UPDATE: Protecting Commercial Nuclear Facilities from Cyber Attack

James Andersen
Director, Cyber Security Directorate

The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants. The cyber threat is always evolving, and so is our approach. We first imposed cyber security requirements in Orders issued after the 9/11 terrorist attacks. Drawing on our experience with those steps, we formalized regulations in 2009.

Our “cyber security roadmap” spells out how nuclear plant licensees were implementing our 2009 cyber regulations, as well as our approach to assessing cyber needs of other licensees.

cybersecNuclear plants are meeting these requirements in two phases. During Phase 1, they implemented controls to protect their most significant digital assets from the most prevalent cyber attack vectors. This phase was completed in December 2012, and our inspections of Phase 1 actions were completed in 2015.

During Phase 2, which will be completed by the end of this year, licensees will complete full implementation of their cyber security programs. They will add additional technical cyber controls, cyber security awareness training for employees, incident response testing and drills, configuration management controls, and supply chain protection

Like other NRC programs, cyber security involves “defense in depth.” Crucial safety- or security-related systems (both digital and analog) are isolated from the Internet, giving them strong protection. Such “air gaps” are important, but not sufficient. Licensees must also address wireless threats, portable media such as discs or thumb drives, and other avenues of attack. Physical security and access controls, including guarding against an insider threat to the plant, also add to cyber security, as do cyber intrusion detection and response capability.

The NRC published a new regulation in late 2015 requiring nuclear plant licensees to notify the agency quickly of certain cyber attacks.

With these efforts already accomplished or underway, you can see the NRC takes cyber security seriously, and we’re doing our best to stay flexible and ahead of the ever-changing threat. You can find more information about the NRC’s cyber security program on our website.

This post first ran in October 2015

Getting Ready for Winter Looks Much Like Preparing for Hurricanes

Neil Sheehan
Public Affairs Officer
Region I

coldweatherAt first glance the blizzard that pounded the upper Midwest on Christmas weekend – or the winter storm that hit New England over New Year’s — doesn’t seem to have much in common with the hurricanes that hit the Gulf Coast or Eastern Seaboard during the hot summer months.

But from our perspective, they do.

NRC regulations requires that U.S. nuclear power plants be ready for all kinds of weather conditions, and that extends to winter storms.

The preparations take many forms. Here are some of the key activities:

  • Plant operators keep close tabs on approaching storms via weather forecasting services. Storm watches or warnings would clearly attract attention.
  • As a storm draws closer, information gathered from the facility’s meteorological towers is assessed. These data points would include wind speed/direction and snowfall rates. Specific conditions, such as wind speeds exceeding a pre-designated threshold, can result in operators starting to shut down the reactor, or reactors, at a plant site.
  • Prior to a storm arriving in the area, plant personnel would conduct visual inspections of plant grounds. They would check that there were no loose items that could be propelled by strong winds and potentially damage equipment.
  • Workers would also ensure that fuel tanks for emergency diesel generators were filled. These generators can provide back-up power for plant safety systems should the local electrical grid go down.
  • Plans would also be developed to keep the plant appropriately staffed until the storm had passed. This might mean providing cots and food for employees unable to get home due to the weather conditions.

Amid all of these preparations, the NRC Resident Inspectors assigned to each plant would follow the progress of these activities while also tracking expected conditions at the plant. They, too, could be asked to stay at the facility until the storm had passed.

The old adage that success is “90 percent preparation and 10 percent perspiration” is one taken seriously when wicked weather is bearing down.