U.S. NRC Blog

Transparent, Participate, and Collaborate

UPDATE: Protecting Commercial Nuclear Facilities from Cyber Attack

James Andersen
Director, Cyber Security Directorate

The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.

Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.

cybersecNuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions were completed in 2015.

During Phase 2, which will be completed by the end of this year, licensees will complete full implementation of their cyber security programs. They will add additional technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection

Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.

The NRC published a new regulation in late 2015 requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.

With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.

This post first ran in October 2015

5 responses to “UPDATE: Protecting Commercial Nuclear Facilities from Cyber Attack

  1. Anonymous January 23, 2017 at 7:25 pm

    The agency issued Standard Review Plan – 13.6.6 titled “Cyber Security Plan” for commrnents in a draft form in November, 2010. When does the staff plan to issue its Final Guidance on Cyber Security for nuclear plants design – after a real attack !!!

  2. Ace Hoffman (@AceHoffman) January 23, 2017 at 9:46 am

    1986:Lawrence Berkeley Labs hacked by Germans, Clifford Stoll discovers the hack, writes best-selling book called The Cuckoo’s Egg. Everyone except the NRC becomes well aware of the problem.
    1988: Morris worm infects 10% of world’s servers.
    1994: Griffiss AFB, Goddard Space Center, Wright-Patterson AFB attacked by anonymous hackers, “sensitive information” stolen.
    1997 NSA tests reveal systems throughout the USA are easily hacked.
    1998 Harvard and several other academic institutions hacked — by three teenagers.
    1998 DoD establishes Joint Task Force on Computer Network Defence.
    2001 (July) Code Red worm affect thousands of Microsoft computers including White House site.
    … and the list goes on…
    2015-2016 Hackers presumed to be Russian infiltrate US elections, reveal dishonesty by the DNC to get their preferred candidate elected.

    2001: NRC finally starts to recognize there’s a problem.
    2016 Ukraine energy grid hacked, presumably by Russians.
    2017: US and other reactors still filled with compromised hardware and software vulnerable to IoT attacks, operating system attacks, server and system-wide attacks, still filled with counterfeit parts, aging hardware, unchanged “admin” passwords
    January 23rd, 2017: NRC claims to be on the ball, involving “defense in depth”, announces that reactor operators have been required since 2015 to notify the agency of “certain” cyber attacks, republishes post from October 2015.

  3. Jack Coupal January 23, 2017 at 8:46 am

    Any effective attack on the US would obviously give higher priority to destroy or inactivate US nuclear power plants. While relatively small in number, those plants are crucial to continuing national security, providing energy for private and public needs during a concerted attack against the United States.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: