Policy Briefs


March 2014

Key Points


  • The U.S. Nuclear Regulatory Commission (NRC) has extensive regulations for cyber security protection at nuclear energy facilities. Regulatory oversight by other agencies is unnecessary and would duplicate the already-strict NRC oversight.
     
  • The nuclear energy industry implemented a cyber security program in 2002 to protect critical digital assets and the information they contain from sabotage or malicious use. The industry has been strengthening its response in the years since.
  • The NRC in 2009 established regulations for cyber security at commercial reactors, even though critical computer systems used to control nuclear energy facilities are not connected to the Internet.
  • The industry has worked with federal regulators—including the NRC, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC)—to ensure that digital assets are fully protected. FERC initially proposed rules to cover portions of a nuclear energy facility, but reversed its stance when it found that the NRC’s cyber security rulemaking covers the entire facility.

 
Cyber Security Systems
Nuclear energy facilities use both digital and analog systems to monitor plant processes, operate equipment, and store and retrieve information. Analog systems follow hard-wired instructions; digital computer systems use software to provide instructions. Digital systems, including individual computers and networks, are vulnerable to cyber attacks, which include malicious exploitation and infection by malware such as viruses, worms and other types of programming code.
 
Nuclear energy facilities are designed to shut down safely if necessary, even if there is a breach of cyber security. A cyber attack cannot prevent critical systems in a nuclear energy facility from performing their safety functions. Among other measures, these critical systems are not connected to the Internet or to a facility’s internal network. The isolation of critical safety systems minimizes the pathways for a cyber attack. Nuclear energy facilities also are designed to automatically disconnect from the power grid if there is a disturbance that could be caused by a cyber attack.
 
No Need for Duplicative Federal Oversight
The White House has proposed that the Department of Homeland Security work with critical infrastructure sectors, including the electric sector, to devise strategies to secure computer systems and protect them against cyber threats. Under the proposal, the agency could develop a cyber security strategy for facilities that do not have one. The electric power sector is the only industry with mandatory, enforceable cyber security standards—Critical Infrastructure Protection standards.  Moreover, nuclear power plants are strictly regulated in this area by NRC regulations and oversight. Additional regulation would be duplicative and would risk creating inconsistencies in requirements.

Cyber Protection in Place at Nuclear Power Plants
The Nuclear Energy Institute has developed the only comprehensive cyber security program specifically designed for control system and critical infrastructure security and the first of its kind within the energy sector. All nuclear power plants adopted the NEI cyber security program in 2006 and had implemented it by 2008.
 
A year later, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. NRC regulation covers all areas of a plant, including those that might otherwise be subject to NERC’s critical infrastructure protection reliability standards or proposed Department of Homeland Security oversight.
 
Every company operating nuclear power plants has earned NRC approval for a cyber security plan that describes how the facility is implementing its cyber security program. Companies also provided the NRC with a schedule describing the actions toward full implementation of its cyber security program. The NRC has reviewed and approved each of these schedules and regularly inspects cyber protection measures at U.S. reactors.

Five Steps That Provide Protection
Each U.S. nuclear power plant has taken the following measures to ensure protection against cyber threats:

  • Isolated key control systems using either air-gaps, which do not implement any network or internet connectivity, or installed robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants are protected from any network-based cyber attacks originating outside the plant.
  • Enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, CD, and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include authorizing use of portable assets to the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well-protected from attacks like Stuxnet, which was propagated through the use of portable media.
  • Heightened defenses against an insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.
  • Implemented cyber security controls to protect equipment deemed most essential for the protection of public health and safety.
  • Taken measures to maintain effective cyber protection measures. These measures include maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment. The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.