UPDATE: Protecting Commercial Nuclear Facilities from Cyber Attack

James Andersen
Director, Cyber Security Directorate

The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.

Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.

Nuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions were completed in 2015.

During Phase 2, which will be completed by the end of this year, licensees will complete full implementation of their cyber security programs. They will add additional technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection.

Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.

The NRC published a new regulation in late 2015 requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.

With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.

This post first ran in October 2015.

REFRESH: Pokémon Go — Not a Go at Nuclear Plants

Prema Chandrathil
Public Affairs Officer
NRC Region III

The highly popular cellphone game has found its way to a U.S. commercial nuclear power plant.

The Pokémon Go game lets users chase and catch virtual creatures with their cellphone cameras. However, Pokémon Go and other games that use the GPS signals in our phones are creating safety and security issues. Local law enforcement officials across the country have cautioned folks to pay attention while playing and be careful not to wander into traffic (warnings that have not always been heeded). The phrase “heads up” takes on new meaning here.

The games have even enticed players to trespass on private property — including the Perry nuclear power plant in northeastern Ohio.

Recently, three teenagers pursued one of the strange looking cartoon creatures into the employee parking lot of the Perry plant, at 3 in the morning! Instead of catching the Pokémon, they were caught by security officers and escorted off the property.

But it could have ended very differently – and much more seriously — for these Pokémon pursuers.

Commercial nuclear plants are among the best-protected facilities in the country. Their security officers are highly trained professionals who carry guns and are authorized to use them in protecting the plant. Though you might not always see the protective measures and many details are not publicly available, security is in place. (Click here for more info on the NRC’s security requirements for nuclear power plants.)

So have fun exploring and climbing over rocks searching for those virtual creatures, but the bottom line is be safe while playing these games. A nuclear power plant is not the place to be searching for Pikachu.

REFRESH is an occasional series where we revisit previous posts. This post, which first ran in July 2016, was by far one of the most popular posts of last year.