James Wiggins, director of the Office of Nuclear Security and Incident Response at the NRC, spoke today on future nuclear power plant security, emphasizing the need for it to be based in both operational and information technology expertise. While the role for IT professionals in power plants is crucial, he said, it must work in tandem with systems engineering expertise. Understanding the physical consequences of cybersecurity threats is key to mitigating cyber risks, he said.
The talk is part of a conference on Commercial Nuclear Power Cybersecurity, which got underway today with talks by representatives from a range of government security organizations, who each reviewed cybersecurity risks to nuclear power and the regulatory policies in development to deal with them. The University of Maryland conference brings together regulators, industry engineers, and academics to discuss collaborative approaches to deal with the unprecedented nature of cyber threats to an industry that’s already undergoing scrutiny from multiple angles.
Wiggins’ perspective is rooted in his knowledge of power plant systems: he began his career with the NRC as a reactor inspector in 1980. But a lot has changed in system control since then, as more and more plants are using SCADA (supervisory control and data acquisition) to manage their operations digitally. Wiggins admitted that it’s tricky to apply the methods and paradigms of physical security to the digital realm.
The industry now has examples like Stuxnet to consider, and has to imagine scenarios, Wiggins said, like what someone could do with a thumb drive, or what someone could do within a single software program. The idea of securing self-contained parts of a power facility becomes moot when it houses a network of technologies.
That leads to Wiggins’ foremost cybersecurity concern, which lies in the complexity of the supply chain for nuclear power plant technologies. A nightmare scenario he has imagined, he said, is based on the network of companies and individuals involved in bringing digital systems to plants. While it’s possible to keep a plant disconnected from the Internet as a source of cyber threats, or to restrict physical access to a plant, SCADA system designs are harder to supervise, and encompass multiple entry points for threats, even at the operating system level.
Wiggins said that the regulations and new plans that the NRC is refining in order to meet new cybersecurity challenges are ahead of cybersecurity preparation in other industries, but that it's a stretch to say that they are ahead of the curve.
Modifying the licensing process for future reactors is one component of new preparedness measures. Wiggins said that the NRC traditionally holds vendors responsible for operational success and failure in individual plants once they are certified. But in the construction of older plants, regulators discovered a series of mechanical problems caused by falsely certified materials. This led to a niche effort within the agency to prevent counterfeit and fraudulent materials from entering nuclear power plant construction.
The 21st century version of mediating these kinds of production involves the multifaceted SCADA systems that are used in modern plant system operation and control. The NRC receives proposals for system component designs from different vendors, and certifies the ones that meet its regulatory criteria. Then, when licensees of new reactors work with the NRC, they can choose from NRC-certified designs. While this process works from a legal standpoint, Wiggins said, its role in mitigating modern manufacturing vulnerabilities is still in development.
Another high-priority challenge for the nuclear industry and its governance that Wiggins addressed lies in NRC communications. Wiggins explained that when threats are identified by entities like the Department of Homeland Security, the NRC assumes the responsibility of alerting power plants. From there, the NRC presumes that the systems and personnel in the plants will react appropriately. However, he admitted that the communication system itself for disseminating such alerts may not function as well as he hopes it will in the future.
Wiggins said communicating threats should ideally involve the right combination of information security professionals and operations engineers, but it's not always easy to map out a perfect communications network.