Thursday 16 January 2014

Literature Review: Nuclear Power Plant Security and Vulnerabilities

Another good article, "Nuclear Power Plant Security and Vulnerabilities", published by Mark Holt and Anthony Andrews at the Congressional Research Center, 3 January 2014:

Summary:
  • The Energy Policy Act of 2005 (EPACT05) imposed specific criteria for NRC to consider in revising the “Design Basis Threat” (DBT). EPACT05 required NRC to conduct “force-on-force” security exercises at nuclear power plants at least once every three years. When NRC conducted 23 “force-on-force” (FOF) inspections at 22 commercial nuclear plants and one fuel cycle facility in 2012, eleven of those inspections found performance deficiencies: 19 with low significance (green findings), one with a “greater than green” finding, and three severity level IV (least serious) violations.
  • Following the 9/11 attacks, Congress enacted new nuclear plant security requirements and has repeatedly focused attention on regulation and enforcement by the Nuclear Regulatory Commission (NRC).
  • The Energy Policy Act of 2005 (EPACT05) imposed specific criteria for NRC to consider in revising the “Design Basis Threat” (DBT), which specifies the maximum severity of potential attacks that a nuclear plant’s security force must be capable of repelling. In response, the NRC revised the DBT on April 18, 2007. The revisions expanded the assumed capabilities of adversaries to operate as one or more teams and attack from multiple entry points.
  • EPACT05 required NRC to conduct “force-on-force” security exercises at nuclear power plants at least once every three years. In these exercises, a mock adversary force from outside a nuclear plant attempts to penetrate the plant’s vital area and simulate damage to a “target set” of key safety components.
  • In March 2009, NRC published a series of security regulations that require power plants to prepare cyber-security plans, develop strategies for dealing with the effects of aircraft crashes, strengthen access controls, improve training for security personnel, and implement other new security measures.
  • In 2012, NRC conducted 23 “force-on-force” (FOF) inspections at 22 commercial nuclear plants and one fuel cycle facility. Eleven of those inspections found performance deficiencies: 19 with low significance (green findings), one with a “greater than green” finding, and three severity level IV (least serious) violations. One exercise resulted in the simulated destruction of or damage to a complete “target set” of vital plant components that were under mock attack.
  • Nuclear power plant vulnerability to deliberate aircraft crashes has been a continuing issue. After much consideration, NRC published final rules on June 12, 2009, to require all new nuclear power plants to incorporate design features that would ensure that, in the event of a crash by a large commercial aircraft, the reactor core would remain cool or the reactor containment would remain intact.
  • Cybersecurity – existing U.S. nuclear power reactors, designed in the 1960s and 1970s, are controlled primarily by analog systems that are resistant to cyber attack. However, new reactors are being designed with digital controls, and existing analog plants increasingly rely on digital computers to run auxiliary monitoring systems. This increasing use of digital systems in nuclear power plants, along with post-9/11 security concerns and at least one “worm” infection at a US reactor, has prompted increased NRC attention to cybersecurity.
  • A year after the 9/11 attacks, NRC issued an order that included cyber attacks among the threats that nuclear plants would be required to defend against. NRC issued formal cybersecurity regulations in March 2009: “Protection of Digital Computer and Communications Systems and Networks.” NRC’s cybersecurity regulations require each nuclear power plant to submit a cybersecurity plan and implementation schedule. The plan must provide “high assurance” that digital computer and communications systems that perform the following functions will provide adequate protection against design basis attacks.
  • NRC began inspecting the implementation of nuclear plant cybersecurity plans in January 2013. The inspections are part of the NRC’s Cyber Security Oversight Program, which is being incorporated into the existing Reactor Oversight Program.
  • Nuclear power plants are also required by the Federal Energy Regulatory Commission (FERC) to comply with cybersecurity standards issued by the North American Electric Reliability Corporation (NERC). However, nuclear plant computer systems that are covered by NRC security regulations are exempt from NERC standards.
