The government is moving forward with new cybersecurity requirements for nuclear power plants.
The rules will require greater reporting of cyber incidents in the hopes of better understanding the digital threats facing nuclear reactors.
In recent years, both independent and state-backed hackers have been accused of infiltrating nuclear power plants around the world. While none of these intrusions have led to physical harm, security specialists see the possibility as one of the most dangerous scenarios in cyberspace.
In an effort to get ahead of this threat, the Nuclear Regulatory Commission (NRC), an independent regulatory agency, on Friday released a new set of reporting requirements.
The increased information will aid in the NRC’s “analysis of the reliability and effectiveness” of cybersecurity programs for nuclear power reactors, according to a Federal Register notice.
Heightened awareness of this threat is increasingly important as governments start to target nuclear plants in their burgeoning offensive cyber programs.
It’s widely believed the U.S. and Israel were behind a 2010 cyberattack that crippled nearly one-fifth of Iran’s nuclear centrifuges.
More recently, South Korea accused North Korea of hacking into one of its nuclear plants. The intrusion exposed sensitive data, but didn’t endanger the plant’s reactors.
A recent report also warned that the nuclear industry is in a “culture of denial” over these hacking risks.
Chatham House, an international affairs think tank, spent 18 months interviewing top nuclear officials and investigating nuclear power plants around the world. The results were not comforting.
“Cybersecurity is still new to many in the nuclear industry,” Caroline Baylon, the report’s author, told the Financial Times earlier this month. “They are really good at safety and, after 9/11, they’ve got really good at physical security. But they have barely grappled with cyber.”
Many plants still have control systems linked to the Internet, for example, exposing nuclear reactors to potential digital hijackings.
Overall, the report found 50 cyber incidents at nuclear plants, some of which nearly led to meltdowns. For instance, the safety system at an Alabama nuclear plant was overwhelmed with network traffic, almost triggering a catastrophe.
The NRC pushed back against the report, maintaining that it ignored many steps regulators had already taken to ensure that these type of disasters don't occur.
"The Chatham House report does not reflect the intensive effort the Nuclear Regulatory Commission has made to protect this country’s nuclear power plants from cyber threats," said David McIntyre, an NRC spokesman. "These efforts began with security orders issued soon after 9/11 and continued with regulations finalized in 2009 designed to protect critical digital assets and safety systems at the plants from the ever-changing cyber threat."
"The rule published today extends that effort by setting requirements and timelines for reporting cyber incidents to the NRC," he added.
— Updated 4:16 p.m.