U.S. NRC Blog

Transparent, Participate, and Collaborate

Tag Archives: NRC

Five Questions With Tom Rich

Tom Rich is head of the agency’s Information Security Directorate

  1. How would you describe your job in three sentences or less?

My job is to work with others to protect NRC’s information and information systems. This includes providing security training, performing security assessments, testing the vulnerability of our IT systems to phishing and penetration attacks, responding to security incidents and keeping up with situational awareness to see where we may need to strengthen our defenses.

  2. What is the single most important thing you do at work?

Communication with NRC managers and employees regarding threats to our IT systems and data. We do security briefings, security awareness events for staff, and daily meetings with the Chief Information Officer.

  3. What is the single biggest challenge you face?

The dynamic pace of technology changes and the need for cyber defenders to keep up. With the “Internet of Things” becoming more and more a part of our daily lives, the devices we now use in virtually everything we do present security and privacy concerns and introduce a much larger avenue of attack. These devices want to communicate, in some cases sensitive data, through multiple channels with each other and cloud services. The challenge is that these devices do not have adequate security controls built into their design.

  4. What would you consider one of your biggest successes on the job?

We established a cyber security dashboard that measures the NRC’s improvements in security practices. This is an internal mechanism to let NRC stakeholders see what they are doing well and where improvements are needed. Since implementation, we have seen significant improvement in cybersecurity across the agency.

  5. What one thing about the NRC do you wish more people knew?

That we have Resident Inspectors at each of the nuclear plants. I think a lot of the public believe we regulate and inspect from a distance. I do not believe many know we have feet on the ground at the nuclear plants.

Five Questions With is an occasional series where we pose the same five questions to NRC staff.

For more information on National Cyber Security Awareness Month, go here.

REFRESH: Protecting the NRC’s Cyber Frontier

By David McIntyre
Public Affairs Officer

The email was flagged urgent and screamed in capital letters: YOUR IMMEDIATE ATTENTION REQUIRED! The message said a software update was needed to avoid major system disruption, and to click a link and enter a network password.

The NRC employee who received the email thought the message looked suspicious. Instead of clicking on the link, she forwarded the message as an attachment to the NRC’s Computer Security Incident Response Team.

Within minutes, a CSIRT member was analyzing the email on a computer unconnected to the NRC network. He quickly determined the message was bogus, a “phishing” attempt to gain unauthorized access to the system. He instructed the employee to delete the message and block the sender to avoid receiving any further attempted intrusions from that Internet address.

Had the employee provided her username and password, she could have exposed the NRC’s computer network and its sensitive information to compromise and possible disruption. Personal information about NRC employees would have been at risk, as well as sensitive pre-decisional information about agency policies and licensees.

While Safeguards and classified information about the security and status of nuclear plants is maintained on separate higher security systems, the information we process on the NRC corporate network must also be protected.

CSIRT, part of the NRC’s Computer Security Office, is a small group of experts, all highly trained in cyber defense. Their mission is to detect and thwart attacks on the NRC’s computer networks and prevent “spills” of sensitive information. Such attacks can come through phishing attempts, such as the fictional incident described above, malware implanted in website advertisements or viruses and malware on portable data devices.

The team routinely works with other federal agencies, including the Homeland Security Department’s U.S. Computer Emergency Response Team (US-CERT) to stay up to date on the latest vulnerabilities. They even practice “white hat” hacking to test the NRC’s systems.

As a response team, CSIRT investigates suspicious emails that have already passed through the NRC’s extensive SPAM filters and Internet firewall, robust cyber security defenses mounted by the Office of Information Systems.

About 10 million emails are directed to NRC.gov addresses each month, and nearly 90 percent of them are blocked by the agency’s network security technologies as spam or for carrying viruses or suspicious attachments, says Mike Lidell, IT Specialist in the OIS Security Operations and Systems Engineering Branch. The OIS team administers the NRC’s firewalls, intrusion detection systems and spam filters.

