Cyber-Security Initiative for Fuel Cycle Facilities
Among its regulatory initiatives related to Domestic Safeguards, the U.S. Nuclear Regulatory Commission (NRC) is reviewing cyber-security programs at fuel cycle facilities (FCFs). In the wake of the terrorist attacks on September 11, 2001, the NRC issued a series of Security Orders (“Orders”), requiring FCF licensees to take additional security measures, including protection of digital systems and networks against cyber threats. As modern society has increased its reliance on digital systems to carry out functions that support commerce, industry, academia, medicine, and government, the threats to these systems have substantially increased since the issuance of these Orders. Cyber threats to NRC licensees are dynamic and multidimensional, because of the continuously evolving capabilities of potential adversaries and emerging technologies. Potential adversaries run the gamut from nation-state actors to individuals (i.e., “hacktivists”). In addition, recent threats against international nuclear facilities (e.g., Stuxnet, Duqu, and Flame) are evidence of malware specifically targeting control systems that operate industrial facilities.
As a result of these recent incidents, and building on the success achieved with cyber-security regulatory programs for nuclear power reactors and the emerging cyber threat, the NRC felt compelled to establish a special working group to review cyber security programs at FCFs.
For more information, please see the following topics on this page:
In 2011, the NRC formed an FCF Cyber-Security Working Group, comprising staff members from the NRC’s Office of Nuclear Material Safety and Safeguards (NMSS) and Office of Nuclear Security and Incident Response (NSIR). The purpose of the working group is to review cyber-security programs at FCFs to determine what measures are in place to protect critical digital systems from cyber attacks, and whether the NRC needs to take any additional action to requiring FCFs to strengthen their programs. The evaluations specifically considered digital systems performing, supporting, or associated with critical functions, in areas such as safety, important-to-safety, security, emergency preparedness, information security, and materials control and accountability.
To support this initiative, the working group asked certain FCFs to answer a questionnaire, conducted four site visits, analyzed the information gathered during the site visits and the licensee’s responses to the questionnaire, and issued a final report on February 25, 2012. Since issuance of the final report the NRC has been working with industry to gain more of an understanding of licensee’s protective measures related to cyber security and intrusions into their networks, as well as discussing impacts and timelines for adopting any new potential cyber security requirements. As a result of the findings in our report and our continued discussions with the industry, the NRC is taking the following steps to strengthen cyber security programs at the FCFs:
- Short-Term Actions: NRC working group is preparing a Commission (SECY) paper in 2013, to provide the Commissions for consideration options to address cyber security at FCFs that include permission to issue Security Orders ("Orders") and a guidance document, to fuel cycle licensees, to require them to adopt certain measures to strengthen their cyber security programs; the SECY paper will also seek permission to pursue rulemaking (see Long-Term Actions below). Additionally, the working group performed cyber security threat briefs (closed to the public due to sharing of sensitive information) with FCFs in 2012 and 2013, to elaborate on potential cyber threats and to demonstrate impacts to digital systems from a cyber event [e.g., cyber security workshop held at the Center for Advanced Engineering Research (CAER) in Forest, VA, on May 30. 2013].
- Mid-Term Actions: Work with the US Department of Energy to better understand their security requirements for classified computer networks and supplement to their regulations, as necessary, for those FCFs that utilize such networks.
- Long-Term Actions: Submit a Commission (SECY) paper in 2013 to seek permission to initiate the rulemaking process using a graded, risk-informed approach to formalize and strengthen FCF cyber-security programs.
The NRC has a long-standing practice of conducting its regulatory responsibilities in an open manner. For that reason, the NRC is committed to informing the public about its regulatory, licensing, and oversight activities, and providing opportunities for the public to participate in the agency’s decision-making process.
For general information about the available opportunities for public involvement in NRC activities, see Public Meetings and Involvement, Hearing Opportunities and License Applications, and NUREG/BR-0215, "Public Involvement in the Regulatory Process." For more specific information about public meetings that the NRC staff has conducted in connection with the cyber-security initiative for FCFs, please see Public Meetings and Materials, below. For other security-related meetings, please see Public Meetings on Nuclear Security and Safeguards.
Public Meetings and Materials
The NRC holds public meetings to discuss agency activities related to the cyber-security initiative for fuel cycle facilities. Materials associated with these meetings are available below. If you have any questions about our public meetings and materials, please Contact Us.
|June 12–13, 2012||
7th Annual Fuel Cycle Information Exchange (FCIX) Public Meeting (Rockville, MD)
|May 30, 2013||
NRC Fuel Cycle Facility Cyber Threat Conference (Forest, VA)