U.S. NRC Blog

Transparent, Participate, and Collaborate

Category Archives: Nuclear Security

REAL ID and Access to Nuclear Power Plants

Mark Resner
Senior Security Specialist

October 10 was the deadline for five states to comply with the REAL ID Act of 2005, implementing federal standards for tamper-proof identification documents such as driver’s licenses. According to the Department of Homeland Security, effective Jan. 30, 2017, “nuclear power plants may not accept for official purposes driver’s licenses and state IDs from a noncompliant state/territory without an extension.”

deadly force horzThe five states now coming under REAL ID Act enforcement are Kentucky, Maine, Oklahoma, Pennsylvania and South Carolina. They join Minnesota, Missouri and Washington state on DHS’s “non-compliant” list. Several other states have extensions in effect through either June or October of next year, allowing federal facilities to accept their existing identification documents while the states try to come into compliance with the Act’s requirements.

What does this mean for nuclear plants? Will residents of non-compliant states have trouble gaining access to plants?

For the majority of people entering nuclear plants – those who work there – this will have virtually no effect. State issued IDs such as driver’s licenses are never the sole data point for admitting anyone to a nuclear plant, either a worker or a visitor. Nuclear power plant workers have employee badges issued by their employers following an extensive background and criminal records check, psychological assessments, and drug and alcohol testing.

Although visitors are generally known in advance of their arrival, screened through the industry database against a list of individuals who would be denied access, approved by a nuclear plant employee who has undergone the required background screening, and continuously escorted while inside the protected area of the facility, visitors will need to show REAL ID Act-compliant identification. If their state is non-compliant, they will need to produce other official identification such as a passport.

The REAL ID program is intended to enhance the nation’s security by making it harder for terrorists to obtain state-issued identification documents. The NRC’s access authorization requirements for nuclear power plants (set out in regulation at 10 CFR 73.56 and 10 CFR 73.57) already go beyond REAL ID in ensuring anyone allowed into the protected area of nuclear plants is properly vetted.

Five Questions With Tom Rich

Tom Rich is head of the agency’s Information Security Directorate

  1. How would you describe your job in three sentences or less?

5 questions_9with boxMy job is to work with others to protect NRC’s information and information systems. This includes providing security training, performing security assessments, testing the vulnerability of our IT systems to phishing and penetration attacks, responding to security incidents and keeping up with situational awareness to see where we may need to strengthen our defenses.

  1. What is the single most important thing you do at work?

Communication with NRC managers and employees regarding threats to our IT systems and data. We do security briefings, security awareness events for staff, and daily meetings with the Chief Information Officer.

  1. What is the single biggest challenge you face?

tomrichThe dynamic pace of technology changes and the need for cyber defenders to keep up. With the “Internet of Things” becoming more and more a part of our daily lives, the devices we now use in virtually everything we do present security and privacy concerns and introduce a much larger avenue of attack. These devices want to communicate, in some cases sensitive data, through multiple channels with each other and cloud services. The challenge is that these devices do not have adequate security controls built into their design.

  1. What would you consider one of your biggest successes on the job?

We established a cyber security dashboard that measures the NRC’s improvements in security practices. This is an internal mechanism to let NRC stakeholders see what they are doing well and where improvements are needed. Since implementation, we have seen significant improvement in cybersecurity across the agency.

  1. What one thing about the NRC do you wish more people knew?

That we have Resident Inspectors at each of the nuclear plants. I think a lot of the public believe we regulate and inspect from a distance. I do not believe many know we have feet on the ground at the nuclear plants.

Five Questions With is an occasional series where we pose the same five questions to NRC staff.

ncsam-web_edited-1For more information on National Cyber Security Awareness Month, go here.

REFRESH: Protecting the NRC’s Cyber Frontier

By David McIntyre
Public Affairs Officer

The email was flagged urgent and screamed in capital letters: YOUR IMMEDIATE ATTENTION REQUIRED! The message said a software update was needed to avoid major system disruption, and to click a link and enter a network password.

cybersecThe NRC employee who received the email thought the message looked suspicious. Instead of clicking on the link, she forwarded the message as an attachment to the NRC’s Computer Security Incident Response Team.

Within minutes, a CSIRT member was analyzing the email on a computer unconnected to the NRC network. He quickly determined the message was bogus, a “phishing” attempt to gain unauthorized access to the system. He instructed the employee to delete the message and block the sender to avoid receiving any further attempted intrusions from that Internet address.

Had the employee provided her username and password, she could have exposed the NRC’s computer network and its sensitive information to compromise and possible disruption. Personal information about NRC employees would have been at risk, as well as sensitive pre-decisional information about agency policies and licensees.