While the percentage of blocked emails seems high, Lidell says it’s pretty much “par for the course” for any large organization or government agency. Emails that get through the initial line of defense are scanned again by the internal servers and a third time by the end-user’s individual computer. Internet data returned from the Web is scanned by NRC servers and individual workstations as well to guard against “drive-by downloads” of malicious software.

As Lidell points out, the “defense in depth” is necessary because the attacks are always evolving and changing. Thorne Graham, CSIRT’s team leader, praises a fourth line of defense against email attacks on the agency’s network: The NRC’s 4,000 employees. All NRC employees take annual online computer security training.

“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”

REFRESH is an occasional series where we republish previous posts. This originally ran in November 2014.

Radium Part III: The NRC’s Role

Richard Chang
Office of Nuclear Material Safety and Safeguards

We’ve been writing in this series about radium—how it was discovered, how it was used, how it can impact human health. Today we want to explain where the NRC fits in.

As we said in our last post, the states originally oversaw radium use. In 2005, Congress gave the NRC authority over radium through the Energy Policy Act. In 2007, we put in place our regulations on the control, use, and disposal of radium. These rules made clear that the NRC oversees radium only after it has been purposely concentrated for use.

Because many states already had laws on radium, we took over regulatory oversight in phases. We had full oversight for radium in all states by August 2009 (either through states that regulate nuclear materials under agreements with the NRC, known as Agreement States, or directly in those states that remain under NRC jurisdiction).

In 2007, after our regulations were put in place, we began talking to the U.S. Navy about radium contamination at their sites. As we learned more about this program and talked with the other branches of the military, we began working to clarify our role in the remediation at military sites. During the same time, we became aware of two specific radium cleanup efforts by other federal agencies. The Environmental Protection Agency has done cleanup work at the former Waterbury Clock Company, in Waterbury, Conn. The National Park Service is also involved in a cleanup project at Great Kills Park, in Staten Island, N.Y.

As we learned more about these projects, it became apparent that a critical step for us to take would be identifying historical commercial radium sites, many of which were many decades old. As such, we began to look for sites in our jurisdiction that may have radium, and to find out how much, if any, cleanup was done. There are no known health and safety issues at any of these sites, but we want to make sure they do not pose a risk.

We contracted with Oak Ridge National Laboratory to help us develop a full picture of commercial radium sites. The lab started by cataloging the different products developed and sold to the public in the early 20th century. Oak Ridge scoured existing publicly available literature, records and databases, identified sites where radium may have been used to make consumer goods and looked for any cleanup records. We received the final results in November 2015.

We are working to get more information about the sites under NRC jurisdiction. We will be reaching out to site owners. Our goal is to confirm that these sites do not pose a risk to public health and safety and the environment. We’ll keep you posted on our progress.

Hurricane Matthew and the NRC — UPDATE Part II

UPDATE 2:  The NRC’s Region II Incident Response Center was staffed throughout the weekend due to Hurricane Matthew. In all, three plants entered unusual event classifications for storm-related reasons, including electrical grid instability. In addition to the update below on the St. Lucie plant, two other plants, Harris and Robinson, experienced brief losses of offsite power due to the effects of the hurricane. At those two sites, the emergency diesel generators started automatically and provided power until the grid stabilized. — Joey Ledford

UPDATE: While our thoughts are with the people who lost power or suffered damages in the storm, the St. Lucie nuclear plant experienced winds below hurricane strength and did not lose off-site power. The plant’s safety equipment and systems were not affected by the storm and both units remain safely shut down pending a “Disaster Initiated Review.” The review will ensure that evacuation routes are clear and emergency services are available. The units cannot restart until that review is conducted jointly by the NRC and FEMA. The NRC continues to monitor Hurricane Matthew, and will decide later today whether to continue to staff its incident response center in Atlanta. — Joey Ledford

Joey Ledford
Public Affairs Officer
Region II

It’s hard to believe, but no major hurricane has made landfall in the continental United States since 2005. Hurricane Wilma came ashore in southwest Florida in October of that year as a Category 3 storm, but then skirted the peninsula and went back into the Atlantic.

During this record respite of 11 years, the NRC never stopped training and preparing for big storms, including major hurricanes. Storm preparations were an important part of the post-Fukushima enhancements that have made U.S. commercial nuclear plants safer.

