Cyber security experts from the United States nuclear power industry discussed efforts taken to protect the nation’s nuclear plant fleet from cyber-attacks. This topic, recently having been brought into discussion following the famed Stuxnet computer worm attacks on Iran’s enrichment facilities, is one of upmost concern for nuclear plant operators.
Nuclear plant operators are required through federal nuclear regulations to build into their facilities safeguards against possible cyber-attacks, but plants also self-regulate and share working procedures through the Institute for Nuclear Power Operations (INPO). Gary Garret of INPO, a member of the four person panel discussion at the American Nuclear Society (ANS) Annual Meeting last week, shared that his organization evaluates all U.S. nuclear plants to insure that they are properly guarded against attacks.
The panel assured attendees that the equipment used to control operation of nuclear reactor systems is 100% electrically isolated from external access, a security paradigm called a ‘data diode’. Any changes to the system would need to be approved through the Nuclear Regulatory Commission (NRC), and both software and hardware components of the system would be evaluated to insure proper operation upon delivery from vendors. On top of these steps, all security and operational personnel are trained to recognize malicious behaviors and report suspicious activities.
When asked about attacks similar to the spread of the Stuxnet computer worm, panelists said that it was mainly due to social engineering that the attack took place. However, current security measures rely primarily on judicious human performance and training to prevent a similar attack from occurring in the United States. The establishment of this safety culture, key to preventing cyber-attacks from occurring on critical plant systems, was also emphasized as being the most the biggest challenge for nuclear plants to properly implement.