I wanted to begin this blog with a bit of background. I am a nuclear engineer. I was under contract to US DOE's Pacific Northwest National Laboratory to help review the US Nuclear Regulatory Commission's (NRC) Regulatory Guide on nuclear plant cyber security. I have reviewed the International Atomic Energy Agency (IAEA) nuclear plant cyber security guide. And, I am the Managing Director of the International Society of Automation (ISA) Nuclear Plant Standards.
There have been significant discussions in Congress and the Executive Branch about voluntary information sharing by the critical infrastructures. A concern has been the willingness of end users to share information. Nuclear plants are required to meet NRC cybersecurity guidelines. The nuclear plant guidelines are based on Regulatory (Reg) Guide 5.71.
Why are these two apparently disconnected thoughts in the same paragraph? It turns out an international utility has performed what I believe to be the most comprehensive technical ICS cyber assessment of any industrial facility by an independent third party (I was tasked by the third party and the utility to do an independent review of the assessment report). The utility requested the additional assessment to identify potential Stuxnet vulnerabilities that may have been overlooked by a less rigorous assessment. The utility wanted to share with industry why they did this additional detailed assessment at the ICS Cyber Security Conference (www.icscybersecurityconference.com). However, their plant designer and control system supplier are pressuring the utility not to share this information. Consequently, the presentation will not be made and this critical information will not be shared. To me, this is disconcerting for two reasons:
- The information developed in this international plant applies to US nuclear plants.
- This establishes a precedent where information sharing of an end-user's own facility can be blocked if a vendor feels it could affect their position in the marketplace.
The international utility has already provided the cyber security report to their nuclear regulator. Consequently, I believe the technical results from the rigorous assessment effectively paint the NRC into a corner. By going beyond the requirements in Reg Guide 5.71, the international utility found cyber vulnerabilities they would not have found if they had not done such a rigorous assessment. As best as I can tell, all US nuclear plants have submitted documentation to meet NEI 08-09, which is even less rigorous than Reg Guide 5.71. The question is: how can the NRC allow US nuclear plants to meet a security requirement that has been demonstrated to be inadequate to identify critical cyber vulnerabilities? It also raises the question of how the NRC can allow an operating nuclear plant to have its new digital safety system licensed when it uses the same systems that were compromised by Stuxnet.
It should also be noted that this blocking of information sharing has prevented Ralph Langner from speaking on the cyber vulnerability of high-value targets. I will now be modifying the conference agenda to discuss information sharing issues.
As I keep saying, the system is broken.