against cyber threats. Under the proposal, the agency could develop a cyber security strategy for facilities that do not have one. The electric power sector is the only industry with mandatory, enforceable cybersecurity standards—Critical Infrastructure Protection standards. Moreover, nuclear power plants are strictly regulated in this area by NRC regulations and oversight. Additional regulation would be duplicative and would risk creating inconsistencies in requirements.
Cyber Protection in Place at Nuclear Power Plants
The Nuclear Energy Institute has developed the only comprehensive cyber security program specifically designed for control system and critical infrastructure security and the first of its kind within the energy sector. All nuclear power plants adopted the NEI cyber security program in 2006 and had implemented it by 2008. A year later, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. NRC regulation covers all areas of a plant, including those that might otherwise be subject to NERC’s critical infrastructure protection reliability standards or proposed Department of Homeland Security oversight.
Every company operating nuclear power plants has earned NRC approval for a cyber security plan that describes how the facility is implementing its cyber security program. Companies also provided the NRC with a schedule describing the actions toward full implementation of their cyber security programs. The NRC has reviewed and approved each of these schedules and regularly inspects cyber protection measures at U.S. reactors.
Five Steps That Provide Protection
Each U.S. nuclear power plant has taken the following measures to ensure protection against cyber threats:
Isolated key control systems using either air gaps, which do not implement any network or internet connectivity, or robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants is protected from any network-based cyber attacks originating outside the plant.
Enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, CDs, and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include authorizing use of portable assets for the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well-protected from attacks like Stuxnet, which was propagated through the use of portable media.
Heightened defenses against an insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.
Implemented cyber security controls to protect equipment deemed most essential for the protection of public health and safety.