U.S. NRC Blog


Five Questions With Tom Rich

Tom Rich is head of the agency’s Information Security Directorate

  1. How would you describe your job in three sentences or less?

My job is to work with others to protect NRC’s information and information systems. This includes providing security training, performing security assessments, testing the vulnerability of our IT systems to phishing and penetration attacks, responding to security incidents and keeping up with situational awareness to see where we may need to strengthen our defenses.

  2. What is the single most important thing you do at work?

Communication with NRC managers and employees regarding threats to our IT systems and data. We do security briefings, security awareness events for staff, and daily meetings with the Chief Information Officer.

  3. What is the single biggest challenge you face?

The dynamic pace of technology changes and the need for cyber defenders to keep up. With the “Internet of Things” becoming more and more a part of our daily lives, the devices we now use in virtually everything we do present security and privacy concerns and introduce a much larger avenue of attack. These devices want to communicate, in some cases sensitive data, through multiple channels with each other and cloud services. The challenge is that these devices do not have adequate security controls built into their design.

  4. What would you consider one of your biggest successes on the job?

We established a cyber security dashboard that measures the NRC’s improvements in security practices. This is an internal mechanism to let NRC stakeholders see what they are doing well and where improvements are needed. Since implementation, we have seen significant improvement in cybersecurity across the agency.

  5. What one thing about the NRC do you wish more people knew?

That we have Resident Inspectors at each of the nuclear plants. I think a lot of the public believe we regulate and inspect from a distance. I do not believe many know we have feet on the ground at the nuclear plants.

Five Questions With is an occasional series where we pose the same five questions to NRC staff.

For more information on National Cyber Security Awareness Month, go here.

REFRESH: Protecting the NRC’s Cyber Frontier

By David McIntyre
Public Affairs Officer

The email was flagged urgent and screamed in capital letters: YOUR IMMEDIATE ATTENTION REQUIRED! The message said a software update was needed to avoid major system disruption, and to click a link and enter a network password.

The NRC employee who received the email thought the message looked suspicious. Instead of clicking on the link, she forwarded the message as an attachment to the NRC’s Computer Security Incident Response Team.

Within minutes, a CSIRT member was analyzing the email on a computer unconnected to the NRC network. He quickly determined the message was bogus, a “phishing” attempt to gain unauthorized access to the system. He instructed the employee to delete the message and block the sender to avoid receiving any further attempted intrusions from that Internet address.

Had the employee provided her username and password, she could have exposed the NRC’s computer network and its sensitive information to compromise and possible disruption. Personal information about NRC employees would have been at risk, as well as sensitive pre-decisional information about agency policies and licensees.

While Safeguards and classified information about the security and status of nuclear plants is maintained on separate higher security systems, the information we process on the NRC corporate network must also be protected.

CSIRT, part of the NRC’s Computer Security Office, is a small group of experts, all highly trained in cyber defense. Their mission is to detect and thwart attacks on the NRC’s computer networks and prevent “spills” of sensitive information. Such attacks can come through phishing attempts, such as the fictional incident described above, malware implanted in website advertisements or viruses and malware on portable data devices.

The team routinely works with other federal agencies, including the Homeland Security Department’s U.S. Computer Emergency Response Team (US-CERT) to stay up to date on the latest vulnerabilities. They even practice “white hat” hacking to test the NRC’s systems.

As a response team, CSIRT investigates suspicious emails that have already passed through the NRC’s extensive SPAM filters and Internet firewall, robust cyber security defenses mounted by the Office of Information Systems.

About 10 million emails are directed to NRC.gov addresses each month, and nearly 90 percent of them are blocked by the agency’s network security technologies as spam or for carrying viruses or suspicious attachments, says Mike Lidell, IT Specialist in the OIS Security Operations and Systems Engineering Branch. The OIS team administers the NRC’s firewalls, intrusion detection systems and spam filters.

While the percentage of blocked emails seems high, Lidell says it’s pretty much “par for the course” for any large organization or government agency. Emails that get through the initial line of defense are scanned again by the internal servers and a third time by the end-user’s individual computer. Internet data returned from the Web is scanned by NRC servers and individual workstations as well to guard against “drive-by downloads” of malicious software.

As Lidell points out, the “defense in depth” is necessary because the attacks are always evolving and changing. Thorne Graham, CSIRT’s team leader, praises a fourth line of defense against email attacks on the agency’s network: The NRC’s 4,000 employees. All NRC employees take annual online computer security training.

“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”

REFRESH is an occasional series where we republish previous posts. This originally ran in November 2014.

