UPDATE: Protecting Commercial Nuclear Facilities from Cyber Attack

James Andersen
Director, Cyber Security Directorate

The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.

Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.

Nuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions were completed in 2015.

During Phase 2, which will be completed by the end of this year, licensees will complete full implementation of their cyber security programs, adding further technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection.

Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.

The NRC published a new regulation in late 2015 requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.

With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.

This post first ran in October 2015.

Five Questions With Tom Rich

Tom Rich is head of the agency’s Information Security Directorate

  1. How would you describe your job in three sentences or less?

My job is to work with others to protect NRC’s information and information systems. This includes providing security training, performing security assessments, testing the vulnerability of our IT systems to phishing and penetration attacks, responding to security incidents and keeping up with situational awareness to see where we may need to strengthen our defenses.

  2. What is the single most important thing you do at work?

Communication with NRC managers and employees regarding threats to our IT systems and data. We do security briefings, security awareness events for staff, and daily meetings with the Chief Information Officer.

  3. What is the single biggest challenge you face?

The dynamic pace of technology changes and the need for cyber defenders to keep up. With the “Internet of Things” becoming more and more a part of our daily lives, the devices we now use in virtually everything we do present security and privacy concerns and introduce a much larger avenue of attack. These devices want to communicate, in some cases sensitive data, through multiple channels with each other and cloud services. The challenge is that these devices do not have adequate security controls built into their design.

  4. What would you consider one of your biggest successes on the job?

We established a cyber security dashboard that measures the NRC’s improvements in security practices. This is an internal mechanism to let NRC stakeholders see what they are doing well and where improvements are needed. Since implementation, we have seen significant improvement in cybersecurity across the agency.

  5. What one thing about the NRC do you wish more people knew?

That we have Resident Inspectors at each of the nuclear plants. I think a lot of the public believe we regulate and inspect from a distance. I do not believe many know we have feet on the ground at the nuclear plants.

Five Questions With is an occasional series where we pose the same five questions to NRC staff.

For more information on National Cyber Security Awareness Month, go here.