Cyber Security Regulation Strictly Regulated by NRC Feb 2013


Published by: Yury Chemerkin on Mar 06, 2013
Copyright: Attribution Non-commercial







Cyber Security Strictly Regulated by NRC; No Additional Regulation Needed
February 2013 
Key Points
The U.S. Nuclear Regulatory Commission (NRC) has extensive regulations for cyber security protection at nuclear energy facilities. Regulatory oversight by other agencies is unnecessary and would duplicate the already-strict NRC oversight.
The nuclear energy industry implemented a cyber security program in 2002 to protect critical digital assets and the information they contain from sabotage or malicious use. The industry has been strengthening its response in the years since.
The NRC in 2009 established regulations for cyber security at commercial reactors, even though critical computer systems used to control nuclear energy facilities are not connected to the Internet.
The industry has worked with federal regulators—including the NRC, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC)—to ensure that digital assets are fully protected. FERC initially proposed rules to cover portions of a nuclear energy facility but reversed its stance when it found that the NRC’s cyber security rulemaking covers the entire facility.
Cyber Security Systems
Nuclear energy facilities use both digital and analog systems to monitor plant processes, operate equipment, and store and retrieve information. Analog systems follow hard-wired instructions; digital computer systems use software to provide instructions. Digital systems, including individual computers and networks, are vulnerable to cyber attacks, which include malicious exploitation and infection by malware such as viruses, worms and other types of programming code.
Nuclear energy facilities are designed to shut down safely if necessary, even if there is a breach of cyber security. A cyber attack cannot prevent critical systems in a nuclear energy facility from performing their safety functions. Among other measures, these critical systems are not connected to the Internet or to a facility’s internal network. The isolation of critical safety systems minimizes the pathways for a cyber attack. Nuclear energy facilities also are designed to automatically disconnect from the power grid if there is a disturbance that could be caused by a cyber attack.
No Need for Duplicative Federal Oversight
The White House has proposed that the Department of Homeland Security work with critical infrastructure sectors, including the electric sector, to devise strategies to secure computer systems and protect them against cyber threats. Under the proposal, the agency could develop a cyber security strategy for facilities that do not have one. The electric power sector is the only industry with mandatory, enforceable cyber security standards—Critical Infrastructure Protection standards. Moreover, nuclear power plants are strictly regulated in this area by NRC regulations and oversight. Additional regulation would be duplicative and would risk creating inconsistencies in requirements.
Cyber Protection in Place at Nuclear Power Plants
The Nuclear Energy Institute has developed the only comprehensive cyber security program specifically designed for control system and critical infrastructure security and the first of its kind within the energy sector. All nuclear power plants adopted the NEI cyber security program in 2006 and had implemented it by 2008.
A year later, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. NRC regulation covers all areas of a plant, including those that might otherwise be subject to NERC’s critical infrastructure protection reliability standards or proposed Department of Homeland Security oversight.
Every company operating nuclear power plants has earned NRC approval for a cyber security plan that describes how the facility is implementing its cyber security program. Companies also provided the NRC with a schedule describing the actions toward full implementation of its cyber security program. The NRC has reviewed and approved each of these schedules and regularly inspects cyber protection measures at U.S. reactors.
Five Steps That Provide Protection
Each U.S. nuclear power plant has taken the following measures to ensure protection against cyber threats:
Isolated key control systems using either air-gaps, which do not implement any network or internet connectivity, or installed robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants are protected from any network-based cyber attacks originating outside the plant.
Enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, CD, and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include authorizing use of portable assets to the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well-protected from attacks like Stuxnet, which was propagated through the use of portable media.
Heightened defenses against an insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.
Implemented cyber security controls to protect equipment deemed most essential for the protection of public health and safety.