While Safeguards and classified information about the security and status of nuclear plants is maintained on separate higher security systems, the information we process on the NRC corporate network must also be protected.

CSIRT, part of the NRC’s Computer Security Office, is a small group of experts, all highly trained in cyber defense. Their mission is to detect and thwart attacks on the NRC’s computer networks and prevent “spills” of sensitive information. Such attacks can come through phishing attempts, such as the fictional incident described above, malware implanted in website advertisements or viruses and malware on portable data devices.

The team routinely works with other federal agencies, including the Homeland Security Department’s U.S. Computer Emergency Response Team (US-CERT) to stay up to date on the latest vulnerabilities. They even practice “white hat” hacking to test the NRC’s systems.

As a response team, CSIRT investigates suspicious emails that have already passed through the NRC’s extensive SPAM filters and Internet firewall, robust cyber security defenses mounted by the Office of Information Systems.

ncsam-web_edited-1About 10 million emails are directed to NRC.gov addresses each month, and nearly 90 percent of them are blocked by the agency’s network security technologies as spam or for carrying viruses or suspicious attachments, says Mike Lidell, IT Specialist in the OIS Security Operations and Systems Engineering Branch. The OIS team administers the NRC’s firewalls, intrusion detection systems and spam filters.

While the percentage of blocked emails seems high, Lidell says it’s pretty much “par for the course” for any large organization or government agency. Emails that get through the initial line of defense are scanned again by the internal servers and a third time by the end-user’s individual computer. Internet data returned from the Web is scanned by NRC servers and individual workstations as well to guard against “drive-by downloads” of malicious software.

As Lidell points out, the “defense in depth” is necessary because the attacks are always evolving and changing. Thorne Graham, CSIRT’s team leader, praises a fourth line of defense against email attacks on the agency’s network: The NRC’s 4,000 employees. All NRC employees take annual online computer security training.

“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”

REFRESH is an occasional series where we republish previous posts. This originally ran in November 2014.

A Solemn Anniversary

Stephen Burns
Chairman

This Sunday marks the 15th anniversary of the terrorist attacks of September 11, 2001. As always, that day is a time for reflection, which the passing years do not diminish. The events of that day still seem as fresh and raw now as they did at the time.

NUREG/BR-0314, Rev. 4, "August 2015 Protecting Our Nation."That was certainly a pivotal day for us as a nation, for us as individuals and us as employees of the NRC. Here, staff went quickly into response mode even as the significance of the day was not yet clear. Senior managers gathered in the Operations Center and at the regional Incident Response Centers; other employees were sent home; security was heightened around the buildings; and licensee facilities were ordered to their highest level of security.

The NRC, like the rest of the country, pulled together and experienced a sense of renewed purpose and affirmation of our values as a democracy. As then Chairman Richard Meserve told employees: These are trying times, but we will persevere.

And we did. In the years since, the NRC increased its focus on security, revised its security inspection program, restructured and enhanced the force-on-force program, strengthened radioactive material controls, updated its Operations Center and exercised regularly for security events in addition to safety events. The NRC responded to the challenge in ways that also still reverberate today and affect nearly everything we do.

The NRC’s excellent publication Protecting our Nation goes into detail about actions the NRC has taken to strengthen security, emergency planning and incident response in the years since. On this anniversary, please take a few moments to read it while we reflect on the tragedy that day still represents for us all.

Pokémon Go — Not a Go at Nuclear Plants

Prema Chandrathil
Public Affairs Officer
NRC Region III

The highly popular cellphone game has found its way to a U.S. commercial nuclear power plant.

pokemanThe Pokémon Go game lets users chase and catch virtual creatures with their cellphone cameras. However, Pokémon Go and other games that use the GPS signals in our phones are creating safety and security issues. Local law enforcement officials across the country have cautioned folks to pay attention while playing and be careful not to wander into traffic (warnings that have not always been heeded). The phrase “heads up” takes on new meaning here.

The games have even enticed players to trespass on private property — including the Perry nuclear power plant in northeastern Ohio.

Recently, three teenagers pursued one of the strange looking cartoon creatures into the employee parking lot of the Perry plant, at 3 in the morning! Instead of catching the Pokémon, they were caught by security officers and escorted off the property.

But it could have ended very differently – and much more seriously — for these Pokémon pursuers.

Commercial nuclear plants are among the best-protected facilities in the country. Their security officers are highly trained professionals who carry guns and are authorized to use them in protecting the plant. Though you might not always see the protective measures and many details are not publically available, security is in place. (Click here for more info on the NRC’s security requirements for nuclear power plants.)

So have fun exploring and climbing over rocks searching for those virtual creatures, but the bottom line is be safe while playing these games. A nuclear power plant is not the place to be searching for Pikachu.

 

%d bloggers like this: