Cyber Security and the NRC – This Month and Every Month

The NRC is joining the Department of Homeland Security (DHS) and others in support of the National Cyber Security Awareness Month campaign: Stop.Think.Connect.

But cyber security — defending against hackers, criminals, and cyber terrorists — is a year-round focus for us.

The NRC’s cyber security team includes technology and threat assessment experts who team with other federal agencies and the nuclear industry to evaluate and help resolve issues that could affect digital systems. Our regulations also require nuclear power plants to adhere to strict requirements to make sure computer and communication systems and networks are protected from cyber attacks.

For NRC employees, there is cyber security awareness training, including “phishing” tests to help users recognize, and respond appropriately to, attempts to trick them into providing sensitive information. There are also agency-wide policies and standards for the cyber security controls that protect important NRC information.

For October, we are paying special attention to cybersecurity in all aspects of our lives. As DHS says:

“Few of us need to be reminded of the impact cyberspace has on our lives. From the kitchen table to the classroom, from business transactions to essential government operations and services, cybersecurity is an issue that touches all of us. While increased connectivity has led to amazing transformations and global advances across society, it also has increased the importance and complexity of our shared risk. We all have an important role to play. Emerging cyber threats require engagement from the entire American community—from government and law enforcement to the private sector and most importantly, members of the public, to create a safe, secure, and resilient cyber environment.”

More information about DHS efforts can be found online. More information about the NRC and cyber security can be found here.

Kathy Lyons-Burke
Senior IT Security Officer for Policy, Standards, and Training

Nuclear Regulators Security Conference Registration Now Open

While the NRC licenses nuclear materials only in the U.S., we are also very active internationally – especially in helping other countries develop nuclear and radiological regulatory programs covering both safety and security.

In 2010, the NRC participated in the first international Nuclear Security Summit, convened by President Obama, which focused on how to better safeguard weapons-grade plutonium and uranium to prevent nuclear terrorism. The participating countries at the summit agreed to work cooperatively as an international community to advance nuclear security and advocate for strong nuclear security practices around the globe — with the NRC leading the effort for the U.S.

That summit was followed this year, in March, by a similar conference held in Korea. There, the U.S. committed to hosting the first-ever Nuclear Regulators Security Conference. That conference is scheduled for Dec. 4 through 6 in Rockville, Md. Its goal is to raise awareness of the importance of comprehensive national regulatory security programs, and to build relationships among regulatory entities worldwide with responsibility for nuclear and radioactive materials security.

Topics at the conference will include:

• establishing and maintaining a strong, independent legal and regulatory framework to protect and secure nuclear and radioactive materials;

• creating methodologies for design basis threats and threat assessments;

• best practices for information protection and cyber security;

• establishing programs to ensure personnel trustworthiness and reliability; and

• a special session on the International Atomic Energy Agency’s (IAEA) International Physical Protection Advisory Service missions.

Confirmed speakers include: John O. Brennan, Assistant to the President for Homeland Security and Counterterrorism; Yukiya Amano, Director General, IAEA; and NRC Chairman Allison M. Macfarlane.

This conference is open to the public and free, but space is limited – and pre-registration is required.

Nancy Fragoyannis
Senior Level Advisor for Nonproliferation and International Nuclear Security

NRC’s Office of Nuclear Security and Incident Response Celebrates 10 Years

Ten years ago, the nation was still reeling from the events of Sept. 11th, and the NRC was gearing up to face a changed world with, among other actions, a newly created Office of Nuclear Security and Incident Response (NSIR).

In those early days, the new NSIR team was working at a hectic pace, with faster responses required – to Congress, the White House, the Office of Homeland Security (which later became the Department of Homeland Security) and the media — and a faster turnaround time than was usual at the agency. As NSIR took shape, the time demands on the staff were intense. Many days NSIR staff would spend all day in meetings at the White House or at the newly founded Department of Homeland Security, and then come back to the office at 5 p.m. to spend the next two to three hours sharing with the rest of the team what had happened that day. Sixty- to 70-hour work weeks were the norm.

The continual state of urgency of the requests from NSIR staff often caused challenges for the other parts of the agency, which were also running at a high rate of speed. It was always “I need it NOW” whenever an NSIR person came looking for assistance. In true team spirit however, the rest of the agency always responded no matter how short the turnaround time. In its first few years of existence, NSIR demands on staff meant shortened holiday celebrations, missed T-ball games and dance recitals, and generally less sleep.

In addition to doing the core mission work of NSIR, there was also a need to establish the office processes and procedures. Those who were part of the early days of NSIR described it as building the airplane while flying at 40,000 feet!

Eventually, the time pressure eased a bit, but the demand for increased involvement at the federal level continued to grow. More resources were allocated and NSIR grew from an office of 50 to more than 200. NSIR management also began to recruit from outside the NRC and hired a number of staff with extensive backgrounds in law enforcement, military security and emergency preparedness to bring fresh ideas and approaches. The added staff helped with the workload and allowed for a better work/life balance. Office policies and procedures were completed and NSIR settled into becoming a more “regular” type of NRC office. With key support from the rest of the agency, NSIR was successful in its mission of enhancing safety and security.

As it begins its second decade of service, NSIR continues to be a vigilant watchdog of security, emergency preparedness, and incident response to ensure the safe operation of commercial nuclear power stations and fuel cycle facilities in the U.S.

Joe Anderson
Chief, Operating Reactor Licensing and Outreach Branch
NSIR

In Nuclear Power Plants – Behavior Is Under Observation

The NRC requires that all nuclear power plants follow strict access authorization regulations intended to make sure only trusted individuals are allowed into the most sensitive areas of the plant. These regulations require fingerprint checks, drug and alcohol screening, psychological testing and other hurdles when employees are first hired, and the checks must be periodically updated if the individuals are to continue to have access to these areas.

But even once a worker has been granted so-called unescorted access, they are still subject to a “behavioral observation program.” In other words, the NRC requires that every plant have a program in which all employees and supervisors are trained in detecting problems such as drug or alcohol abuse or other impairments of employees.

As part of the program, all employees are required to report to their supervisors any suspicious behavior they see among their coworkers. Suspicious behavior could include a worker being observed in an area of the plant where they are not authorized to be, or a worker making threatening statements about harming people or plant equipment.

The NRC regulations even require workers to report on themselves or “self-disclose” if they, for whatever reason, believe they are no longer mentally and physically fit to safely perform their duties. An example of this is an employee undergoing marital problems that are causing them stress that interferes with their duties. Such an employee may be referred to an Employee Assistance Program or their assigned duties may be changed until the person is deemed fit for duty.

If a determination is made to deny the person unescorted access for any reason, their name and that fact is entered into an information sharing database that NRC requires all U.S. nuclear power plants to use. Should that person attempt to enter (or get a job at) another nuclear plant, the information about their access status would be available for review by the plant they were attempting to access.

Ultimately, a determination that an employee is not trustworthy or reliable – based on behavioral observation or self-reporting — has serious implications for that person’s access authorization, but such determinations are necessary to keep nuclear power plants operating safely in their communities.

Mark Resner
Access Authorization Program Coordinator

Putting Security Back into the Reactor Oversight Process Assessment Program

The NRC assesses the safety of all 104 nuclear reactors in this country by looking closely at seven different safety “cornerstones.” These are the fundamentals of nuclear plant safety such as “public radiation safety,” and “barrier integrity.” The severity of any performance issue is assessed using a color-coded system as part of the NRC’s Reactor Oversight Process (ROP).

However, for the past 10 years or so, the NRC has assessed nuclear plant security using a separate oversight process. The NRC made the separation shortly after the terrorist attacks of September 11, 2001, to limit the possibility that anyone could infer potential protective-measure vulnerabilities at its licensed facilities from published assessment results. The NRC has since enhanced its security requirements.

In June, 2011, the staff submitted a paper, SECY-11-0073, to the Commission seeking approval of a proposal to reintegrate nuclear plant security into the existing ROP. This will achieve a more integrated assessment of licensee performance. On July 20, 2011, the Commission approved the staff’s proposal.

So what does this mean? It means that experts in safety and experts in security are working together now to implement this reintegration and are updating the Inspection Manuals used by the staff. The goal is to complete these by July 2012. The NRC will communicate the changes to licensees, through a Regulatory Issue Summary, to provide them with the implementation plan and effective date.

The staff will continue to issue security inspection reports and letters for security findings in the same manner as today, except instead of separate assessment letters for safety and security, they will be combined into a single letter issued every six months. As is already the case, sensitive security-related information will not be contained in the public version of the assessment letters.

The public website will be revised to include security cornerstone assessment inputs, but with a different color scheme than used for safety violations. For example, the color blue will signify a greater-than-green (white, yellow, or red) security input.

When the website is updated to reflect reintegration, plants with pre-existing security issues will appear to shift in the ROP Action Matrix. In all cases, the NRC will have already identified the input under the security assessment process and will be in various states of planning, performing, or completing the NRC’s response and inspection for those issues.

The reintegration of security and safety is important because it will allow the NRC to achieve a more integrated assessment of licensee performance and make the integrated assessment information available to the public. However, that does not mean that details about security will be made publicly available. The NRC will continue to protect security-related information so that it cannot be used by potential adversaries.

Kevin Roche
Reactor Operations Engineer

Protecting Our Nation

The NRC has just posted on its website an updated report about the NRC’s security activities in the 10 years after the September 11th terrorist attacks. The report, titled “Protecting Our Nation” (NUREG/BR-0314, Rev. 2), outlines important upgrades in security, emergency preparedness, and incident response related to nuclear facilities and radioactive materials.

Some highlights in the report include information on:

• Force-on-Force security inspections, which incorporate both tabletop drills and simulated combat between a mock commando-type adversary force and the plant’s security force.

• Cyber attacks as an emerging means by which both domestic and international adversaries could exploit potentially vulnerable systems. The NRC is working with its federal partners to address this complicated issue.

• Incident response exercises as a way to prepare for potential terrorist attacks or other incidents, such as major storms, that could disrupt operations.

• Intelligence assessments used to evaluate and warn of possible threats of attacks or other malevolent activities directed at nuclear facilities or radioactive material licensees.

The report can be found at:  http://148.184.174.31/reading-rm/doc-collections/nuregs/brochures/br0314/index.html.

Rebecca Clinton
Security Specialist

Cybersecurity and Nuclear Power Plants

It’s hard to read the news these days without seeing reports of one entity or another “getting hacked” or being attacked in cyberspace. We’re frequently asked how nuclear power plants are protected from those who try to break into computer systems without authorized access – often for malicious purposes.

Perhaps the most important thing to recognize is that nuclear power plants and their computer systems were designed before the days of internet cafes and wireless connections. The safety-related computer systems have no connection to the internet, so there is no network path by which an outside hacker could reach them. Even the digital control systems installed in some plants more recently have no connection to the ‘net. That isolation addresses remote attackers; it does not by itself address someone already inside the plant, which is why the insider protections described below matter as well.

And while nuclear power plants were designed to feed electricity to the power grid, they were also isolated in ways to protect them from any potential negative effects that could come from the grid.

After the terrorist attacks of September 11, 2001, cyber security quickly became a major focus of U.S. government activities. The NRC was no exception. We took immediate steps – through orders — to ensure that computer systems used to operate nuclear power plants were not accessible even by “insiders” who could attack the cyber systems directly from within the plant.

Later, the NRC went even further with a new regulation that required all the nuclear power plants to have a cyber security plan and a timeframe for implementing protections of those key systems related to safety, security and emergency preparedness functions.

In addition, any power company seeking to build a new nuclear power plant will need to include a cyber security plan as part of its application to the NRC.

The NRC has its own cyber security experts on staff and works closely with other federal experts, including US-CERT – the United States Computer Emergency Readiness Team – to monitor what’s happening in cyberspace here and around the world, and to take action if necessary to protect the vital systems in nuclear power plants.

Sara Mroz
Security Specialist