By Wayne Barber
Computer systems used in management of spent fuel at U.S. nuclear power plants are not connected to the Internet or business networks, a key line of defense against cyber threats, representatives for industry and the Nuclear Regulatory Commission said this week.
Nonetheless, a U.S. senator is seeking information from the NRC and other federal agencies about what government and industry are doing to fend off attacks in the wake of reports of foreign targeting of U.S. nuclear facilities.
“The NRC and the nuclear power sector have been vigilant when it comes to cybersecurity,” NRC spokesman Neil Sheehan said by email this week. “Critical safety systems are separated either physically or logically through hardware,” and not connected to the Internet or plant business systems, Sheehan added.
Nuclear facilities are required to have approved cybersecurity programs that involve everything from vulnerability assessments (including insider threats) to controls on “removable media” – such as portable devices that could conceivably be involved in attacks akin to the “Stuxnet” worm deployed against Iran’s nuclear program.
Sheehan said the Nuclear Regulatory Commission is working closely with law enforcement and Homeland Security following reports of cyberattacks against nuclear energy operations. The New York Times, for example, last week cited a federal law-enforcement finding that since May hackers have infiltrated computer networks of companies that manage nuclear power plants and other energy facilities.
“There has been no operational impact to any nuclear power plant or the North American electric grid as the result of this event,” Nuclear Energy Institute spokesman John Keeley said by email.
But Sen. Edward Markey (D-Mass.) highlighted the potential for sabotage of spent nuclear fuel storage pools Monday in asking the heads of several federal agencies for details about recent news reports.
“Given the consequences of a breach of safety at a nuclear power station – including the deliberate sabotage of the reactor core or the spent-fuel storage pool – evidence that foreign governments have targeted U.S. nuclear power stations must be treated with the utmost gravity,” Markey wrote in his letter to NRC Chair Kristine Svinicki, Energy Secretary Rick Perry, Defense Secretary James Mattis, Homeland Security Secretary John Kelly, and acting FBI Director Andrew McCabe.
He asked for answers by Aug. 10 to nine questions, including: how many U.S. nuclear power plants have been impacted by cyberattacks; how the various federal agencies are coordinating to counter the threat; and whether power plant operators are providing adequate resources to cybersecurity.
The senator, a member of the Senate Foreign Relations cybersecurity subcommittee, also asked for a classified briefing on potential cyber vulnerability of nuclear power and other key infrastructure.
Defenses Good, but Threat Growing, Expert Says
Spent fuel facilities are generally covered by the same set of cyber protections that defense nuclear power plants, given that’s where the spent fuel is housed.
The good news is that domestic nuclear facilities “are not playing catch-up on the cybersecurity threat,” said Dave Lochbaum, director the Union of Concerned Scientists’ Nuclear Safety Project. Rules codified by the NRC in the years following the Sept. 11, 2001, terror attacks have ramped up the lines of defense against cyberattacks, he noted.
There were two phases for plants to come into compliance with the requirements. The first phase was completed in 2012 and involved implementation of controls to protect plants’ most significant digital assets.
The second phase – due to be completed this year – entails full implementation of all changes required, according to the NRC. This encompasses additional cyber controls; cybersecurity awareness training for employees; incident response drills and testing; configuration management controls; and supply chain protection.
The bad news is that the cybersecurity risk is not static, but constantly changing, Lochbaum said.
When asked, Lochbaum said it’s possible that cyber intruders could pick up information of value by penetrating nonoperating systems.
“Right now, perhaps the biggest vulnerability nuclear plants face from hackers would be their getting information on plant designs (e.g., blueprints) and work schedules with which to conduct a physical attack,” according to Lochbaum.
Cyber risks at nuclear facilities are likely to become more complex as the operations become more digital, he added.
“As analog systems become more and more obsolete (and more and more costly to maintain), the business case for digital control replacements even for safety-related systems looks better,” Lochbaum said. “Even now, digital computers are connected to safety-related systems for diagnostics and monitoring. Because such connections are temporary, they are not governed by NRC’s regulations as stringently,” said the UCS official.
A nuclear engineer by training, Lochbaum worked at nuclear power plants for 17 years. He also acted as an industry whistleblower before joining UCS, according to his online biography. Lochbaum also worked at the NRC for a stint in 2009 before returning to UCS.
