U.S. NRC Blog

Transparent, Participate, and Collaborate

Category Archives: Nuclear Security

Pokémon Go — Not a Go at Nuclear Plants

Prema Chandrathil
Public Affairs Officer
NRC Region III

The highly popular cellphone game has found its way to a U.S. commercial nuclear power plant.

The Pokémon Go game lets users chase and catch virtual creatures with their cellphone cameras. However, Pokémon Go and other games that use the GPS signals in our phones are creating safety and security issues. Local law enforcement officials across the country have cautioned folks to pay attention while playing and be careful not to wander into traffic (warnings that have not always been heeded). The phrase “heads up” takes on new meaning here.

The games have even enticed players to trespass on private property — including the Perry nuclear power plant in northeastern Ohio.

Recently, three teenagers pursued one of the strange-looking cartoon creatures into the employee parking lot of the Perry plant, at 3 in the morning! Instead of catching the Pokémon, they were caught by security officers and escorted off the property.

But it could have ended very differently – and much more seriously — for these Pokémon pursuers.

Commercial nuclear plants are among the best-protected facilities in the country. Their security officers are highly trained professionals who carry guns and are authorized to use them in protecting the plant. Though you might not always see the protective measures and many details are not publicly available, security is in place. (Click here for more info on the NRC’s security requirements for nuclear power plants.)

So have fun exploring and climbing over rocks searching for those virtual creatures, but the bottom line is be safe while playing these games. A nuclear power plant is not the place to be searching for Pikachu.

 

Maintaining Radioactive Material Security Through Rules, Not Orders

Kim Lukes
Health Physicist
Office of Nuclear Material Safety and Safeguards

The NRC’s rulemaking process can be lengthy. This ensures that members of the public and interested stakeholders have an opportunity to participate and provide feedback on new requirements as they are developed.

There are occasions, though, when we need to move quickly. In these cases, the Commission can issue “orders” to any licensee to require them to address an issue promptly.

Following the Sept. 11 attacks, we revised our approach to security for certain radioactive materials. The NRC issued new security requirements via “orders” to certain licensees requiring added protective measures when using and transporting certain types and amounts of radioactive material. The new requirements focused on materials the International Atomic Energy Agency designates as Category 1 and 2, which are the two most safety-significant quantities.

The strongest restrictions were placed on these categories of radioactive material through the NRC orders due to their type and quantity, which can pose the greatest potential risk to health if used to do harm.

The requirements included background checks to ensure that people with access to radioactive materials are trustworthy and reliable. The orders also required access controls to areas where radioactive materials are stored and security barriers to prevent theft of portable devices.

Over the longer term, the NRC developed new regulations to formalize the requirements in the security orders. The creation of Part 37 to Title 10 of the Code of Federal Regulations, published in 2013, was intended to replace the orders. These rules ensure strong regulatory standards are maintained for the protection of certain types and quantities of radioactive material. NRC licensees were required to meet the new regulations in March 2014.

The NRC has agreements with 37 states allowing them to regulate radioactive materials. The Agreement States had to adopt compatible Part 37 security requirements, and their licensees had until March 19, 2016, to comply.

Because licensees are now in compliance with the new rules, the NRC has rescinded a series of material security orders. There is no change to security for these categories of radioactive material. These licensees have maintained the same higher level of security since we first issued the orders.

We are rescinding them because they are no longer needed. Licensees are complying with the Part 37 rules, instead of the orders. More details about the rescissions and our security requirements can be found here and in 10 CFR Part 37-Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material.

Protecting Commercial Nuclear Facilities from Cyber Attack

James Andersen
Director, Cyber Security Directorate

October is “Cyber Security Awareness” month. While we typically focus on how to secure our personal information, we’d like to update you on the NRC’s efforts to ensure U.S. commercial nuclear power plants are protected from cyber threats.

The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.

Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.

Nuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions will be done late this year.

During Phase 2, which will be completed in 2016-2017, licensees will complete full implementation of their cyber security programs. They will add additional technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection.

Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.

The NRC will soon publish a new regulation requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.

With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.

Safeguarding The Nation’s Secrets

Robert L. Norman
Sr. Program Manager, Safeguards Information

As part of its role in protecting health and safety, the NRC uses information security procedures to prevent sensitive information from getting into the wrong hands. The NRC puts sensitive information in three categories: classified, Safeguards Information (SGI), and Sensitive Unclassified Non-Safeguards Information (SUNSI).

Each category has specific marking requirements and security procedures. Although the NRC is the only agency with the authority to set requirements for protecting SGI, most agencies have requirements for the protection and designation of unclassified sensitive information.

