This story was updated at 10:19 a.m. EDT.
Regulators of the nation’s nuclear plants and high-voltage power lines met yesterday for a top-level review of threats and hurdles each faces from cyberattacks, natural disasters and the grid’s disruptive transitions.
The public meeting of commissioners of the Federal Energy Regulatory Commission and the Nuclear Regulatory Commission highlighted common strategies both agencies are following. They include pursuing cyber risks from contaminated vendor equipment and software; addressing potential vulnerabilities in communications pathways; and prioritizing regulations on the most urgent issues. (The commissioners also met in private.)
The threat of cyberattacks through the power sector’s supply chain has become a top priority after disclosures that Havex and BlackEnergy reconnaissance malware had penetrated industrial control networks via corrupted software updates from vendors (EnergyWire, July 20).
The Department of Energy is encouraging the industry’s vendors to create a working group on supply chain vulnerabilities, and the issue is expected to be raised at the National Electrical Manufacturers Association’s meeting next month, officials said. A NEMA official said today the association intends to create a working group of senior industry executives patterned after the Electricity Sub-Sector Coordinating Council, which links utility executives with counterparts in government security agencies. The timing of this step not been settled, the official said.
NRC’s regulations cover nuclear plant operators’ equipment acquisition policies and supply chain protection. FERC, meanwhile, is seeking industry comment on creating a reliability standard for supply chain cyber issues and what its compliance timetable should be. Yet the commission has no direct regulatory handle on the utility sector’s hardware and software vendors, experts note.
FERC Commissioner Cheryl LaFleur commented after the meeting, "The one thing where we’ve heard that they are ahead of us is in looking at vendors. … That’s something we can potentially learn from."
NRC Chairman Stephen Burns said he took note of FERC’s actions on the issue. "That’s where attention needs to be focused," he said.
Several commissioners noted fundamental differences in their rulemaking authorities that allow nuclear regulation to go on a faster track. NRC’s guiding statute permits nuclear regulators to order nuclear plants to make changes to protect public health and safety. For FERC, Congress wrote a more complex, bottoms-up process in which FERC orders new regulations; they are drafted by industry representatives through the North American Electric Reliability Corp. (NERC), and then FERC can accept or reject the language, or call for changes, but not rewrite it.
"Although we’re very much related in what we do, the NRC is primarily a safety regulator, and we are primarily an economic regulator," said FERC Commissioner Philip Moeller.
It’s certainly a much more direct line of authority," agreed FERC Commissioner Tony Clark, speaking after the meeting. "If they want something to be done, they just do it."
A circuitous path
"Ultimately, we can get to the same spot, but it’s more circuitous, and it takes more time. If there’s an advantage to ours, it is that the grid is so tremendously complex that we need industry who actually operates it to provide their input. … The disadvantage, it’s slower. There’s no denying it," Clark said.
For example, to keep cyberattackers from hacking into the vital safety systems that control nuclear plant safety systems, NRC rules result in one-directional controls that allow data flows from these systems to move only outward — data may not flow into this top level. At a NERC security conference in Philadelphia last week, Owl Computing Technologies Inc. and Waterfall Security Solutions Ltd. showed off one-way data flow processors used in the nuclear power industry.
"The secret here is having at least one layer of unidirectional protection between the nontrusted corporate network, or worse, the Internet, and the reliability critical system," said Andrew Ginter, vice president of Waterfall, who spoke at the NERC conference. "It is literally impossible for a network attack to come through the gateways. It cannot send information in." One-way controls are not widely employed in the bulk power system, Ginter said.
Despite its more direct authority, NRC regulation has moved slowly on some difficult or controversial issues, particularly when there is strong industry pushback. Outside the United States, nuclear reactor operators have begun to install digital sensors and controls for reactor safety-related functions, said H.M. Hashemian, president and CEO of Analysis and Measurement Services Corp., which provides testing and analysis services to nuclear plant operators. But replacement of mechanical controls with software-dependent digital controls is not happening as rapidly in the United States. Some in the industry believe there is a concern at NRC that a common software vulnerability could cause a widespread software infection, Hashemian said.
"The more software is integrated into every layer of I&C (instrumentation and control) from large platform computer systems and microprocessor-driven control systems to software embedded in primary instrumentation and controllers — the greater the potential challenge posed by common mode failure," he said in a paper published by intechopen.com.
"Although wireless sensors and networks are well suited for equipment condition monitoring in nuclear power plants, they are not yet ready for control applications nor is it yet safe to attempt to use wireless sensors for equipment or process control," he wrote. "There is not a consensus on some of the issues," he added in an interview.
The challenge of regulating the morphing lines of cybersecurity attacks has led FERC to issues a series of expanding regulations.
LaFleur noted that FERC’s critical infrastructure protection regulations are now in their sixth version. "We’re already talking about what we do next," she said.
The complexity of the cyber challenges has also led NRC to prioritize its regulations into two stages, commissioners noted. NRC’s cyber regulations were completed in 2009. Plant operators were required to finish the first stage actions by 2012. Inspections of this stage are to be completed at the end of this year, and the entire process runs through 2017.
"We started with a rule that was too darn hard to execute," said NRC Commissioner William Ostendorff yesterday. The prioritized approach followed extensive meetings with the nuclear industry, he added. "One cannot spend enough time engaging with the people who have to execute this at the industry level," he said. "We’re not there yet. We’re making progress. It’s been a long road."
