Combined ShapeemailfaxPDF IconphoneplayShape

Cybersecurity for Nuclear Power Plants

Reports & Briefs
Cybersecurity

Key Points

  • Critical safety and security systems at nuclear energy plants are isolated from the internet. They are further protected by cybersecurity and physical security plans that are required by the U.S. Nuclear Regulatory Commission. In addition, nuclear power plants are designed to shut down safely should their systems detect a disturbance on the electrical grid. Thus, nuclear plants are protected from digital threats by layer upon layer of safety measures.
  • The nuclear energy industry began addressing cybersecurity immediately after the terrorist attacks of Sept. 11, 2001. The NRC ordered the companies that operate nuclear power plants to enhance security in several areas and subsequently codified the new requirements in 2009. As part of this rule, the NRC established new cybersecurity requirements. Every company operating nuclear power plants has an NRC-approved cybersecurity program.
  • Under the broad scope of the NRC rule, nuclear plant licensees have identified thousands of digital assets at each reactor as requiring protection. However, most of them have no connection to radiological safety and security and, therefore, are outside the NRC’s purview to protect public health and safety. Including them under the umbrella of assets that require protection from cyberthreats creates wasteful activity and dilutes the resources necessary to ensure the protection of key equipment and systems.
  • The Nuclear Energy Institute, the nuclear industry’s policy organization petitioned the NRC in 2014 to revise the wording of its cybersecurity rule to align with the intent to protect public health and safety by preventing radiological sabotage. The proposal also would ensure that a single regulator—the NRC—would have oversight for cybersecurity at nuclear power plants.
  • NEI believes that the changes identified in the petition represent the most important near-term regulatory improvement that can be made in nuclear plant cybersecurity because it will both clarify the regulatory authority and avoid the diversion of resources from protection of assets that are related to radiological safety and security. 

First Line of Defense: Isolation

Critical safety and security systems at nuclear energy plants are isolated from the internet. They have no direct access to the web, nor do they have indirect access because they are not connected to the plants’ internal networks. These systems use either air gaps, which do not require internal networking or internet connectivity, or robust hardware-based isolation devices that separate the control system from front-office computers. In addition to the protection afforded by isolation, nuclear power plant digital assets are further protected by cybersecurity and physical security plans required by the NRC.

The nuclear energy industry’s layer-upon-layer approach to safety also requires each nuclear plant be designed to shut down safely and remain cooled indefinitely should its systems detect any anomalies on the electrical grid. This sometimes happens, for example, if there is a brief voltage fluctuation on the transmission lines or if off-site power lines are downed because of high wind or ice. However, the same measures designed to ensure safety in these circumstances also would protect a nuclear power plant from any deliberate interference with the regional electrical grid.

The nuclear energy industry began addressing cybersecurity more comprehensively after the terrorist attacks of Sept. 11, 2001. The NRC ordered the companies that operate nuclear power plants to enhance security in several areas and subsequently codified the new requirements in 2009, which also included new cybersecurity requirements.

Prior to the NRC rulemaking on cybersecurity, NEI developed the only comprehensive cybersecurity program specifically designed for control system and critical infrastructure security—the first of its kind within the energy sector. All nuclear power plants adopted the NEI cybersecurity program in 2006 and completed implementation by 2008.

What Specific Measures Are in Place to Protect Safety?

Each U.S. nuclear power plant has taken the following measures to ensure protection against cyberthreats:

  • Isolated key control systems using either air gaps, which do not implement any network or internet connectivity, or installed robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants are protected from any network-based cyberattacks originating outside the plant.
  • Enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, compact disks and laptops are used to interface with plant equipment, measures are in place to minimize the cyberthreat. These measures include authorizing use of portable assets to the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well protected from attacks like Stuxnet, which was propagated through the use of portable media.
  • Heightened defenses against an insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cybersecurity training and behavioral observation.
  • Performed detailed cybersecurity assessments and implemented cybersecurity controls to protect equipment deemed most essential for the protection of public health and safety.
  • Taken measures to maintain effective cyber protection measures. These measures include maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cybersecurity impact analysis is performed before making changes to relevant equipment. The effectiveness of cybersecurity controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cybersecurity posture of the equipment is maintained.

Nuclear Energy.Now.

More than 50% of our carbon-free energy. Available 24/7. Powering communities. Vital to our clean energy future.

Resources