Part 3 of 4 Parts (Please read Part 1 and Part 2 first)
The NEI petition goes on to say that such a narrowing of NRC cybersecurity regulations would result in a substantial reduction in burden for nuclear plant operators’ employment of digital equipment. At the same time, it would ensure adequate protection against cyberattacks.
The NEI petition triggered a review of cybersecurity regulations at the NRC that is still going on. The NRC is currently conducting cybersecurity inspections of all U.S. nuclear power reactors. The NRC hopes to finish the inspections by the end of 2020.
Edwin Lyman is the action director of the Nuclear Safety Project at the Union of Concerned Scientists. He said that the NRC caution about the revision of cybersecurity regulations is appropriate. He also said that cybersecurity threats were unpredictable. This means that the regulation of digital hardware and software at nuclear power plants should be as broad as possible. “By narrowing [the guidance], you are assuming you know exactly what the adversary is going to do, and that's a mistake.”
Lyman has pointed out that a piece of equipment that would not seem to be related to a radiological sabotage attempt might be critical if there was a simultaneous physical attack on a nuclear power plant. As an example, hacking the communication devices used by plant security would not, in itself, be a radiological threat. However, if the communication devices were hacked while the plant was under physical attack that threatened the integrity of the core, the ability of plant security personnel to respond to the attack might be compromised.
Bill Gross is a cybersecurity expert working for the NEI. He said that the nuclear industry in the U.S. has strong cybersecurity policies and can defend against a variety of attacks. One of the main lines of defense is “air gapping.” In addition, “we don't let portable media or the laptops we use to go outside the plant. We keep them in the plant in the maintenance locker.” If a device could contain a virus, trojan horse, malware or worm, it is firescanned as it is taken from the locker and firescanned when it is returned to the locker. Gross said that the challenges associated with adding more digital instruments and controls to nuclear power plants is “not a hurdle that's beyond what the utilities are more than willing to put up with to get the safety benefits they could get from modernizing their older systems.”
The safety benefits of installing digital instruments and controls follow from the improvement of reactors operations in general. Several reactors in the U.S. have recently been retired early because it was too expensive to maintain and operate them in the current low power price U.S. marketplace. Additional U.S. nuclear power plants face the same fate. Digital controls can lower the cost of nuclear plant operation and can also assist in capturing more revenues.
Please read Part 4 next