The Nuclear Regulatory Commission released new rules on Friday governing how nuclear power plants must report cyber security events on their networks, one day after President Obama said the U.S. is not doing enough to protect critical infrastructure such as power grids from cyberattacks.
“This rule establishes new cyber security event notification requirements that contribute to the NRC’s analysis of the reliability and effectiveness of licensees’ cyber security programs and plays an important role in the continuing effort to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat,” a notice pending publication in the Federal Register reads.
The London-based international policy think tank Chatham House published a study earlier this month reporting the majority of nuclear power plants around the world are not prepared to withstand cyberattacks.
According to the 18-month study, most nuclear power plants are "insecure by design," and reporting of cyber incidents is infrequent at best, meaning plants potentially face far more hostile cyber activity than their personnel are aware of.
The study's authors also found connections to the public Internet on plant networks that were thought to be isolated; some of those connections had been indexed by search engines, making them readily identifiable weak points for attackers. Personnel responsible for those networks were frequently unaware the connections existed.
The finding undercuts the common belief within the industry that nuclear power plants are safe from hackers because their control systems typically sit on air-gapped networks, that is, networks with no physical connection to the Internet. The report also notes that the Stuxnet worm, reportedly developed in secret and deployed by the U.S. to sabotage Iran's nuclear program, inflicted significant physical damage on Iranian nuclear centrifuges after being carried across the facility's air gap on USB drives. An air gap, in other words, is only as strong as the controls on removable media and on undocumented network connections around it; declaring a network isolated does not make it so, and the isolation has to be verified and maintained.
“As cyber criminals, states and terrorist groups increase their online activities, the fear of a serious cyber attack is ever present,” the study reads. “This is of particular concern because of the risk – even if remote – of a release of ionizing radiation as a result of such an attack. Moreover, even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry.”
The report also found a breakdown in communication between plant engineers and the information technology engineers charged with maintaining cybersecurity. As a result, plant engineers often fail to grasp cybersecurity best practices, and on-site training focuses on reactive rather than preventive measures.
On Thursday President Obama declared November “Critical Infrastructure Security and Resilience Month,” a follow-up to October’s “National Cybersecurity Awareness Month.”
“By some estimates, we are currently underinvesting in our infrastructure by hundreds of billions of dollars each year,” Obama said in a White House proclamation Thursday. “Not only is it a threat to our national security, but failing to maintain and strengthen our infrastructure also jeopardizes our economic growth and closes doors of opportunity for all our citizens.”
National Security Agency Director Adm. Mike Rogers said earlier this year that he expects a major cyberattack against critical U.S. infrastructure to take place during his tenure as head of the NSA and U.S. Cyber Command.
“I believe that during my time as the commander of United States Cyber Command, I will be directed to deploy capability from U.S. Cyber Command to defend critical U.S. infrastructure, either in anticipation of, or in the aftermath of a significant cyber event,” Rogers said in July.
“Not yet, but it’s the ‘when’, not the ‘if’, to me,” he added.
The NRC isn't the only agency taking steps to improve U.S. cyber defenses. In August the Department of Homeland Security created a committee to begin assessing the security of "lifeline" utilities and raising their cybersecurity posture to guard against a potential "cyber Pearl Harbor."
On Tuesday the Senate passed the Cybersecurity Information Sharing Act, which, in addition to granting companies legal immunity for sharing cyber threat data with DHS, gives the department more authority to repel cyberattacks on federal agencies, sets new cybersecurity standards for federal agencies, and speeds up the rollout of "Einstein," the government's automated intrusion detection and prevention system for federal networks.