Today's nuclear power plants can produce huge amounts of clean energy from small amounts of fuel. What they can't do, however, is be 100 percent certain there isn't a hacker somewhere in the world eager to tamper with and use their controls for more nefarious purposes.
That's why the U.S. Nuclear Regulatory Commission (NRC) added Rule 10CFR73.54 to the Code of Federal Regulations in 2009. Designed to protect against digital sabotage, the new rule requires the nation's 94 nuclear power plants to provide "high assurance" that their computer and communication systems and networks are adequately protected from cyber attack.
"What the rule didn't explain was exactly how they were supposed to accomplish that," explains Steve Carr, a Burns & McDonnell cyber security consultant.
That's where the Nuclear Energy Institute, an industry trade group, stepped in. Working with more than 20 cyber security experts from the nuclear industry — including Carr — the institute developed guidelines that prescribe how the nation's nuclear plants should comply with the rule.
The result: NEI 0809, which lists approximately 130 controls that must be in place on each of the hundreds of critical digital assets in every nuclear power plant. Plants have until Dec. 31, 2012, to implement the guidelines and achieve compliance with the NRC's rule.
A Tool for Tracking Cyber Assets
With little more than a year to go before the deadline, compliance efforts are a work in progress," says Carr, who co-authored the guidelines and is part of a Burns & McDonnell Cyber Security Group that works with plants to implement them. "The key is making sure a plant's leadership understands the controls needed to protect their assets and how to implement them without interfering with day-to-day operations."
To bring order to the process, Burns & McDonnell developed an electronic asset tracking tool that identifies cyber gaps in a plant's critical digital assets.
Users enter an inventory of these assets, along with the controls that have been applied to them, into a database. The auditing tool then looks for gaps in the controls that may put the assets at risk of attack.
The controls themselves cover everything from physical security — can the asset be locked? — to access questions — is each user's access locked down to the lowest level required for the job?
"To achieve compliance with the NRC rule, every single one of a plant's digital assets must have all 130 controls applied to it," says Carr. Burns & McDonnell is implementing its auditing tool in seven nuclear power plants.
"In the case of nuclear power plants, hackers aren't interested in stealing data but in manipulating specific processes in a way that causes a radiation release or a shutdown of a nuclear reactor," Carr explains. That includes everything from interrupting the power supply to a plant to shutting down the water pumps used to cool a reactor.
"Our goal is to protect the public by preventing any nuclear reaction or shutdown that is not planned," says Carr. "That means plugging every possible cyber security gap."
For more information, contact Jerome Farquharson, 314-682-1628.