Cyber Security Strictly Regulated by NRC;
No Additional Regulation Needed
February 2013
Key Points
The U.S. Nuclear Regulatory Commission (NRC) has extensive regulations for cyber security protection at nuclear energy facilities. Regulatory oversight by other agencies is unnecessary and would duplicate the already-strict NRC oversight.

The nuclear energy industry implemented a cyber security program in 2002 to protect critical digital assets and the information they contain from sabotage or malicious use. The industry has been strengthening its response in the years since.

The NRC in 2009 established regulations for cyber security at commercial reactors, even though critical computer systems used to control nuclear energy facilities are not connected to the Internet.

The industry has worked with federal regulators—including the NRC, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC)—to ensure that digital assets are fully protected. FERC initially proposed rules to cover portions of a nuclear energy facility but reversed its stance when it found that the NRC’s cyber security rulemaking covers the entire facility.
Cyber Security Systems
Nuclear energy facilities use both digital and analog systems to monitor plant processes, operate equipment, and store and retrieve information. Analog systems follow hard-wired instructions; digital computer systems use software to provide instructions. Digital systems, including individual computers and networks, are vulnerable to cyber attacks, which include malicious exploitation and infection by malware such as viruses, worms and other types of programming code.

Nuclear energy facilities are designed to shut down safely if necessary, even if there is a breach of cyber security. A cyber attack cannot prevent critical systems in a nuclear energy facility from performing their safety functions. Among other measures, these critical systems are not connected to the Internet or to a facility’s internal network. The isolation of critical safety systems minimizes the pathways for a cyber attack. Nuclear energy facilities also are designed to automatically disconnect from the power grid if there is a disturbance that could be caused by a cyber attack.
No Need for Duplicative Federal Oversight
The White House has proposed that the Department of Homeland Security work with critical infrastructure sectors, including the electric sector, to devise strategies to secure computer systems and protect them against cyber threats. Under the proposal, the agency could develop a cyber security strategy for facilities that do not have one. The electric power sector is the only industry with mandatory, enforceable cyber security standards—Critical Infrastructure Protection standards. Moreover, nuclear power plants are strictly regulated in this area by NRC regulations and oversight. Additional regulation would be duplicative and would risk creating inconsistencies in requirements.
Cyber Protection in Place at Nuclear Power Plants
The Nuclear Energy Institute has developed the only comprehensive cyber security program specifically designed for control system and critical infrastructure security and the first of its kind within the energy sector. All nuclear power plants adopted the NEI cyber security program in 2006 and had implemented it by 2008.

A year later, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. NRC regulation covers all areas of a plant, including those that might otherwise be subject to NERC’s critical infrastructure protection reliability standards or proposed Department of Homeland Security oversight.

Every company operating nuclear power plants has earned NRC approval for a cyber security plan that describes how the facility is implementing its cyber security program. Companies also provided the NRC with a schedule describing the actions toward full implementation of its cyber security program. The NRC has reviewed and approved each of these schedules and regularly inspects cyber protection measures at U.S. reactors.
Five Steps That Provide Protection
Each U.S. nuclear power plant has taken the following measures to ensure protection against cyber threats:

1. Isolated key control systems, using either air-gaps, which do not implement any network or internet connectivity, or robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants is protected from any network-based cyber attacks originating outside the plant.

2. Enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, CDs and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include authorizing use of portable assets only for the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well-protected from attacks like Stuxnet, which was propagated through the use of portable media.

3. Heightened defenses against an insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.

4. Implemented cyber security controls to protect equipment deemed most essential for the protection of public health and safety.

5. Taken measures to maintain effective cyber protection measures. These measures include maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment. The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.
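The portable-media controls described in the second step (task-specific authorization of each device, limiting movement from less secure to more secure assets, and virus scanning before use) can be written down as a policy check that a media kiosk or work-order system evaluates before a thumb drive or laptop is connected to plant equipment. The code below is an added example written for this page; it is not NEI's, the NRC's or any plant's software. The zone names, device serials, task names, the 24-hour scan window and the exception that lets a device dedicated to a zone carry material into that zone are all constructed assumptions, chosen to make the sheet's "minimizing" wording concrete.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import List, Optional, Tuple


class Zone(IntEnum):
    """Security zones ordered so that a higher value is a more secure asset.
    Constructed for this example; not a plant's real zone scheme."""
    CORPORATE = 1   # front-office business network
    PLANT = 2       # plant data network
    CONTROL = 3     # isolated control and safety systems


@dataclass
class MediaDevice:
    serial: str                              # asset tag of the drive or laptop
    authorized_task: str                     # the one task this device is approved for
    dedicated_zone: Optional[Zone] = None    # set when the device never leaves one zone
    last_scan: Optional[datetime] = None     # time of the most recent malware scan
    scan_clean: bool = False                 # result of that scan


@dataclass
class TransferRequest:
    device: MediaDevice
    task: str
    source: Zone
    destination: Zone
    now: datetime


SCAN_MAX_AGE = timedelta(hours=24)   # constructed policy value


def evaluate_transfer(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Apply the three portable-media controls and return (allowed, reasons).

    Every failed control is reported, not just the first, so the reviewer
    of a denied request sees the whole picture."""
    reasons: List[str] = []
    dev = req.device

    # Control 1: a portable asset is authorized for one specific task only.
    if dev.authorized_task != req.task:
        reasons.append(f"device {dev.serial} is not authorized for task {req.task!r}")

    # Control 2: movement from a less secure asset to a more secure one is
    # refused unless the device is dedicated to the destination zone
    # (assumed refinement of the sheet's "minimizing" wording).
    if req.destination > req.source and dev.dedicated_zone != req.destination:
        reasons.append(
            f"transfer from {req.source.name} into more secure {req.destination.name} refused"
        )

    # Control 3: a recent, clean malware scan is required before use.
    if dev.last_scan is None or not dev.scan_clean:
        reasons.append("no clean malware scan on record")
    elif req.now - dev.last_scan > SCAN_MAX_AGE:
        reasons.append("malware scan is older than the 24 hour limit")

    return (not reasons, reasons)


def demo() -> List[Tuple[str, bool]]:
    """Run the policy over constructed sample requests; returns (label, allowed) pairs."""
    now = datetime(2013, 2, 1, 9, 0)
    fresh = now - timedelta(hours=2)
    stale = now - timedelta(days=3)
    cases = [
        ("downward, authorized, fresh scan",
         TransferRequest(MediaDevice("USB-0001", "log-export", None, fresh, True),
                         "log-export", Zone.PLANT, Zone.CORPORATE, now)),
        ("upward with non-dedicated drive",
         TransferRequest(MediaDevice("USB-0002", "patch-load", None, fresh, True),
                         "patch-load", Zone.CORPORATE, Zone.CONTROL, now)),
        ("upward with drive dedicated to control zone",
         TransferRequest(MediaDevice("USB-0003", "patch-load", Zone.CONTROL, fresh, True),
                         "patch-load", Zone.PLANT, Zone.CONTROL, now)),
        ("wrong task, stale scan",
         TransferRequest(MediaDevice("USB-0004", "log-export", None, stale, True),
                         "patch-load", Zone.PLANT, Zone.CORPORATE, now)),
    ]
    results = []
    for label, req in cases:
        allowed, reasons = evaluate_transfer(req)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
        results.append((label, allowed))
    return results


if __name__ == "__main__":
    demo()
```

The ordering of `Zone` is what makes the direction check a one-line comparison, and reporting all failed controls rather than stopping at the first mirrors how such a denial would be reviewed under a plant's configuration-controlled work process.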