Safe from a cyberattack?

Nuclear regulatory officials formalize security standards for safety systems

Nuclear Regulatory Commission officials are preparing to write new computer and software standards for safety systems in nuclear power plants.

NRC officials released a 15-page draft guide, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," in December 2004. They are seeking public comment before revising the draft, a process that could take six months or more. The new document will eventually replace a three-page guide that NRC officials issued in January 1996 for ensuring the safety of the nation's 103 nuclear power plants.

Regulatory guides are not substitutes for regulations, and compliance is voluntary.

Satish Aggarwal, a senior program manager in NRC's Office of Nuclear Regulatory Research, said NRC officials promote safety standards developed by the Institute of Electrical and Electronics Engineers. But those don't include cybersecurity standards, he said.

"We know it will take [institute members] three to five years before they can come out with a consensus standard," Aggarwal said. But after the Sept. 11, 2001, terrorist attacks, he said, NRC officials recognized an immediate need for cybersecurity guidelines.

Jim Davis, director of operations at the Nuclear Energy Institute, a policy organization for the nuclear energy and technologies industry, said the NRC document updates engineering design criteria by including cybersecurity in the design process. A previous guide failed to address computer and software


Extensive security checklists guide owners and operators of nuclear power plants. The new document would formalize security policies and procedures that NRC officials and plant operators already follow, Aggarwal said.

"Our experience indicates that what we put on paper voluntarily gets implemented in all plans," he said.

Jim Riccio, a nuclear policy analyst at Greenpeace, said he hadn't seen the draft guide but said such guides should be mandatory. According to reports, viruses and worms have penetrated several nuclear power plants' networks during the past few years, he said.

"They've known since early 2000 these systems were susceptible to viruses," Riccio said. "At least NRC is getting around to closing the barn door."

Davis said industry officials have been worried about cybersecurity since at least 1997. In 2001, the Slammer worm penetrated a private computer network in Ohio's Davis-Besse nuclear power plant. Davis said the plant was not operating at the time, and the attack probably would not have interfered with the safety systems even if the plant had been operating.

Nuclear plants have multiple levels of protection, Davis said, but every wide-area network is vulnerable to some level of intrusion. Still, vulnerability doesn't always pose a safety problem, he added.

Nevertheless, NRC officials issued an order in February 2002 asking industry officials to reduce the likelihood of a cyberattack penetrating even peripheral systems that support nuclear plants.

The new security guide is only a starting point, Aggarwal said. "The bottom line is we want to secure the power plants in every way we can."


NRC responds to terrorism concerns

Since the Sept. 11, 2001, terrorist attacks, Nuclear Regulatory Commission officials have taken steps to improve cybersecurity.

Here's a timeline of recent NRC actions.

Oct. 6, 2001: Issued a safety advisory.

Feb. 15, 2002: Issued a safety advisory for backbone networking devices.

Feb. 25, 2002: Issued an order for security


October 2002: Started developing a cybersecurity vulnerability self-assessment methodology for nuclear power plants.

April 29, 2003: Issued an order for modifying physical security systems.

Source: Nuclear Regulatory Commission letter to Rep. Edward Markey (D-Mass.)
