The Nuclear Regulatory Commission is ramping up its cybersecurity oversight efforts this year amid ongoing hacking threats to nuclear power plant operators.
The agency has said it is aware of recently reported cyber intrusions at multiple U.S. nuclear generation sites, though government officials stress that hackers did not breach the safety systems regulated by the NRC.
The NRC has been relatively quiet since news broke in late June of the recent threats. Last week, it released a statement noting that its experts are in contact with law enforcement and homeland security officials. It noted, however, that the threat "is not related to the cyber assets under our regulations and oversight."
Meanwhile, the NRC has signaled it will launch reviews of nuclear power companies’ comprehensive cybersecurity plans throughout the rest of the year.
The agency published a sweeping "cybersecurity rule" in 2009 and carried out initial inspections from 2013 until 2015. But the latest round of oversight could offer less wiggle room for operators, according to Amy Roma, a partner at the Hogan Lovells law firm and a specialist in nuclear regulations.
The first inspections had a gentler "learning curve," Roma said. "For the industry, it was the first time they were getting inspected on this, and for the NRC, many of their inspectors came from banking or nonindustrial systems backgrounds."
She said she expects to see "some flexibility" as the NRC resumes cyber inspections this year, "but you have to still be making a good-faith effort" to lock down key systems. She noted that the eighth and final milestone of the cybersecurity rule has also been the hardest for operators to implement, while the NRC has beefed up its own cybersecurity expertise.
The final phase is about "pulling everything together: it’s the full implementation of your entire cybersecurity plan," she said. "You don’t know what you’re going to see, but I would expect — understanding it’s the most difficult milestone — that it’s a learning process on both sides."
The nuclear power industry has petitioned the NRC to carve out cybersecurity exemptions for at least nine facilities on track to be decommissioned.
The NRC has already granted an exception for at least one such plant — the Pilgrim Nuclear Generating Station in Massachusetts — while other requests, including for Exelon Corp.’s Oyster Creek Nuclear Generating Station in New Jersey, are still under review, a spokesman for the agency said Thursday.
In a letter to NRC Chairwoman Kristine Svinicki and other energy and security officials last week, Sen. Ed Markey (D-Mass.) questioned whether "implementation guidance" for U.S. nuclear reactors needed to "be updated to reflect changes in the severity of cyber-attacks on U.S. nuclear plants."
Citing reports of "phishing" and "watering hole" intrusions on nuclear networks, Markey also asked, "Wouldn’t it be more appropriate to increase the scope of the cybersecurity rule, rather than decrease it?"
Nuclear vs. grid
Cybersecurity experts point out that the nuclear power industry has long placed stringent digital controls in its most sensitive systems, many of which still run on old-fashioned "analog" systems anyway.
The NRC said its first round of cybersecurity checkups "revealed several very low security significance violations of cyber security plan requirements," with nothing that could have jeopardized nuclear plant safety.
Computer systems at the core reactor level are routinely sealed off from the outside internet via "data diodes," or pieces of equipment that can only physically transmit data in one direction — outward. When properly configured, such networks effectively guarantee that outside hackers can’t break in.
"Nuclear safety culture is certainly a lot more rigorous than other areas," including with regard to cybersecurity, Marty Edwards, managing director of the Automation Federation, said in a recent interview. Edwards previously led a team of industrial control system security specialists at the Department of Homeland Security.
Outside the reactor, security can undergo its own form of nuclear decay, he observed, with workers potentially less "in tune" than the carefully trained and vetted employees who deal directly with radioactive materials.
That’s not to say hacking any major utility with nuclear generation assets would be trivial, he quickly added.
On the grid side, another set of binding cybersecurity standards take effect: the Critical Infrastructure Protection (CIP) rules set by the North American Electric Reliability Corp.
"Love them or hate them, the NERC [CIP standards] have made a difference, even if you only consider the difference in awareness that it’s created," Edwards said.
Experts described a sharp line between the cybersecurity regulations governing the bulk power grid — set through NERC and the Federal Energy Regulatory Commission — and those that apply to nuclear power reactors, which are set through the NRC.
"The nuclear industry has been heavily regulated from the very beginning," said Rebecca Slayton, an assistant professor at Cornell University’s Department of Science and Technology Studies and an expert on grid cybersecurity standards. "The electric power system embraced economic regulation early on, but the whole move toward reliability and security regulations was very slow and late in coming. So it’s hard to compare the two. … They have very different histories."
Slayton, who has extensively researched the NERC CIP standards with funding from the Department of Homeland Security, said the now-mature security program has had its pros and cons.
While the CIP standards "established a minimum threshold of security among the organizations that might not have had that floor," they also occasionally added some disincentives to go above and beyond that baseline.
For instance, she said she found that CIP auditors would penalize companies for failing to comply with their own policies in certain circumstances — even if those policies were well ahead of NERC standards.
The NRC, for its part, has not yet levied civil penalties against nuclear operators for failing to meet the new cybersecurity rule or report intrusions. But Roma of Hogan Lovells said that from an operator’s perspective, it’s still "better for you to go to them than for them to come to you."
She also said government regulators could help bring more cybersecurity resources to the table.
"If you have a persistent threat and you’re being attacked by what appears to be a state actor, the only entity who’s capable of responding to that is another state actor, so you have to engage the government," she said. "You can’t take care of this by yourself."