U.S. nuclear power plants bolster defenses against cyberattacks

against, say, a nation state.”

The directive describes what actions site operators must take to identify and protect “critical digital assets,” computer systems and components key to the protection of the plant that, if harmed, could produce a radiological incident, he added. A critical system is identified as any that performs or is relied on for plant safety, security and emergency preparedness; provides a pathway to a system that could be used to compromise, attack, or degrade those functions; supports systems that if compromised could adversely impact those defenses; or protects against any of those cyberattacks.

“In essence, we’re making sure that we have a shield up around the plant beyond normal firewalls that would protect against a cyberattack,” Walters said last week.

Licensees submitted their cybersecurity blueprints for the U.S. sixty-five nuclear power plants for commission review in November 2009, Correia told Matishak. The agency hopes to have the plans approved by next spring.

Power plant operators would then implement the programs, and the NRC’s four regional offices would begin inspections to verify they were being used as designed, he said.

Correia said his division is in continuous contact with the commission’s threat assessment branch, which evaluates intelligence information from various government agencies, to make any changes to the perceived cyber danger.

The commission also has put together a “mock adversary force” to test power plants’ digital preparedness as part of the overall NRC site inspection process, he added. The agency conducts “force on force” exercises at facilities to challenge their physical security assets. The mock enemy’s mission might include action against digital systems and components.

The U.S. nuclear power industry also is well positioned to address the evolving threat because of its size, according to Lewis. The sector only has 104 reactors at 65 plants, compared to thousands of electrical utilities. These companies are often too small to spend money to examine the cybersecurity or so large that it is glossed over, he said. “Does it mean [the atomic energy sector is] totally invulnerable? No,” Lewis told Matishak. “But if you’re an opponent you’re going to ask yourself, ‘Gosh, there’s so many easy targets, why should I go after hard targets when I can pretty much get the same bang for the buck with a lot less effort?’”

Walters said the industry has been “fairly proactive” on the issue even without the NRC orders, noting the Nuclear Energy Institute formed a task force in 2002 to develop cybersecurity guidelines, which received the regulatory agency’s blessing. That guidance delineated cybersecurity protection measures that should be installed on certain plant systems.

The institute also has established a nuclear sector council that meets with DHS officials on a quarterly basis to address potential security concerns, he said.

“With the requirements we have in place and with licensees knowing what they need to do in terms of security controls … we are in very good shape in terms of protecting against cyber attacks,” according to Walters.

Officials and experts agreed the United States has begun to pay more attention to cybersecurity over the last several years. More could be done, however, to counter the ever-evolving threat to the nation’s power grid, including nuclear reactors.

“If it was up to me, I would mandate that the electrical generation and distribution be provably disconnected from the [Internet],” Libicki said. He predicted that entities would argue that such a move would prove too costly.

Walters said nuclear plants are different from other utilities because many of their safety systems are already detached from the Web. “For a nuclear plant, when you’re talking about controls and the systems for safety, those things are really confined to the sites and there’s no output to the Internet. There are inherent safeguards that exist,” he told Global Security Newswire.

Lewis predicted it would take time to secure some of the nation’s power networks because “they were never designed to be secure. “We will just have to think; we can’t afford to replace everything at once,” he added.

Correia described cybersecurity in the nuclear realm as an “ongoing process” that would require continuous observation of what is happening within cyber space so that facilities could respond to developing threats. “Licensees have to be able to react to it quickly, to adjust their cyber plans … to defend against it if there’s an attack,” he said.