United States Nuclear Regulatory Commission - Protecting People and the Environment
Home > Nuclear Security and Safeguards > Domestic Safeguards > Physical Protection > Regulatory Initiatives > Cyber-Security Initiative for Fuel Cycle Facilities

Cyber-Security Initiative for Fuel Cycle Facilities

Among its regulatory initiatives related to Domestic Safeguards, the U.S. Nuclear Regulatory Commission (NRC) is reviewing cyber-security programs at fuel cycle facilities (FCFs). In the wake of the terrorist attacks on September 11, 2001, the NRC issued a series of Security Orders (“Orders”), requiring FCF licensees to take additional security measures, including protection of digital systems and networks against cyber threats. As modern society has increased its reliance on digital systems to carry out functions that support commerce, industry, academia, medicine, and government, the threats to these systems have substantially increased since the issuance of these Orders. Cyber threats to NRC licensees are dynamic and multidimensional, because of the continuously evolving capabilities of potential adversaries and emerging technologies. Potential adversaries run the gamut from nation-state actors to individuals (i.e., “hacktivists”). In addition, recent threats against international nuclear facilities (e.g., Stuxnet, Duqu, and Flame) are evidence of malware specifically targeting control systems that operate industrial facilities.

As a result of these recent incidents, and building on the success achieved with cyber-security regulatory programs for nuclear power reactors and the emerging cyber threat, the NRC felt compelled to establish a special working group to review cyber security programs at FCFs.

For more information, please see the following topics on this page:

Background

In 2011, the NRC formed an FCF Cyber-Security Working Group, comprising staff members from the NRC’s Office of Nuclear Material Safety and Safeguards (NMSS) and Office of Nuclear Security and Incident Response (NSIR). The purpose of the working group is to review cyber-security programs at FCFs to determine what measures are in place to protect critical digital systems from cyber attacks, and whether the NRC needs to take any additional action to requiring FCFs to strengthen their programs. The evaluations specifically considered digital systems performing, supporting, or associated with critical functions, in areas such as safety, important-to-safety, security, emergency preparedness, information security, and materials control and accountability.

To support this initiative, the working group asked certain FCFs to answer a questionnaire, conducted four site visits, analyzed the information gathered during the site visits and the licensee’s responses to the questionnaire, and issued a final report on February 25, 2012. Since issuance of the final report the NRC has been working with industry to gain more of an understanding of licensee’s protective measures related to cyber security and intrusions into their networks, as well as discussing impacts and timelines for adopting any new potential cyber security requirements. As a result of the findings in our report and our continued discussions with the industry, the NRC is taking the following steps to strengthen cyber security programs at the FCFs:

  • Short-Term Actions: NRC working group is preparing a Commission (SECY) paper in 2013, to provide the Commissions for consideration options to address cyber security at FCFs that include permission to issue Security Orders ("Orders") and a guidance document, to fuel cycle licensees, to require them to adopt certain measures to strengthen their cyber security programs; the SECY paper will also seek permission to pursue rulemaking (see Long-Term Actions below). Additionally, the working group performed cyber security threat briefs (closed to the public due to sharing of sensitive information) with FCFs in 2012 and 2013, to elaborate on potential cyber threats and to demonstrate impacts to digital systems from a cyber event [e.g., cyber security workshop held at the Center for Advanced Engineering Research (CAER) in Forest, VA, on May 30. 2013].  
  • Mid-Term Actions: Work with the US Department of Energy to better understand their security requirements for classified computer networks and supplement to their regulations, as necessary, for those FCFs that utilize such networks.
  • Long-Term Actions: Submit a Commission (SECY) paper in 2013 to seek permission to initiate the rulemaking process using a graded, risk-informed approach to formalize and strengthen FCF cyber-security programs.

To top of page

Public Involvement

The NRC has a long-standing practice of conducting its regulatory responsibilities in an open manner. For that reason, the NRC is committed to informing the public about its regulatory, licensing, and oversight activities, and providing opportunities for the public to participate in the agency’s decision-making process.

For general information about the available opportunities for public involvement in NRC activities, see Public Meetings and Involvement, Hearing Opportunities and License Applications, and NUREG/BR-0215, "Public Involvement in the Regulatory Process." For more specific information about public meetings that the NRC staff has conducted in connection with the cyber-security initiative for FCFs, please see Public Meetings and Materials, below. For other security-related meetings, please see Public Meetings on Nuclear Security and Safeguards.

To top of page

Public Meetings and Materials

The NRC holds public meetings to discuss agency activities related to the cyber-security initiative for fuel cycle facilities. Materials associated with these meetings are available below. If you have any questions about our public meetings and materials, please Contact Us.

Date Description
June 12–13, 2012

7th Annual Fuel Cycle Information Exchange (FCIX) Public Meeting (Rockville, MD)

May 30, 2013

NRC Fuel Cycle Facility Cyber Threat Conference (Forest, VA)

To top of page

Page Last Reviewed/Updated Wednesday, November 06, 2013