Cyber Security for Radioactive Byproduct Materials Licensees
In 2013, a U.S. Nuclear Regulatory Commission (NRC)/Agreement State working group (i.e., the Byproduct Materials Cyber Security Working Group) was formed to evaluate: (1) the potential consequences that may occur if the availability, integrity, or confidentiality of data or systems associated with risk-significant quantities of radioactive material1 were compromised by a cyber attack, and (2) whether additional regulatory measures or guidance were needed to ensure adequate protection against cyber security threats. (See SECY-12-0088, "The Nuclear Regulatory Commission Cyber Security Roadmap," (Roadmap) dated June 25, 2012, for an overview of the NRC's approach, or roadmap, for evaluating the need for cyber security requirements for various categories of nuclear and radioactive materials licensees and facilities.)
The working group completed its evaluation in summer 2017 and, as a result of its comprehensive analysis, concluded that risk-significant radioactive materials licensees do not rely solely on digital systems to ensure either safety or physical protection. Rather, these licensees generally employ a suite of measures, such as doors, locks, barriers, human resources, and operational processes, to ensure security, reflecting a defense-in-depth approach to physical protection. The staff found that a compromise of digital assets2 (including only the operability of those systems for which the NRC has regulatory authority) would not result in a direct dispersal of risk-significant quantities of radioactive material, or exposure of individuals to radiation, without a concurrent and targeted breach of the physical protection measures in force for these licensees. Such a cyber attack alone would not result in any onsite or offsite consequences. Therefore, the working group determined that the current cyber security threat faced by risk-significant radioactive materials licensees does not warrant developing new regulations related to protection of their material against cyber security threats. This determination also aligns with the determination made with respect to facilities (such as non-power reactor facilities and independent spent fuel storage installations) that could have similar resultant consequences from a cyber attack.
Although the working group determined that no regulatory changes were warranted, they identified that it would be prudent to develop an Information Notice to communicate effective practices for cyber security for risk-significant radioactive materials licensees. The Information Notice, dated August 14, 2019, provides licensees a better understanding of contemporary cyber security issues and enables licensees to consider strategies to protect digital assets (e.g., computers, digital alarm systems), including those assets used to facilitate compliance with physical security requirements such as 10 CFR Part 37, "Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material." The NRC staff leveraged existing cyber security guidance, such as that developed by NRC for non-power reactors, entitled, "Cyber Security: Effective Practices for the Establishment and Maintenance of Adequate Cyber Security at Non-Power (Research and Test) Reactor Facilities," and that developed by other Federal agencies, in its development of effective practices.
The NRC, as well as other partner agencies, will continue to monitor the constantly evolving cyber security threat landscape and coordinate cyber security efforts such as sharing of effective practices and coordination of outreach efforts with Federal and State partners and stakeholders.
For more information, please see the following topic on this page:
Background
Shortly after the terrorist attacks of September 11, 2001, the NRC issued a series of orders to its nuclear power plant licensees as well as to fuel cycle facilities and risk-significant radioactive materials licensees to enhance their overall security. These orders specified numerous security measures such as fingerprinting of individuals with access to radioactive materials, increasing physical security, and coordinating with local law enforcement in order to facilitate preparedness to respond to a security incident at a licensee facility.
For nuclear power plant licensees and applicants, which could be the subject of a greater impact and resultant consequence from a cyber attack when compared to other classes of licensees, the orders also included specific requirements for addressing certain cyber security threats and vulnerabilities and added cyber-attacks to the adversary threat types the nuclear power plants must be able to defend against. In March 2009, the NRC issued a new cyber security rule to codify cyber security requirements for nuclear power plant licensees and applicants. This new rule, 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks," requires licensees to submit a cyber security plan and an implementation schedule for NRC approval.
Following the cyber security efforts initiated for nuclear power plant licensees and the increased emphasis on critical infrastructure cyber security and preparedness, the NRC, in a graded approach based on risk significance, also considered the need for similar cyber security requirements for fuel cycle facilities, spent fuel storage facilities, non-power reactors, decommissioned nuclear facilities, and risk-significant radioactive materials licensees.
As the NRC continued to focus on its priority of imposing physical security requirements on risk-significant radioactive materials licensees, the NRC staff formed the Byproduct Materials Cyber Security Working Group in July 2013, as part of the process of evaluating the need for cyber security-related regulatory requirements and/or guidance.
The following year, the Radiation Source Protection and Security Task Force added a new cyber security-related recommendation (2014 Recommendation 1) to the 2014 Radiation Source Protection and Security Task Force Report which was submitted to the President and Congress. The recommendation called for U.S. Government agencies to assess the adequacy of, and coordinate strategies for, preventing and mitigating cyber security vulnerabilities related to Category 1 and 2 radioactive sources. The efforts of the NRC/Agreement State Byproduct Materials Cyber Security Working Group are being tracked as part of the recommendation's status. In addition, on January 6, 2016, a memorandum entitled, "Staff Activities Related to the Evaluation of Materials Cyber Security Vulnerabilities," was issued to the Commission to inform the Commission of the actions that the NRC staff was taking to evaluate and develop any regulatory measures or guidance to manage the risk to information and digital systems for radioactive materials licensees.
1 Risk-significant quantities of radioactive material are defined as those meeting the thresholds for Category 1 and Category 2 as included in Appendix A of 10 CFR Part 37.
2 The four digital assets assessed include: 1) digital/microprocessor-based systems and devices that support the physical security of the licensee's facilities. This includes access control systems, physical intrusion detection and alarm systems, video camera monitoring systems, digital video recorders, door alarms, motion sensors, keycard readers, and biometric scanners; 2) equipment and devices with software-based control, operation, and automation features, such as panoramic irradiators and stereotactic radiosurgery devices; 3) computers/systems used to maintain source inventories, audit data, and records necessary for compliance with security requirements and regulations; and 4) digital technology used to support incident response communications/coordination such as digital packet radio systems, digital repeater stations, and digital trunk radio systems.