A Solemn Anniversary

Stephen Burns

This Sunday marks the 15th anniversary of the terrorist attacks of September 11, 2001. As always, that day is a time for reflection, which the passing years do not diminish. The events of that day still seem as fresh and raw now as they did at the time.

NUREG/BR-0314, Rev. 4, "August 2015 Protecting Our Nation."

That was certainly a pivotal day for us as a nation, for us as individuals and us as employees of the NRC. Here, staff went quickly into response mode even as the significance of the day was not yet clear. Senior managers gathered in the Operations Center and at the regional Incident Response Centers; other employees were sent home; security was heightened around the buildings; and licensee facilities were ordered to their highest level of security.

The NRC, like the rest of the country, pulled together and experienced a sense of renewed purpose and affirmation of our values as a democracy. As then Chairman Richard Meserve told employees: These are trying times, but we will persevere.

And we did. In the years since, the NRC increased its focus on security, revised its security inspection program, restructured and enhanced the force-on-force program, strengthened radioactive material controls, updated its Operations Center and exercised regularly for security events in addition to safety events. The NRC responded to the challenge in ways that also still reverberate today and affect nearly everything we do.

The NRC’s excellent publication Protecting our Nation goes into detail about actions the NRC has taken to strengthen security, emergency planning and incident response in the years since. On this anniversary, please take a few moments to read it while we reflect on the tragedy that day still represents for us all.

Pokémon Go — Not a Go at Nuclear Plants

Prema Chandrathil
Public Affairs Officer
NRC Region III

The highly popular cellphone game has found its way to a U.S. commercial nuclear power plant.

The Pokémon Go game lets users chase and catch virtual creatures with their cellphone cameras. However, Pokémon Go and other games that use the GPS signals in our phones are creating safety and security issues. Local law enforcement officials across the country have cautioned folks to pay attention while playing and be careful not to wander into traffic (warnings that have not always been heeded). The phrase “heads up” takes on new meaning here.

The games have even enticed players to trespass on private property — including the Perry nuclear power plant in northeastern Ohio.

Recently, three teenagers pursued one of the strange looking cartoon creatures into the employee parking lot of the Perry plant, at 3 in the morning! Instead of catching the Pokémon, they were caught by security officers and escorted off the property.

But it could have ended very differently — and much more seriously — for these Pokémon pursuers.

Commercial nuclear plants are among the best-protected facilities in the country. Their security officers are highly trained professionals who carry guns and are authorized to use them in protecting the plant. Though you might not always see the protective measures and many details are not publicly available, security is in place. (Click here for more info on the NRC’s security requirements for nuclear power plants.)

So have fun exploring and climbing over rocks searching for those virtual creatures, but the bottom line is be safe while playing these games. A nuclear power plant is not the place to be searching for Pikachu.


Maintaining Radioactive Material Security Through Rules, Not Orders

Kim Lukes
Health Physicist
Office of Nuclear Material Safety and Safeguards

The NRC’s rulemaking process can be lengthy. This ensures that members of the public and interested stakeholders have an opportunity to participate and provide feedback on new requirements as they are developed.

There are occasions, though, when we need to move quickly. In these cases, the Commission can issue “orders” to any licensee to require them to address an issue promptly.

Following the Sept. 11 attacks, we revised our approach to security for certain radioactive materials. The NRC issued new security requirements via “orders” to certain licensees requiring added protective measures when using and transporting certain types and amounts of radioactive material. The new requirements focused on materials the International Atomic Energy Agency designates as Category 1 and 2, which are the two most safety-significant quantities.

The strongest restrictions were placed on these categories of radioactive material through the NRC orders due to their type and quantity, which can pose the greatest potential risk to health if used to do harm.

The requirements included background checks to ensure that people with access to radioactive materials are trustworthy and reliable. The orders also required access controls to areas where radioactive materials are stored and security barriers to prevent theft of portable devices.

Over the longer term, the NRC developed new regulations to formalize the requirements in the security orders. The creation of Part 37 to Title 10 of the Code of Federal Regulations, published in 2013, was intended to replace the orders. These rules ensure strong regulatory standards are maintained for the protection of certain types and quantities of radioactive material. NRC licensees were required to meet the new regulations in March 2014.

The NRC has agreements with 37 states allowing them to regulate radioactive materials. The Agreement States had to adopt compatible Part 37 security requirements, and their licensees had until March 19, 2016, to comply.

Because licensees are now in compliance with the new rules, the NRC has rescinded a series of material security orders. There is no change to security for these categories of radioactive material. These licensees have maintained the same higher level of security since we first issued the orders.

We are rescinding them because they are no longer needed. Licensees are complying with the Part 37 rules, instead of the orders. More details about the rescissions and our security requirements can be found here and in 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material.
