NRC Approves Oyster Creek's Cyber-Security Plan

The Nuclear Regulatory Commission (NRC) recently approved the cyber-security plan for Oyster Creek Generating Station.

Nuclear power plants use digital and analog systems to monitor and operate equipment. The security plan would ensure that servers operated on site are properly protected against hackers, viruses and other threats, said Neil Sheehan, spokesperson for the NRC.

“A (cyber-security plan) is essentially the security plan that each nuclear plant has to follow to show that the computer and IP systems they use are completely secure and safe and set up with public safety in mind,” said Suzanne D’Ambrosio, spokesperson for Oyster Creek.

According to the NRC’s license amendment, the plan provides “high assurance that digital computer and communication systems and networks … are adequately protected against cyber attacks up to and including the DBT (Design Basis Threat).”

Each plant is required to provide the NRC with a description of their defensive model and protective strategy, security controls, process for addressing each security control, commitment to maintain the cyber-security program, and documentation that supports NRC inspection activities, Sheehan said.

“Essentially we need to have a plan in place that absolutely protects the integrity of the plant and the safety of the public with regard to the computer and IP systems,” D’Ambrosio said. “Like every other industry in the country, it’s vital that companies protect their computer infrastructure. Even more so at a nuclear power plant.”

The plan covers a variety of areas including security functions; emergency preparedness functions, including off-site communications; and support systems and equipment which, if compromised, would adversely impact SSEP (Safety, Security and Emergency Preparedness) functions, Sheehan said.

After reviewing Oyster Creek’s cyber-security plan, the NRC concluded that the power plant complies with the standards and requirements of the Atomic Energy Act of 1954 and the Ccommission's rules and regulations.

The NRC has been encouraging the enhancement of cyber security at nuclear power plants for several years.

In 2001, shortly after 9/11, the NRC issued an advisory to power plants regarding the need to enhance cyber security. They also issued a guidance document to nuclear power plants on cyber security self-assessment methods in 2004.

Nuclear Power plants were required under a cyber-security rule implemented by the NRC in 2009 to identify critical digital assets, establish a defensive architecture to protect these assets and apply security controls to these assets.

Plans were submitted to the NRC by Nov. 23, 2009. Upon requesting additional information, revised plans were submitted in July and August of 2010.

The NRC reviewed the plans and prepared a Safety Evaluation Report for each nuclear power plant.

For more information on the NRC’s regulations for cyber-security plnas, click here.

For a copy of the NRC's report on the plans for nuclear power plants throughout the state, see the attached .pdf.