While concerns about global cyber security threats may seem relatively new, the U.S. Nuclear Regulatory Commission (NRC) has been requiring the nuclear power industry to address such threats for more than 15 years. The NRC considers regulation of the cyber security of our nation’s nuclear power plants as one of its critical responsibilities and crucial to meeting its mission of protecting public health and safety.
The nuclear power industry has been required to address cyber security concerns since 2002, when the NRC included the first cyber requirements in its physical security and design basis threat orders. The NRC later published the cyber security rule (10 CFR 73.54) in 2009. The rule was implemented in a two-phased approach to address the challenging task of applying security controls to an architecture with a mix of Information Technology (IT) and Operational Technology (OT). In most cases, these OT systems had been installed for decades and, unlike traditional IT infrastructure, were designed with safety but not security in mind. In addition, they were designed to last, which presented a unique challenge for nuclear power plant operators: the systems cannot simply be replaced or patched on an IT refresh cycle. Based on NRC requirements, the industry needed to come up with a model for addressing these challenges and protecting its digital assets. Assessing and protecting legacy OT systems is arguably more complex than building a new security architecture from the ground up. Fortunately, the nuclear industry had decades of experience in physical security and safety culture that could be leveraged.
The first implementation phase included controls for the most significant plant systems and for key attack pathways, such as portable media and wireless connections. These controls were in place by the end of 2012, and the NRC inspected the initial implementation over the following three years. The second phase required implementation of all aspects of the program, including controls for a greater number of digital systems and programs addressing a number of areas, including configuration management, vulnerability management, and supply chain. These activities were completed in 2017 for most nuclear power plants.
In my years of overseeing and participating in cyber security inspections at nuclear power plants across the country, I have seen what makes cyber security programs successful. In simple terms, I consider the following cornerstones to play a vital role in creating a successful cyber security program.
1. Safety culture: A safety culture is an environment where everyone at the workplace takes cyber security practices seriously. For the program to be effective, leadership must be fully supportive of cyber security awareness training and should take an active role in championing its initiatives.
2. Assessment of assets: Understanding which systems are important to the organization's functions and building an infrastructure that best supports those functions are good first steps to building a program, but this process must be ongoing, because systems are constantly being updated and configurations change.
3. Assessment of vulnerabilities: Whether it is keeping up with the latest public vulnerabilities and patching systems, or testing changes in a virtual environment before deploying them to a production system, applying due diligence makes all the difference.
4. Vendor relationships and product training: Today's global supply chain adds further layers of complexity to what is already difficult to manage. Like Swiss cheese, each system and service acquisition creates potential holes in an already dynamic defensive infrastructure. To mitigate these risks, strong relationships with vendors and a thorough understanding of their products and services should be maintained throughout the product life cycle.
5. People and knowledge: Hiring and retaining the best talent an organization can afford is vital for the implementation and sustainability of its cyber security program. Competent security staff directly determine the quality of training, assessments, and risk management. When it comes to brain power, there is no substitute for competence.
When I think about what makes anything successful, it always starts and ends with people. As technology changes at an accelerating pace and system life cycles get shorter, we need to constantly focus on people, programs, and processes to overcome evolving cyber security challenges.