Safe from a cyberattack?

Nuclear Regulatory Commission officials are preparing to write new computer and software standards for safety systems in nuclear power plants.

NRC officials released a 15-page draft guide, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," in December 2004. They are seeking public comment before revising the draft, a process that could take six months or more. The new document will eventually replace a three-page guide that NRC officials issued in January 1996 for ensuring the safety of the nation's 103 nuclear power plants.

Regulatory guides are not substitutes for regulations, and compliance is voluntary.

Satish Aggarwal, a senior program manager in NRC's Office of Nuclear Regulatory Research, said NRC officials promote safety standards developed by the Institute of Electrical and Electronics Engineers. But those don't include cybersecurity standards, he said.

"We know it will take [institute members] three to five years before they can come out with a consensus standard," Aggarwal said. But after the Sept. 11, 2001, terrorist attacks, he said, NRC officials recognized an immediate need for cybersecurity guidelines.

Jim Davis, director of operations at the Nuclear Energy Institute, a policy organization for the nuclear energy and technologies industry, said

the NRC document updates engineering design criteria by including cybersecurity in the design process. A previous guide failed to address computer and software

security.

Extensive security checklists guide owners and operators of nuclear power plants. The new document would formalize security policies and procedures that NRC officials and plant operators already follow, Aggarwal said.

"Our experience indicates that what we put on paper voluntarily gets implemented in all plans," he said.

Jim Riccio, a nuclear policy analyst at Greenpeace, said he hadn't seen the draft guide but said such guides should be mandatory. According to reports, viruses and worms have penetrated several nuclear power plants' networks during the past few years, he said.

"They've known since early 2000 these systems were susceptible to viruses," Riccio said. "At least NRC is getting around to closing the barn door."

Davis said industry officials have been worried about cybersecurity since at least 1997. In 2001, the Slammer worm penetrated a private computer

network in Ohio's Davis-Besse nuclear power plant. Davis said the plant was not operating at the time, and the attack probably would not have interfered with the safety systems even if the plant had been operating.

Nuclear plants have multiple levels of protection, Davis said, but every wide-area network is vulnerable to some level of intrusion. Still, vulnerability doesn't always pose a safety problem, he added.

Nevertheless, NRC officials issued an order in February 2002 asking industry officials to reduce the likelihood of a cyberattack penetrating even peripheral systems that support nuclear plants.

The new security guide is only a starting point, Aggarwal said. "The bottom line is we want to secure the power plants in every way we can."

***

NRC responds to terrorism concerns

Since the Sept. 11, 2001, terrorist attacks, Nuclear Regulatory Commission officials have taken steps to improve cybersecurity.

Here's a timeline of recent NRC actions.

Oct. 6, 2001: Issued a safety advisory.

Feb. 15, 2002: Issued a safety advisory for backbone networking devices.

Feb. 25, 2002: Issued an order for security

enhancements.

October 2002: Started developing a cybersecurity vulnerability self-assessment methodology for nuclear power plants.

April 29, 2003: Issued an order for modifying physical

security systems.

Source: Nuclear Regulatory Commission letter to Rep. Edward Markey (D-Mass.)