We’re frequently asked how nuclear power plants are protected from those who try to break into computer systems without authorized access – often for malicious purposes.
Perhaps the most important thing to recognize is that nuclear power plants and their computer systems were designed before the days of internet cafes and wireless connections. So there is no connection to the internet and thus no way for a hacker from the outside to get at the safety-related computer systems of the plants. Even the digital control systems installed in some plants more recently have no connection to the ‘net.
And while nuclear power plants were designed to feed electricity to the power grid, they were also isolated in ways to protect them from any potential negative effects that could come from the grid.
After the terrorist attacks of September 11, 2001, cyber security quickly became a major focus of U.S. government activities. The NRC was no exception. We took immediate steps – through orders — to ensure that computer systems used to operate nuclear power plants were not accessible even by “insiders” who could attack the cyber systems directly from within the plant.
Later, the NRC went even further with a new regulation that required all the nuclear power plants to have a cyber security plan and a timeframe for implementing protections of those key systems related to safety, security and emergency preparedness functions.
In addition any power company seeking to build a new nuclear power plant will need to include a cyber-security plan as part of their application to the NRC.
The NRC has its own cyber security experts on staff and works closely with other federal experts, including U.S. Cert – the U.S. Cyber Emergency Readiness Team – to monitor what’s happening in cyber space here and around the world, and to take actions if necessary to protect the vital systems in nuclear power plants.
The Seventh Annual GFIRST National Conference is being held at the Gaylord Opryland Hotel and Convention Center in Nashville, TN from August 7 – 12, 2011. The conference is open to all interested in learning more about cybersecurity and incident response.