Nukes getting second-to-last cyber check

The government is putting $12 million toward completing its cybersecurity vetting of nuclear power plants.

The Nuclear Regulatory Commission (NRC) has awarded a contract to test nuclear plants’ compliance with the final phase of a cybersecurity program launched in 2009.


At the start of the program, nuclear plants were given a generic cybersecurity template, which they were required to fill in with their own cyber defense tactics. NRC has been periodically checking in since then.

This newest round of inspections comes ahead of a final check by the NRC next year.

Nuclear power plants are one of the few industries with strict cybersecurity oversight, with rules put in place shortly after the terrorist attacks of 9/11.

NRC eventually put an interim cybersecurity program in place in 2004, requiring nuclear plants to prove they could defend against cyberattacks intended to spread radiological material or pilfer nuclear material.

Nuclear plants are often used as the example of how a single cyberattack could have devastating consequences.

The Stuxnet computer virus — one of the most ruinous cyberattacks — destroyed almost 20 percent of Iran’s nuclear centrifuges and infiltrated a Russian nuclear power plant, according to security experts. The United States and Israel are suspected to be behind the virus.

Nuclear plants were invoked Wednesday by privacy advocates explaining the imperfections of government hacking techniques.

“In the physical world, entering a structure, you’re sure it won’t fall down,” said Joe Hall, chief technologist at the digital rights advocate Center for Democracy and Technology. “We cannot be so sure online. If you make a mistake, it could be a nuclear power plant.”

Most of the policy focus on cybersecurity  — both on Capitol Hill and in public — has centered around retailers and banks, following major data breaches at Target, Home Depot and JPMorgan.