Despite the potentially devastating effects of a release of radioactive material, the nuclear sector is generally regarded as well-secured. The Nuclear Regulatory Commission oversees the industry, which has been working from a cybersecurity plan since 2009 that is making speedy progress.
"We started something with Nuclear Regulatory Commission direction, we called it a cyber roadmap, said Brian Holian, director of the NRC's Office of Nuclear Security and Incident Response. "In 2009, we finalized a cybersecurity rule for the nuclear power plants to follow. In 2012, we completed inspections of those or started inspections of those. The first cycle of equipment was done and inspected at all 60-some sites by 2015."
Special Multimedia Report
The NRC regulates nuclear power plants, fuel cycle facilities and medical and industrial uses of radioactive material.
"Eventually all those industries that we regulate will have cyber controls applied to them," he said.
The NRC does a lot of its work through information-sharing in coordination with other federal agencies, but the cyber rule is a requirement.
"A lot of times the industry will say 'we can do voluntary initiatives,' but I think it was very important for us—and them, really—to have a set of requirements that they need to follow," he said. "We also followed up just last year with another rule called the cyber event notification. We wanted to know when their systems are being challenged."
As frightening as the images of nuclear meltdowns are, it would be very difficult for a hacker operating hundreds or thousands of miles away to cause such a thing. A more likely scenario is one in which an attacker takes a plant offline, preventing it from generating electricity and darkening part of the power grid.
Bill Gross, a senior project manager at the Nuclear Energy Institute, described the systems within a nuclear power plant as falling into two broad categories.
Primary systems are those that control the reactor itself, and are designed to shut down the reactor and maintain it in a safe condition when needed to protect it. Primary systems provide core cooling and other essential functions in the reactor's operation. Secondary systems manage the steam generated by a nuclear reaction, which is ultimately what generates electricity at the plant.
"The primary systems within a nuclear power plant are designed from the ground up to be able to perform their intended safety function irrespective of any type of natural or manmade phenomenon," he said. "There is not a cyberattack that could prevent our safety systems from effectively shutting the reactor down."
The primary and secondary systems in nuclear plants are isolated from each other for greater protection, he said.
"We use a lot of digital technologies on the secondary side for controlling the power generation equipment," said Gross. "All of that equipment has been isolated from outside networks, including local plant networks, using hardware-based isolation devices that preclude the ability from an attack outside the plant to propagate into the plant through any type of network."
In a sense, the fact that many nuclear plants run on older technology protects them from cyber threats, Holian and Gross said. The industrial controls that manage their operations are largely analog systems unconnected to a network. However, that is soon to change.
"The majority of the fleet was built many years ago, and analog equipment is less susceptible [to remote attacks] than digital equipment," Holian said. "However, analog equipment, as you know from common uses in America, [is] quickly being replaced by digital equipment."
Despite the greater vulnerability, digital equipment has some advantages. It is quicker to react, making its use in control systems important for greater overall safety. Many existing plants are retrofitting their old control systems with digital, and new plants coming soon will be digitally controlled from the start.
Gross and Holian noted that changing technology won't change the regulatory safety requirements. Four nuclear plants under construction now are all digital, in both primary and secondary systems.
New plants have to meet the same design requirements as older plants, he said. "Even if you were to use a digital safety related system, you'd have to be able to demonstrate to the NRC that that system could perform under all reasonably postulated accident scenarios, and we would do the same protective measures that we have in place."
"The rule covers new plants also," Holian said. "So the fact that they're going to have more digital assets means they'll have more critical components to look at, and still apply the same controls. So it'll be more for a plant to do. They'll benefit by having the efficiencies of the digital assets. … he good part of that is the plants that are being built now, even the suppliers are looking at the rules that are already in place and designing to accommodate that. So that's the good aspect of that."