Protecting the NRC’s Cyber Frontier

By David McIntyre
Public Affairs Officer


The email was flagged urgent and screamed in capital letters: YOUR IMMEDIATE ATTENTION REQUIRED! The message said a software update was needed to avoid major system disruption, and to click a link and enter a network password. The NRC employee who received the email thought the message looked suspicious. Instead of clicking on the link, she forwarded the message as an attachment to the NRC’s Computer Security Incident Response Team.

Within minutes, a CSIRT member was analyzing the email on a computer unconnected to the NRC network. He quickly determined the message was bogus, a “phishing” attempt to gain unauthorized access to the system. He instructed the employee to delete the message and block the sender to avoid receiving any further attempted intrusions from that Internet address.

Had the employee provided her username and password, she could have exposed the NRC’s computer network and its sensitive information to compromise and possible disruption. Personal information about NRC employees would have been at risk, as well as sensitive pre-decisional information about agency policies and licensees. While Safeguards and classified information about the security and status of nuclear plants is maintained on separate higher security systems, the information we process on the NRC corporate network must also be protected.

CSIRT, part of the NRC’s Computer Security Office, is a small group of experts, all highly trained in cyber defense. Their mission is to detect and thwart attacks on the NRC’s computer networks and prevent “spills” of sensitive information. Such attacks can come through phishing attempts, such as the fictional incident described above, malware implanted in website advertisements or viruses and malware on portable data devices.

The team routinely works with other federal agencies, including the Homeland Security Department’s U.S. Computer Emergency Response Team (US-CERT), to stay up to date on the latest vulnerabilities. They even practice “white hat” hacking to test the NRC’s systems.

As a response team, CSIRT investigates suspicious emails that have already passed through the NRC’s extensive SPAM filters and Internet firewall, robust cyber security defenses mounted by the Office of Information Systems.

About 10 million emails are directed to addresses each month, and nearly 90 percent of them are blocked by the agency’s network security technologies as spam or for carrying viruses or suspicious attachments, says Mike Lidell, IT Specialist in the OIS Security Operations and Systems Engineering Branch. The OIS team administers the NRC’s firewalls, intrusion detection systems and spam filters.

While the percentage of blocked emails seems high, Lidell says it’s pretty much “par for the course” for any large organization or government agency. Emails that get through the initial line of defense are scanned again by the internal servers and a third time by the end-user’s individual computer. Internet data returned from the Web is scanned by NRC servers and individual workstations as well to guard against “drive-by downloads” of malicious software.

As Lidell points out, the “defense in depth” is necessary because the attacks are always evolving and changing. Thorne Graham, CSIRT’s team leader, praises a fourth line of defense against email attacks on the agency’s network: The NRC’s 4,000 employees. All NRC employees take annual online computer security training.

“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”


Author: Moderator

Public Affairs Officer for the U.S. Nuclear Regulatory Commission

6 thoughts on “Protecting the NRC’s Cyber Frontier”

  1. I believe that no automatic control functions in a nuclear power plant have computer software or hardware interfaces that could be subject to cyberattack. Is that correct? I believe that this is especially true in older nuclear power plants. Therefore no hacker could take control of a reactor from the automatic system or from the licensed operators. Please and hopefully confirm.

  2. 90% of the emails blocked due to security threats. That could be thousands, upon thousands of external emails. Since you list a percentage then you must know the total number of external incoming emails. How many emails do you receive during each month? Maybe a better question, what are the average number of emails received monthly over a year’s time frame? How many internal emails are blocked due to malicious content?

  3. Your original comment was submitted to the NRC Allegation’s staff for review before posting. We cannot post an allegation on the blog. The post was reviewed today and cleared. Since this post contains the original verbiage and additional verbiage, it was posted in lieu of the original.

    Sorry for the delay.


  4. Where is my comment about cyber-security, it was posted on the 27th, there’s another posting on the 27th above. Do you need approval prior to posting the truth about failed regulatory action and negligence? The incident concerning cyber attacks were conveyed to Commissioner Ostendorf along with other security issues and shortcomings. After all, nuclear security is all of our responsibility – right? Cover-ups do not make for acceptable physical or cyber security.

    “The Nuclear Regulatory Commission is failing to perform required continuous monitoring measures and update other security weaknesses it’s known about for years, a new report from NRC’s Office of the Inspector General found.” – See more at: Those are not my words, this is a report about the NRC’s OIG finding concerning the NRC’s negligence. What remains to be seen, will you make improvements?

    I have contacted the NRC personally about cyber security issues because our organization has found the NRC’s contractor for your web activities attempting to break into one of our computer systems. NRC’s reply, “They work for other government agencies.” There was also a problem with spurious emails which looked identical to NRC emails containing malicious malware. All was reported to the NRC Cyber Security folks. Our organizational computer systems appear to have been attacked by what appears to be nuclear industry proponents.

    Apparently the NRC-OIG says YOU have a problem with cyber-security, and along comes the PR folks of the NRC attempting to paint a different picture. NRC, you have many professional and responsible citizens working at the NRC. But, as you have previously been informed by those who are concerned about you living up to your mission and law, you must make improvements, our lives depend on you performing your mission as required by law. That mission does not include demonstrated deceit, failures nor support of the nuclear power industry. Your job is that of protecting the public, not protecting the nuclear power industry and covering-up regulatory errors.

  5. Nice of you to lead us on thinking that this was an actual cyber-threat. Is that the only way you think we would bother to read your stuff?! The NRC is as big a secret-keeper as the CIA. Not only does the NRC hide behind the Confidential label they hide behind much additional info they liberally classify as Safeguards Info. NRC transparency is an oxymoron!