This week, a mammoth storm known as Hurricane Matthew is stalking Florida’s East Coast, having already taken its toll on Haiti, the Dominican Republic, Cuba and the Bahamas. The NRC and the companies that operate nuclear facilities began preparations for Matthew long before its anticipated path was clear.

Late Tuesday, the staff at Florida Power and Light’s St. Lucie plant in Port St. Lucie, not far from the predicted landfall, declared an unusual event, the lowest of NRC’s emergency classifications, because of the hurricane warning. The plant staff began severe weather procedures, which include making sure any equipment or debris that could be affected by wind or water has been removed or secured. Staff also conducted walk downs of important plant systems and ensured emergency supplies were adequate.

Similar work was being done at Turkey Point, south of Miami, another FPL plant, and at Brunswick, a Duke Energy station near Southport, N.C.

The NRC’s resident inspectors at each plant, meanwhile, worked to verify the storm preparations were completed as expected, paying special attention to the condition of emergency diesel generators that would be used if the plants lose offsite power.

The NRC maintains 24-hour staffing at any plant expected to experience hurricane-force winds. Since the resident inspectors live near the plant and need to take care of their families and homes, other agency personnel are dispatched to storm sites to help with staffing. One resident inspector from Tennessee volunteered to drive to southeastern North Carolina to staff Brunswick. Some other inspectors at or near the plants on other inspection duties volunteered to stay and provide staffing.

The NRC’s Region II Incident Response Center in Atlanta will be staffed around the clock during the storm, monitoring its path while keeping in contact with plant operators, NRC on-site inspectors, state emergency officials in the affected states and NRC headquarters.

Previous hurricanes have shown that nuclear plants are robust facilities that can withstand extremely high winds and storm surges. As Matthew approaches, the NRC is working to ensure plant operators have taken actions to protect the plants, safely shut down if necessary and ensure power is available to keep the plants in a safe condition until the storm has passed.

Five Questions with the NRC’s SECY

Annette Vietti-Cook is the NRC’s Secretary of the Commission

  1. How would you describe your job in three sentences or less?

Every day I work directly with the Commission offices managing the Commission’s decisionmaking process, and as the official record keeper, historian, and meeting coordinator. I oversee the planning of Commission meetings, drafting of Commission decisions, tracking of Commission requirements, and managing of Commission correspondence and records, and rulemaking and adjudicatory dockets. I also work with the agency’s historian.

  2. What is the single most important thing that you do at work?

Communicate effectively. My staff and I work closely and daily with the Commission and their staff as well as with the Executive Director for Operations staff. We provide advice on Commission policies and procedures, help to prepare items for Commission consideration, convey Commission decisions, and prepare for Commission meetings. As the Secretary, I must constructively address issues with the Commission and staff, acknowledge dissenting opinions and use good communication – and good judgement – in a way that ultimately benefits the agency’s performance of its mission.

  3. What is the single biggest challenge you face?

Training, developing, and mentoring employees so my office can provide outstanding support to the Commission. Commissioners come and go, so it’s important that the Office of the Secretary maintain the institutional knowledge of how the Commission does its work. The Internal Commission Procedures, which lay out how all manner of regulatory and policy issues are handled, are vitally important but can never tell the whole story. I’ve been with the agency for 34 years and Secretary for 17 years and many of my staff have similar long tenures. So we believe our institutional knowledge is a real asset.

  4. If you could change one thing at the NRC or within the nuclear industry, what would it be?

Eliminate the requirement that the NRC substantially recover the cost of its annual budget through the imposition of fees collected from NRC licensees. This structure creates the misimpression among some that NRC inappropriately considers fees in carrying out its important safety and security mission. By eliminating fees, the NRC would license and regulate independently through congressionally appropriated funds, just like most other federal agencies.

  5. What one thing about the NRC do you wish more people knew?

The NRC is full of competent, dedicated and hardworking people. There is also a squash court on the roof of the building. Yes, even regulators can have a sense of humor.

Five Questions is an occasional series in which we pose the same questions to different NRC staff members.
