If there is anything such as “critical infrastructure” where a cyber attack must be prevented by all means, it’s certainly the international fleet of nuclear power plants and associated facilities for the production, processing and storage of nuclear material. Potential cyber attacks against these facilities don’t cause concern in respect to the confidentiality, integrity, and availability of information, but in respect of public health and national security. While the majority of nuclear power plants still use analog safety systems that simply cannot be compromised by even the most sophisticated digital code, these analog systems are simply no longer available for purchase. Therefore, renewal projects for the instrumentation and control of nuke plants, and certainly new reactors, use digital devices for even the most sensitive systems and processes. Critical risk or acceptable? Well that’s what governments around the world need to figure out.
In the US, cyber security for nuclear power plants got its start as an industry best practice. Subsequent to the attacks of 9/11, many aspects of U.S. security were bolstered and nuclear power plants were considered among the most critical of critical infrastructure assets and therefore in need of additional security. Industry efforts were noteworthy and significant progress was made. However, the U.S. Nuclear Regulatory Commission (NRC) determined that industry efforts were insufficient and published a new cyber security rule in 2009 and cyber security guidance in 2010.
This graphic depicts a simplified view of the rulemaking process employed by the NRC and contrasts that to the process used by the U.S. Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). The primary difference being that the NRC does not employ a consensus based process and is driven primarily by public health and safety as opposed to reliability. Keeping the lights on is important, but not as important as protecting the public from unwanted nuclear radiation. The simple existence of the regulation tells everybody that the NRC, as many other regulators, do see a potential for radiological release caused by a cyber attack, and therefore the requirement to impose and audit regulation.
To remain relevant, regulatory frameworks must be viewed in light of the increasing sophistication of malware that is targeting industrial control systems that no longer enjoy security by obscurity. The cyber threat is fundamentally different than the safety hazards that have threatened nuclear power plants since their inception (e.g., metal fatigue, earthquakes, flooding, and equipment failure). The natural environment can be harsh, but it is not malicious or “out to get us” in any sense and cyber defenses must take this into account. Although the current regulatory framework may be considered a good start, it should also be considered the minimum of what must be done rather than the maximum of what can be done.
For a detailed treatment of this important topic download our latest whitepaper Regulating Nuclear Cyber Security: The Core Issues.