Cybersecurity Blog: The Cyber Scene is evolving, are you?

Last month we sponsored the webcast “Diving deeper into the details of nuclear power security”, hosted by Intelligent Utility. The webcast features two speakers, well-respected within the nuclear energy community, William Gross, Sr. Project Manager, Engineering, Nuclear Energy Institute, and Matt Gibson, Senior Technical Leader, Plant Technology Nuclear Sector, EPRI. This blog will concentrate on William Gross’s piece in the webcast, focusing on Design Basis Threats, the first step in the NRC Cyber Security Framework.

When you think of nuclear power concerns, what words come to mind? There’s a good chance you think security and safety. Nuclear power is an industry that certainly faces its fair share of threats. With intrusions predicted to rise, nuclear asset owners should be actively exploring how to protect their systems and the public from both physical and cyber attacks.

How would we define threats to the nuclear power industry?

Gross explained in his presentation that the Nuclear Regulatory Commission (NRC) specifically defines two Design Basis Threats relating to the nuclear power industry:

  • Radiological Sabotage: This involves an attack on a nuclear power plant causing safety consequences such as radiological exposure to the public.

  • Theft and Diversion: This involves the theft of protected nuclear material that could be used to make nuclear weapons or radiological dispersion devices.

The outcomes from each Design Basis Threat are interconnected, putting both the safety and security of a nuclear power plant, as well as the public, at risk. Gross expressed that it is imperative for all nuclear power plants to develop and apply a program plan that can safely manage the two Design Basis Threats, radiological sabotage and theft and diversion. The NRC believes this program should address the threats through prevention, detection, response, and recovery.

Gross discussed the five modes of attack associated with the two Design Basis Threats:

  1. External Assault: An example would be breaking into a nuclear power plant building.
  2. Internal Threat: This would be a threat that originates inside the nuclear power plant.
  3. Land Vehicle Bomb Assault: An attack by a vehicle on land whose purpose would be to damage important safety equipment within the nuclear power plant.
  4. Waterborne Vehicle Bomb Assault: An attack by a vehicle on water whose purpose would be to damage important safety equipment within the nuclear power plant.
  5. Cyber Attack: This includes hackers trying to damage the nuclear power plant’s computer network and/or system.

Focusing further on the fifth mode of attack, a cyber-attack: How does cybersecurity fit into a nuclear power plant’s “physical” protection program?

“At nuclear power plants, cybersecurity is an integrated component of our overall physical protection strategy” – William Gross, Sr. Project Manager & Engineering Energy Central

Like the physical protections that nuclear power plants must implement, cybersecurity precautions are crucial to protecting against potential threats. According to Gross, the concerns surrounding a cyber-attack on a nuclear power plant concentrate on how it could affect the plant’s computers. He further explained that the computers of a nuclear power plant are used to control some of the plant’s equipment, as well as open files needed for managing the safety of the entire plant. The plant’s computers must be protected in order for equipment and systems to be maintained and fully capable of performing their intended function(s).

In 2009, the NRC distributed specific cybersecurity requirements to defend against the cyber-attack attribute of the two Design Basis Threats. The requirements outline that each power plant provide the NRC with 1) a cybersecurity plan and 2) an implementation schedule.

The nuclear power industry developed a unified template for the cybersecurity plan and implementation schedule as a publicly available document. Later, it was approved by the NRC, and seven milestones were due in December of 2012. In 2013, the NRC inspections began. Currently, Milestones 1-7 will complete in 2015, whereas Milestone 8 is still underway and will be finished by plants in the mid-to-late 2016-2017 time frame.

Webcast moderator and Intelligent Utility editor-in-chief, Kathleen Wolf Davis, kicked off the broadcast by enumerating a list of applicable security and cybersecurity lessons learned:

  1. Converge IT, OT, and physical security departments but beware cultural differences.
  2. Spread the digital security culture inherent in millennials to other generations in your business.
  3. Timely access to info is key, but security clearances are lacking.
  4. Don’t “Jon Bon Jovi” your security. “Livin’ on a prayer” is not a strategy. Stop just surviving.

Bill Gross circled back on these lessons in his closing thoughts:

  • He believes a good real-life example of lesson one is that cybersecurity is integrated into a nuclear power plant’s physical protection strategy.

  • When it comes to clearances and timely access to security information, each nuclear power plant makes sure to maintain a list of individuals that have security clearances both at the secret and top secret levels to ensure that they have the capability to access classified information if it becomes available and it is necessary for them.

  • And lastly, with regard to “Jon Bon Jovi”-ing one’s security, Gross has witnessed a commitment to pursuing proactive cybersecurity measures across the industry. As things change in the ever-evolving threat landscape, plants will need to continually assess if their protective strategies need to change.