the country. Cyber attacks are also considered by the Pentagon to be an “act of war,” said the MIT researchers at a National Press Club event this week. To best manage this issue, MIT recommends that: The federal government should designate a single agency to have responsibility for working with industry and to have the appropriate regulatory authority to enhance c...

On the FT and Cyber Security

Earlier today, the Financial Times published a story concerning how computer hackers might be able to attack America's electric infrastructure. While the story didn't mention the nuclear energy industry specifically, we thought it would be a good idea to remind everyone that NEI's in-house expert on cyber security, Bill Gross, recently tackled the issue of how the nuclear industry has been responding to these potential threats: The nuclear sector is a leader in the area of cyber security. The Nuclear Energy Institute established a Cyber Security Task Force in 2002 to begin developing recommendations and guidance for nuclear facilities to address cyber security threats. In 2006, in the absence of regulations, the nuclear power plants adopted and, by May of 2008, implemented a robust cyber security program. This program was recognized by both NRC and NERC as adequate for the protection of critical systems. In March of 2009, the NRC issued mandatory and comprehensive perfor...

Recommendations of the House Republican Cybersecurity Task Force

Today the House Republican Cybersecurity Task Force released a set of recommendations on how House Republicans should approach issues associated with cyber security. The recommendations recognize that targeted and limited regulations may be warranted for certain critical infrastructure sectors. The Task Force recommendations promote the use of existing regulators and recognize the need to coordinate security standards across sectors and within sectors subject to multiple regulators. This approach is reasonable, and consistent with how the nuclear sector has been addressing cyber issues. The nuclear sector is a leader in the area of cyber security. The Nuclear Energy Institute established a Cyber Security Task Force in 2002 to begin developing recommendations and guidance for nuclear facilities to address cyber security threats. In 2006, in the absence of regulations, the nuclear power plants adopted and, by May of 2008, implemented a robust cyber security ...