By David McIntyre
Public Affairs Officer
The email was flagged urgent and screamed in capital letters: YOUR IMMEDIATE ATTENTION REQUIRED! The message said a software update was needed to avoid major system disruption and told the recipient to click a link and enter a network password.
The NRC employee who received the email thought the message looked suspicious. Instead of clicking on the link, she forwarded the message as an attachment to the NRC’s Computer Security Incident Response Team.
Within minutes, a CSIRT member was analyzing the email on a computer unconnected to the NRC network. He quickly determined the message was bogus, a “phishing” attempt to gain unauthorized access to the system. He instructed the employee to delete the message and block the sender to avoid receiving any further attempted intrusions from that Internet address.
Had the employee provided her username and password, she could have exposed the NRC’s computer network and its sensitive information to compromise and possible disruption. Personal information about NRC employees would have been at risk, as well as sensitive pre-decisional information about agency policies and licensees.
While Safeguards and classified information about the security and status of nuclear plants is maintained on separate higher security systems, the information we process on the NRC corporate network must also be protected.
CSIRT, part of the NRC’s Computer Security Office, is a small group of experts, all highly trained in cyber defense. Their mission is to detect and thwart attacks on the NRC’s computer networks and prevent “spills” of sensitive information. Such attacks can come through phishing attempts, such as the fictional incident described above; malware implanted in website advertisements; or viruses and malware on portable data devices.
The team routinely works with other federal agencies, including the Homeland Security Department’s U.S. Computer Emergency Response Team (US-CERT), to stay up to date on the latest vulnerabilities. They even practice “white hat” hacking to test the NRC’s systems.
As a response team, CSIRT investigates suspicious emails that have already passed through the NRC’s extensive SPAM filters and Internet firewall, robust cyber security defenses mounted by the Office of Information Systems.
About 10 million emails are directed to NRC.gov addresses each month, and nearly 90 percent of them are blocked by the agency’s network security technologies as spam or for carrying viruses or suspicious attachments, says Mike Lidell, IT Specialist in the OIS Security Operations and Systems Engineering Branch. The OIS team administers the NRC’s firewalls, intrusion detection systems and spam filters.
While the percentage of blocked emails seems high, Lidell says it’s pretty much “par for the course” for any large organization or government agency. Emails that get through the initial line of defense are scanned again by the internal servers and a third time by the end-user’s individual computer. Internet data returned from the Web is scanned by NRC servers and individual workstations as well to guard against “drive-by downloads” of malicious software.
As Lidell points out, the “defense in depth” is necessary because the attacks are always evolving and changing. Thorne Graham, CSIRT’s team leader, praises a fourth line of defense against email attacks on the agency’s network: The NRC’s 4,000 employees. All NRC employees take annual online computer security training.
“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”
REFRESH is an occasional series where we republish previous posts. This originally ran in November 2014.
I definitely agree
Unfortunately... as we’ve seen numerous times with unplanned manual shutdowns of nuclear plants, it does require human intervention. In the alternative, human error has also been responsible for many otherwise avoidable accidents over the years too. At some point, (one would think radiation being the major cause of cancer is enough), the risk must be recognized that it exceeds the benefit and until then there will be both releases of radiation and attempts by criminals to hack sensitive information. Get rid of it and several problems are solved.
2012 study: “Abstract…The IOM found sufficient evidence to conclude that the 2 environmental factors most strongly associated with breast cancer were exposure to ionizing radiation and to combined postmenopausal hormone therapy. The IOM’s conclusion of a causal relation between radiation exposure and cancer is consistent with a large and varied literature showing that exposure to radiation in the same range as used for computed tomography will increase the risk of cancer….”
https://www.ncbi.nlm.nih.gov/pubmed/22688684
As an expert in energy, and energy conservation, I have that without a doubt, leaving the “conservation plan” in the hands of the general employees of an organization, is the surest way to failure. “Turn out the lights”, “Turn down the thermostat when you are leaving”, “don’t use electric heat foot warmers (because the aircon is out of control)”
All of these are a guaranteed “lose”
So the NRC statement of
“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”
Sounds like a politically correct, gov speak, feel good, go rah rah team saying. Which if internalized into the belief system of management, will undoubtedly leave major security issues unaddressed.
Them thar is weasel words. I can smell them a mile away.