Skip to main content

On Chatham House and Nuclear Cyber Security

The following is a guest post by Bill Gross, Manager, Security Integration and Coordination at Nuclear Energy Institute.

On October 6, 2015 the U.S. Department of Homeland Security (DHS) issued an unclassified version of a report assessing cyber security for the Nuclear Reactors, Materials, and Waste sector. The report was developed with input from the Idaho National Laboratory (INL), the DHS Industrial Control Systems Computer Emergency Response Team (ICS-CERT), the U.S. Nuclear Regulatory Commission (NRC) and others.

The report affirms that the nuclear plant cyber security program, “combined with the industry’s exacting standards and culture of back-up safety systems, will make it extremely difficult for an external adversary to cause a radioactive release.”

It is a breath of fresh air to see such conclusions from an independent cyber security assessment.

The recognition is well earned. The power plants and the NRC have been aggressive at addressing the cyber threat. A concerted industry-wide effort began shortly after the events of September 11, 2001, establishing a cyber security task force that is still active today. The industry voluntarily adopted a cyber security program in 2006 and implemented the program in 2008. In 2007 the NRC amended their Design Basis Threat requirements to include a cyber attack as an explicit adversary attribute, and followed this with mandatory cyber security programmatic requirements in 2009. The key findings of the DHS report affirm the good work the sector has, and continues to achieve.

But the industry's journey has included several learning opportunities. On May 5, 2015, Chatham House (a recognized highly-influential London-based think tank) issued a report entitled, “Cyber Security at Civil Nuclear Facilities; Understanding the Risks.” The Chatham House report takes a look at status of cyber security for nuclear facilities around the world. The report summarizes several historical digital-related events at U.S. Nuclear Plants. While these events, from 2003, 2006, and 2008, had no safety impact, they informed industry efforts to address the risks associated with increasing reliance on digital technologies in the plants.

Some of the enhancements we have put into place include implementing cyber security training applicable to all plant personnel, including visiting contractors and support personnel. The plants have established multi-disciplinary cyber security assessment teams that include individuals representing a wide range of expertise, including IT, cyber security, instrumentation and control, nuclear security, operations and engineering. The digital components within the facility that must be protected against cyber attacks have been identified. The plants have implemented robust controls over the use of portable media (e.g., thumb drives) and portable devices (e.g., laptops) and apply those controls to both plant personnel and visiting contractors. The plants have implemented “data diodes” that allow the plants to extract performance data from the plant while precluding a cyber attack from outside the plant. Digital assets most necessary for ensuring safety and security have been assessed, and necessary cyber security controls have been implemented. Insider mitigation programs have been enhanced.

We’ve learned from those early lessons, and our sector continues to learn – including relying on up-to-date intelligence. As noted in the DHS report:
DHS coordinates a monthly unclassified threat briefing via teleconference for the Nuclear Reactors, Materials, and Waste Sector. The Sector also receives quarterly classified threat briefings. The monthly and quarterly briefings address both cyber and physical threats to the Sector.
On the one hand, the Chatham House report provides recommendations that are sound, and are generally consistent with the lessons learned in U.S. plants’ decade-plus history of enhancing its cyber posture. It is my personal opinion that the recommendations starting with Chapter 7, “Meeting the Challenges: the Way Forward” are prudent for any utility establishing a cyber security program.

On the other hand, the Chatham House report paints a fairly gloomy picture - even of the U.S. facilities that have well-established programs. For example, the document chastises the US plants for trying to clarify that the focus of the cyber security program is on the protection of assets that have a nexus to ensuring safety and security. The report states:
The Nuclear Energy Institute, a lobbying group which represents the nuclear industry’s interests to the US government, put in a request in August 2014 to reduce the number of systems in nuclear plants that would have to be included.
The report fails to assess the efficacy of the industry position - yet later on recommends precisely what the industry request sought to achieve:
It will be important for nuclear facilities to identify the most crucial parts of the plant from a cyber security perspective (notably, their critical cyber assets) in order to grant those the highest levels of protection. As Source 3 states, ‘It needs to be a graded approach; we can’t afford to do everything for every system.’ Prioritization of the cyber risks is therefore key. [Emphasis theirs]
As another example, the report makes the following unsubstantiated claim:
When countries do issue guidance, the cyber security measures that they recommend may not be rigorous enough. In the United States, the guidance issued by the Nuclear Regulatory Commission (NRC) is not sufficient to protect against the cyber security threat.
I disagree with this statement. The NRC’s cyber security rules require the plants to defend against a well-trained, dedicated and determined adversary who is willing to kill or be killed in an effort to achieve a radiological release. The NRC spent years developing guidance that provides acceptable methods to defend against that threat. The NRC’s approved guidance is supported by cyber security standards developed by the National Institute of Standards and Technology (NIST), and embodies the findings by standards organizations and agencies such as the International Society of Automation (ISA), and the Institute of Electrical and Electronics Engineers (IEEE), as well as guidance from the DHS.

The claim appears inconsistent with the DHS assessment, which affirms, “Compliance with the strict regulatory requirements of the Nuclear Reactors, Materials, and Waste Sector makes Sector assets difficult targets for physical or cyber attack.”

The U.S. plants are doing the right things for cyber security, and we welcome the opportunity to share recommended practices and lessons learned with nuclear facilities working to establish cyber security programs.

Comments

Anonymous said…
The Chatham House report is needlessly sensationalistic. For example, it makes the following statement:

"At Browns Ferry, it seems that the network produced excess traffic that caused the reactor recirculation pumps and condensate demineralizer controller to fail. The plant’s Unit 3 then had to be manually shut down in order to avoid a meltdown (Kesler, 2011).”

This statement is completely incorrect. Trips of cooling water recirculating pumps occur routinely and, because turbine condenser cooling is reduced rapidly, normally cause a reactor trip. The statement "to avoid a meltdown" is gratuitously sensational. This NEI review points out correctly that the recommendations of the study are reasonable, but one wonders why the authors felt the need to make very incorrect claims about cyber vulnerability, as with this claim about Browns Ferry.

Popular posts from this blog

Missing the Point about Pennsylvania’s Nuclear Plants

A group that includes oil and gas companies in Pennsylvania released a study on Monday that argues that twenty years ago, planners underestimated the value of nuclear plants in the electricity market. According to the group, that means the state should now let the plants close.

Huh?

The question confronting the state now isn’t what the companies that owned the reactors at the time of de-regulation got or didn’t get. It’s not a question of whether they were profitable in the '80s, '90s and '00s. It’s about now. Business works by looking at the present and making projections about the future.

Is losing the nuclear plants what’s best for the state going forward?

Pennsylvania needs clean air. It needs jobs. And it needs protection against over-reliance on a single fuel source.


What the reactors need is recognition of all the value they provide. The electricity market is depressed, and if electricity is treated as a simple commodity, with no regard for its benefit to clean air o…

How Nanomaterials Can Make Nuclear Reactors Safer and More Efficient

The following is a guest post from Matt Wald, senior communications advisor at NEI. Follow Matt on Twitter at @MattLWald.

From the batteries in our cell phones to the clothes on our backs, "nanomaterials" that are designed molecule by molecule are working their way into our economy and our lives. Now there’s some promising work on new materials for nuclear reactors.

Reactors are a tough environment. The sub atomic particles that sustain the chain reaction, neutrons, are great for splitting additional uranium atoms, but not all of them hit a uranium atom; some of them end up in various metal components of the reactor. The metal is usually a crystalline structure, meaning it is as orderly as a ladder or a sheet of graph paper, but the neutrons rearrange the atoms, leaving some infinitesimal voids in the structure and some areas of extra density. The components literally grow, getting longer and thicker. The phenomenon is well understood and designers compensate for it with a …

A Billion Miles Under Nuclear Energy (Updated)

And the winner is…Cassini-Huygens, in triple overtime.

The spaceship conceived in 1982 and launched fifteen years later, will crash into Saturn on September 15, after a mission of 19 years and 355 days, powered by the audacity and technical prowess of scientists and engineers from 17 different countries, and 72 pounds of plutonium.

The mission was so successful that it was extended three times; it was intended to last only until 2008.

Since April, the ship has been continuing to orbit Saturn, swinging through the 1,500-mile gap between the planet and its rings, an area not previously explored. This is a good maneuver for a spaceship nearing the end of its mission, since colliding with a rock could end things early.

Cassini will dive a little deeper and plunge toward Saturn’s surface, where it will transmit data until it burns up in the planet’s atmosphere. The radio signal will arrive here early Friday morning, Eastern time. A NASA video explains.

In the years since Cassini has launc…