USACM Calls For Stronger Cybersecurity In Power Plants

By Cameron
March 21, 2005

In a letter to the Nuclear Regulatory Commission (NRC), USACM advocates for stronger cybersecurity in power plants across the nation. The letter points out the critical role of computer-controlled safety systems in today’s power plants and the importance of securing these systems:

“Cybersecurity experts often cite the importance of supervisory control and data acquisition (SCADA) systems and other computer-mediated and controlled systems. Exploitation of vulnerabilities in these systems could have catastrophic effects. Threats to such systems come not only from individuals bent on terrorism or other mischief, but also from subtler sources such as lack of secure design, programming and implementation errors, and human factor issues.”

“In seeking to update the almost decade-old guidance you recognize that protecting computer systems is a crucial component of securing our nation’s critical infrastructure. Taking proactive, standards-based steps toward securing computer systems is a necessary and worthwhile process – one long advocated by cybersecurity experts and USACM.”

Late last year, the NRC proposed a draft regulatory guide that would establish voluntary standards for the use of computers in safety systems of nuclear power plants and asked for public comment. The guide spells out its broad goals:

Computer-based systems must be secure from electronic vulnerabilities, as well as from physical vulnerabilities, which have been well addressed. Security of computer-based system software relates to the ability to prevent unauthorized, undesirable, and unsafe intrusions throughout the life cycle of the safety system.

The draft proposal mentions that the standards are based on accepted IEEE standards. There is some contention, however. As SecurityFocus reported, industry argued in comments before the Commission that the proposal was overly regulatory:

“Capri Technology, a small California firm that builds specialized systems and software for nuclear plants, calls the regulations ‘premature,’ and says the proposal could deter plant operators from installing new digital safety systems entirely.

“‘The NRC tries to promote the use of digital technology in the nuclear power industry on the one hand, but then over-prescribes what is needed when a digital safety system is proposed,’ wrote company president William Petrick, in comments filed with the commission.”

USACM’s letter takes a different tack, noting that the goals of this guidance are worthy and that the NRC should look toward making the practices mandatory.

USACM’s letter also follows comments by Patrick Wood III, Commissioner of the Federal Electric Regulatory Commission, that industry is not doing enough to secure against cyber-based attacks.