James Andersen
Director, Cyber Security Directorate
October is “Cyber Security Awareness” month. While we typically focus on how to secure our personal information, we’d like to update you on the NRC’s efforts to ensure U.S. commercial nuclear power plants are protected from cyber threats.
The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.
Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.
Nuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions will be done late this year.
During Phase 2, which will be completed in 2016-2017, licensees will complete full implementation of their cyber security programs. They will add additional technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection
Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.
The NRC will soon publish a new regulation requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.
With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.
U.S. NRC Blog 
CYBER SECURITY FAILURE AT THE NRC – The OIG Report, January 2016 reveals basic management failures regarding Cyber Security. I thought the big one was the indicator of a lack of oversight with no performance goals, the NRC contracts out their cyber security operations at several levels. No performance goals or measurements for work expectations, an OMG moment, an indicator of various levels of management failures. The disclosure is appreciated., correction of these most serious failures is not an option, it is a must do situation and not take the time the NRC is noted for in correcting failures years later.
NRC OIG report listed via MSNBC – http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/AJDocs/160112-nrc-cybersecurity-IG.pdf
Excerpt which describes in very short order the basic problem: The SOC acronym is for the Security Operations Center
“… there are no performance goals for the SOC, the contract also contains no SOC-specific performance metrics.
It is difficult to understand why the Security Operations Center had no performance goals or objectives. To my way of thinking, this is an intentional action of cyber-security management, which should require an in-depth security investigation to determine if the failure was criminal, intentional subversive activity. or maybe it was just plain ole negligence.
Another revealing statement in the OIG Report regarding contract management:
“NRC management did not perform a detailed analysis of SOC functions to develop service level agreements for the contract.” Again, negligence or intentional criminal activity? The contract management portion of failures outlined – “…the contract is vague regarding content, timing, or recipients of those reports.”
In summary a whole section is titled – “SOC Not Optimized To Protect Agency Network” That specific title sums up the management failures regarding protection of the NRC from cyber-attacks. I’m sure folks would like to believe the lack of attention to detail regarding the Security Operations Center was negligence, that is bad enough, but it is necessary to determine if the failures were intentional.
Thank you NRC OIG for exposing this serious failure regarding cyber-security. The question that remains, what is NRC Operations going to do about this failure?
It is my understanding that the NRC staff believes all digital platforms have a software flaw, which will only be revealed at the time of demand of normal or emergency action. There is no software management/QA system that will assure that the flaw is detected and removed. There is no testing methodology (factory acceptance, surveillance, etc.) that will assure the flaw is detected and removed. Employing redundancy is no solution, since the flaw is common, e.g. operating system, to all digital platforms. Only diverse, redundant digital platforms, cleverly arranged in a fault tolerant configuration, is acceptable. Yet, the NRC staff believes that the same professional engineers, who cannot develop a flaw-free digital platform, can develop protocols which will foil cyber attacks. How does one detect a software flaw intentionally inserted when they cannot detect one that was inserted accidently? Only analog and discrete logic (non-digital) platforms can provide the assurance required.
How will the NRC force a plant to up grade when it is loosing money and has no credit to get the changes done.
There are a range of actions the NRC can take if licensees don’t follow NRC requirements. The basic enforcement action is issuing a notice of violation, which requires the licensee to correct the problem and take steps to keep it from happening again. Serious and/or deliberate violations can result in fines. If there are serious questions about the safety of NRC-licensed activities, the NRC can require the activities be stopped or an individual removed from work involving NRC-licensed materials. The NRC may modify, suspend, or revoke a license at any time. If the NRC stops licensed activities, they cannot begin again until the problems are fixed.
Jim Andersen
I met a man in my practice who owned a cyber safety security company. When I meet my clients I ask them what they do. So I asked him what he feared most in the world regarding cyber security and hacks. Without a moment of hesitation, he said China hacking our grids to get to nuke plants. He didn’t know anything about me or the fact that am ardently opposed to nukes. He said there is no way to prevent China from doing this. He said they’ve been doing it though not effectively enough yet. But it will come. There are a million reasons to shut down the nuclear industry. There is no reason to leave nukes operating. None. The argument regarding nukes as an energy source is now outdated since renewables work more efficiently, cleanly and cheaply than nukes. A wind generator is not going to cause one million deaths from meltdowns( enter and welcome to the trolls who want to counter this number and fact, post Chernobyl/Fukushima).
So let’s get real and shut down nukes, shall we? What have you got to lose except your lives? Oh, your children’s lives. And their children’s lives. Unless of course, you think that radiation is good for you…you know who you are. Me? I’ll eat the apple a day instead.
The plant never needs to refuse a request made by the NRC; the NRC itself never oversees what its demands are and all a nuke plant has to do is nothing. No one is responsible. No one is in control.
It highlighted insufficient funding and training, a “paucity” of regulatory standards, increasing use of digital systems and greater use of cheaper but riskier commercial “off-the-shelf” software.
In addition there is a “pervading myth” that nuclear power plants are protected because they are “air gapped”—in other words not connected to the Internet.
In fact, many nuclear facilities have gradually developed some form of Internet connectivity, and computer systems can be infected with a USB drive or other removable media devices.
Read more at: http://phys.org/news/2015-10-nuclear-power-cyber.html#jCp
After decades of IT education and learning about and around some of the most sophisticated control systems on the planet, and the lesson from Y2K and every other attack you are not prepared or the NRC is scared of this possibility then you NRC are totally incompetent, to say the least.
Or is the NRC just begging for more financial gifts to their benefactors of nuclear avarice.
Really, you guys suck at IT and ITSec if this is a legitimate problem, really!
You should just quit or jump off a bridge now for the incompetence you are sharing.
Most people don’t realize that control and protection logic in legacy plants is still mostly relay and contact matrices – they are not connected to the outside world, and “hacking” would involve entry into a locked cabinet with screwdriver and pliers.
The increasing emphasis on cybersecurity is due to the use of digital control and protection in the next generation plants, and the few legacy ones that are converting over from their original hard wired analog. As with many things, those who know most about the topic are the least likely to talk in detail about it. Those who know least are welcome to speculate wildly.
When the NRC requests a change or add on, what happens if a plant refuses to make the change because the customers are paying a high price for power. In the past requests were denied and never changed to date.
NRC “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.
Looks good on paper.
Click to access 2012-0088scy.pdf
“NRC inspections of Phase 1 actions will be done late this year”.
What, almost 7 years to even check to see if things have been done?
“The NRC will soon publish a new regulation requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.”
Certain cyber attacks? Seems the “cyber security roadmap” should have already stated that ALL cyber attacks were to be reported immediately.
4/27/15
Moniz said the greatest risks to the nation’s electric grid are cyberattacks and extreme weather. The frequency and source of cyberattacks on energy infrastructure are increasing, he said.
http://www.bna.com/funding-mechanism-uncertain-n17179925868/
I’m very concerned because the NRC failed to even enforce reactor fire regulations.
Click to access ucs-nrc-fire-regulations-5-2-13.pdf
10/12/15 Pilgrim nuclear plant never addressed 1992 NRC information notice
http://www.metrowestdailynews.com/article/20151012/NEWS/151019585/0/breaking_ajax