Hoping to avoid a proverbial “cyber Pearl Harbor,” in which a hacker causes major physical damage to U.S. infrastructure, the government is updating its rules for nuclear power plants.
The U.S. Nuclear Regulatory Commission (NRC) has published new cybersecurity regulations, which impose reporting requirements on nuclear facilities. Such facilities have been widely criticized as of late for reportedly maintaining outdated and insecure systems and skimping on anti-intrusion measures. The new rules, effective May 2016, are essential, the NRC says, to assist the agency in assessing and evaluating potential cyber-related threats.
“This rule establishes new cyber security event notification requirements that contribute to the NRC’s analysis of the reliability and effectiveness of licensees’ cyber security programs” the NRC said in a statement. It added that such rules would play “an important role in the continuing effort to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks.”
Moreover, the new requirements are intended to aid the NRC in reporting cybersecurity issues that pose a threat to public health or safety to the U.S. Department of Homeland Security and other federal intelligence and law enforcement agencies.
The new rules require power plant “licensees” to notify the NRC within one hour after the discovery any cyberattack that adversely impacts safety, security, or emergency preparedness functions, or ones that compromise support systems and equipment resulting in similar vulnerabilities. Additionally, power plants will have an eight-hour window in which to notify the NRC of any “observed behavior, activities, or statements that may indicate intelligence gathering or preoperational planning” related to a cyberattack.
A report published in early October by the London-based Chatham House noted that cyberattacks targeting nuclear energy facilities are becoming more widespread and easier to conduct, and those facilities are ill-prepared for attacks that may result in the release of ionizing radiation. Lapses in security can stem from a variety of on-site issues, including an unhealthy reliance on reactive security measures or poor communication between cybersecurity teams—which are often located off-site—and nuclear engineers.
The NRC contested the report, as it addresses nuclear facilities worldwide, not simply in the United States.
“The Chatham House report does not reflect the intensive effort the Nuclear Regulatory Commission has made to protect this country’s nuclear power plants from cyber threats,” David McIntyre, an NRC spokesman, told the Hill on Friday. “These efforts began with security orders issued soon after 9/11 and continued with regulations finalized in 2009 designed to protect critical digital assets and safety systems at the plants from the ever-changing cyber threat.”
Photo by Tennessee Valley Authority/Flickr (CC BY 2.0)