Establishing and maintaining effective cybersecurity is an ever-growing challenge across the nation. As our society becomes more and more dependent on information technology (IT), our nation’s critical infrastructure – such as energy and nuclear reactors, materials, and waste – depends on IT systems to carry out operations and process essential data. Digital systems are increasingly used in nuclear power plants to maximize productivity. In response to the cybersecurity challenges facing nuclear power plants, the Nuclear Regulatory Commission (NRC) has taken actions such as implementing infrastructure changes, enhancing interagency interfaces, performing enhanced inspections, and developing a cybersecurity roadmap.

Cybersecurity Infrastructure Changes and Interagency Interfaces

Following the terrorist attacks of September 11, 2001, the NRC issued a series of security advisories and orders requiring nuclear power plants to take actions to enhance the protection of certain computer systems. In March 2009, the NRC issued Title 10 of the Code of Federal Regulations (10 CFR) 73.54, “Protection of Digital Computer and Communication Systems and Networks,” requiring operating nuclear power plant licensees and license applicants to ensure that digital computer and communication systems associated with a nuclear power plant’s safety, security, and emergency preparedness functions are protected from cyberattacks. As a result, computer systems at operating power plants that monitor and control safety systems and help the reactor operate are isolated from external communications. Security systems that provide safeguards of the facility are also isolated from external communications, including the Internet.

In January 2010, the NRC issued guidance on implementing the requirements of 10 CFR 73.54, in Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities.” Later that year, the Nuclear Energy Institute (NEI) also published implementing guidance in NEI 08-09, “Cyber Security Plan for Nuclear Power Plants” (and in 2018, an addendum). These documents provide information to aid licensees in developing cybersecurity plans.

In 2013, the NRC’s Office of Nuclear Security and Incident Response established a Cyber Security Branch (CSB) to strengthen internal governance of the agency’s regulatory activities. The CSB plans, coordinates, and manages agency activities related to cybersecurity for NRC applicants and licensees, such as security program development and policy enhancements, to prevent malevolent cyber acts against NRC-licensed facilities. The CSB’s cybersecurity-related responsibilities include developing rules and guidance, reviewing licensing actions, developing policy enhancements, and overseeing NRC-licensed facilities.

The NRC regularly monitors the threats associated with cybersecurity, including potential threats against NRC-licensed facilities. Within the CSB there is a cyber assessment team that assesses real-world cyber events at NRC-licensed facilities. The team evaluates whether an identified threat could impact licensed facilities and makes recommendations for NRC actions and communications to the licensees. Furthermore, the NRC has established liaison relationships with the intelligence and law enforcement communities to include the National Counterterrorism Center, the Department of Homeland Security’s U.S. Computer Emergency Response Team, and the Federal Bureau of Investigation.

The NRC also participates with other government regulators on the Cybersecurity Forum for Independent and Executive Branch Regulators (the Forum). The NRC Chairman served as the first Chair of the Forum and, in September 2016, turned the Chair over to the Federal Communications Commission. The purpose of the Forum is to increase the overall effectiveness and consistency of regulatory authorities’ cybersecurity efforts pertaining to U.S. critical infrastructure. The Forum enhances communication among regulatory agencies, regulated entities, and other organizations by sharing best practices and gathering expertise in this rapidly changing field, including areas of cybersecurity risk assessment, information sharing, and both voluntary and regulatory approaches to cybersecurity.

Cybersecurity Inspection Milestones

Applicable NRC licensees were inspected on a rolling basis through seven milestones as shown below. Since 2015, regional cybersecurity inspectors and the CSB have been conducting full implementation inspections to ensure that licensees are in compliance with 10 CFR 73.54 and licensing basis commitments such as their approved cybersecurity plans. Additional information regarding the full implementation inspections can be found in the NRC’s Office of the Inspector General’s 2019 report, OIG‑19‑A‑13, “Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants.”

Cybersecurity Roadmap

In June 2012, the staff transmitted to the Commission SECY-12-0088, “The Nuclear Regulatory Commission Cyber Security Roadmap.” This document laid out a graded approach for implementation of the NRC’s cybersecurity requirements for power plant licensees and communicated the staff’s approach to evaluating the need for cybersecurity requirements for other NRC-licensed facilities. In February 2017, the staff transmitted SECY‑17‑0034, “Update to the U.S. Nuclear Regulatory Commission Cyber Security Roadmap.” This paper provided an update on the implementation of cybersecurity requirements for power plant licensees as well as for other NRC-licensed facilities and decommissioning reactors. The continued implementation of the roadmap will help (1) ensure that appropriate levels of cybersecurity actions are implemented in a timely and efficient manner at all NRC and Agreement State licensed facilities, and (2) identify any needed improvements.