You’ve probably heard the terms Top Secret, Secret, and Confidential; these are categories of classified information. Each category has a corresponding federal security clearance level needed for access. Executive Orders, Security Classification Guides and the Atomic Energy Act of 1954, as amended, lay out criteria for protecting information and identifying what nuclear information is classified at a particular level. A breach of classified information could threaten national security.

SUNSI, while generally unavailable to the public, does not require a federal security clearance. This category of information contains various types of information, including Personally Identifiable Information and attorney-client privilege. SUNSI is protected by the Privacy Act, NRC and other federal agency regulations.

While classified information and SUNSI are broad categories, SGI is much narrower. The SGI designation covers the physical protection of nuclear facilities and materials. This includes operating reactors, spent fuel shipments, and radioactive material at certain levels. Nuclear facilities require high security measures. Armed guards, physical barriers, and surveillance systems are just some of the ways we protect nuclear plants. Information about these detailed security measures is carefully guarded. Without SGI protection, people could use this information to attempt to circumvent physical barriers and break into security systems.

Section 147 of the Atomic Energy Act requires the NRC to regulate SGI. The NRC is in charge of deciding what qualifies as SGI and how to protect it. A specially trained group of personnel, called SGI Designators, create and/or check documents for SGI. Even though a federal security clearance isn’t needed for access, SGI is treated similarly to Confidential information. Individuals must pass a background check and have a “need to know” to access SGI.

The use of SGI has often come into question. The Office of the Inspector General conducted an audit in 2004 of the NRC’s protection of SGI. According to the audit, the Confidential classification could protect SGI without seriously affecting costs. However, NRC staff concluded the proposal would require the government to perform thousands of expensive federal security clearances and change how information is stored and encrypted. A switch to a lower designation, such as standard official use only, would put security at risk. Current regulations already protect SGI without breaking the bank.

Another OIG audit revisited the topic in 2012. This audit discussed giving people outside of the NRC and its licensees access to SGI. The OIG recommended setting up a specific plan for granting outsider access. Based on the recommendations, outsiders will still need to undergo background checks and have a “need to know.”

The NRC strives to be as open and transparent as possible. However, when it comes to safeguarding sensitive information for the good of the country, and our licensees, information protection will always take priority over transparency.

Droning On Over Nuclear Power Plants

Monika Coflin
Technical Assistant
Division of Security Policy

Drones, or unmanned aerial vehicles, have been in the news lately. Last fall, unidentified drones breached restricted airspace over 13 of France’s 19 nuclear power plants in a seemingly coordinated fashion. In January, a drone crashed onto the lawn of the White House. And this week, a drone was found on the roof of the Japanese prime minister’s office.

Drones may be fun toys, but they pose a number of concerns. They can be used to conduct surveillance to gather intelligence about facility security. They can also be used to deliver payloads that could include explosives. While the majority of drones currently in use are relatively small, larger ones are becoming available that could possibly deliver payloads capable of causing damage to facilities that are not hardened.

Security experts haven’t yet identified who was responsible for the French flyovers, but with the prices of drones falling and their popularity rising, the potential threat will likely continue to grow.

There are ways to detect and intercept drones, such as jamming radio signals or using helicopters to pursue encroaching drones. Chinese scientists are developing a laser weapon that can detect and shoot down small, low-flying aircraft, and interception drones have the ability to drop nets over intruding drones. However, there are many legal issues that challenge the use of these techniques.

The Federal Aviation Administration (FAA) has a long-standing “Notice to Airmen” warning pilots not to linger over nuclear power plants. The FAA has also issued guidelines on where users should not fly drones, but the industry is largely unregulated as more companies look to use the relatively new technology in their businesses. The FAA has been working to craft a comprehensive regulatory framework for drones, following calls from Congress and the President, and recently issued draft regulations for the commercial use of drones.

President Obama likened the drone industry to cyberspace, which has brought new technologies that U.S. laws are still trying to catch up to.

“These technologies that we’re developing have the capacity to empower individuals in ways that we couldn’t even imagine 10-15 years ago,” the President said, pledging to work to create a framework that “ensures that we get the good and minimize the bad.”

Given the evolving nature of technology and the need to balance the threat with the potential benefits of drones, the NRC is actively engaging with the departments of Homeland Security, Energy, and Defense to move this government collaboration effort forward. For example, we have reached out to the FAA to examine available legal and regulatory options, and attended inter-agency meetings to learn about how other agencies are addressing potential impacts from drones.

In addition, NRC will participate in a U.S.-initiated drone working group under the nuclear counterterrorism umbrella with the governments of France and the United Kingdom. The NRC has provided, and will continue to provide, pertinent information on this topic in a timely manner to its licensees to ensure continued safe and secure operations.
