October is National Cyber Security Awareness Month and – before we head into November – it’s now a good time to remember the importance of cyber security. Cyber crime threatens our work, personal life, identity and privacy. Here at the NRC, we’re committed to protecting our internal digital assets and information, as well as ensuring that our regulated facilities’ critical digital systems of are well protected. This vigilance supports the NRC’s security and safety missions.
All NRC employees are required to complete annual training on computer security. Some of the concepts we teach our employees are useful for everyone:
- Set strong passwords and don’t share them with anyone.
- Keep your operating system, browser, and other critical software optimized and secure by installing updates.
- Maintain an open dialogue with your family, friends, and community about Internet safety.
- Limit the amount of personal information you post online, and use privacy settings.
- Be cautious about what you receive or read online; if it sounds too good to be true, it probably is.
The NRC ensures operating power reactor licensees and applicants seeking new licenses implement appropriate protections against cyber threats. Since 2009, the NRC has required each power plant to have a cyber security program in place to protect their computer and communications systems.
Over the last two years we have conducted more than 35 cyber security inspections and actively engaged licensees to ensure all identified issues are addressed. In the recently released “Strategic Plan: Fiscal Years 2014-2018,” we highlight the importance of cyber security guidance for nuclear power reactors, fuel cycle and spent fuel storage facilities, non-power reactors, decommissioned nuclear facilities, and materials licensees.
The NRC is developing a final rule, 10 CFR part 73.77, “Cyber Security Event Notifications,” which, if approved, will require timely notification of cyber security events. This rule is intended to improve the NRC’s ability to respond to cyber security-related plant events, enable the NRC to more effectively evaluate potential threats, and aid the NRC’s overall situational awareness.
In our Cyber Security Directorate, part of the Office of Nuclear Security and Incident Response, we continue to work with federal partners to protect the United States’ critical infrastructure. The NRC joins the Department of Homeland Security in its interagency and public-private efforts under the Sector Specific Agency Nuclear Sector. And we join with other government regulators on the newly-established Cyber Security Forum for Independent and Executive Branch Regulators, led by Chairman Allison Macfarlane. These partnerships strengthen our mutual knowledge base and provide agencies with an opportunity to share methods and approaches to enhance overall cyber security protection.
During Cyber Security Awareness Month, federal agencies are holding a variety of events to promote the conversation – among employees and the public – on this important topic. One of the most important things for our employees and our stakeholders to realize is the individual computer user is the first line of defense in cyber security.
U.S. NRC Blog 
Tip, you posted this on October 29th, this year a goal should be to publish on October 1st.
In another related cyber security posting you mentioned that the NRC blocks 90% of their email due to security problems found in the emails. Here are some questions relating to this activity.
The NRC maintains that 90% of the emails you receive are blocked due to security threats, that could be thousands, upon thousands of external emails. Since you list a percentage then you must know the total number of external incoming emails. How many emails do you receive during each month? Maybe a better question, what are the average number of emails received monthly over a years time frame? How many internal emails are blocked due to malicious content?
As an information security & compliance specialist for over two decades in the nuclear field, some of the biggest problems I see are (1). Lack of formalized and comprehensive information security policies and procedures along with (2) hardly any structured programs for security awareness training for employees and other in-scope personnel (i.e., vendors, contractors, etc.). In today’s growing world of cyber security threats, businesses need to start getting serious about educating their employee, while also creating a constant security mindset ideology within the organization. Accidents, attacks, and breaches do happen, so be prepared and train your employees on best practices.
Cyber security threats are going to continue to grow in the coming years, so it’s highly essential that companies start securing their entire digital infrastructure, which begins by putting in place information security policies and procedures, provisioning and hardening of such systems, and then undertaking comprehensive security awareness training for employees. Call it the 3-point stance for protecting your organization. The problem is that most companies have (1). Outdated policies (2). Don’t have formalized procedures and checklists for hardening their information systems, and (3) do little or nothing when it comes to security awareness training. This won’t cut it in today’s world, so it’s time to get serious about information security.
Additionally, our firm has a small staff of trained nuclear engineers that conduct security and compliance audits for nuclear facilities around the world, so it’s pleasing to finally see the entire global market actually wake up to the real-world that we need nuclear power – and now