Director, Cyber Security Directorate
October is “Cyber Security Awareness” month. While we typically focus on how to secure our personal information, we’d like to update you on the NRC’s efforts to ensure U.S. commercial nuclear power plants are protected from cyber threats.
The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.
Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.
Nuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions will be done late this year.
During Phase 2, which will be completed in 2016-2017, licensees will complete full implementation of their cyber security programs. They will add additional technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection
Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.
The NRC will soon publish a new regulation requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.
With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.