The Nuclear Energy Institute (NEI), in support of the US nuclear utilities, has filed a request for rulemaking with the Nuclear Regulatory Commission (NRC) to modify the nuclear plant cyber security rule (www.nrc.gov, Docket ID NRC-2014-0165). The gist of the draft rulemaking is that NEI and the nuclear utilities feel the NRC is making the industry spend too much money by looking at too many of the systems and components in a nuclear power plant.
In today’s environment, with nuclear plants being prime cyber targets, industry should be looking at more, not less. New ICS cyber vulnerabilities that affect control systems, including those used in nuclear power plants, are being identified seemingly every week. The Chinese, Russians, Iranians, etc. continue to cyber attack our infrastructures - nuclear plants are certainly on their list of targets. DHS is holding cleared briefings on Havex and BlackEnergy, which can affect control system HMIs in nuclear plants.
The NEI petition keeps the following in the existing rule – systems and components necessary to:
- “…prevent significant core damage and spent fuel sabotage; or
- Whose failure would cause a reactor scram.”
However, the petition wants to explicitly exclude the following categories in the existing rule:
- “safety-related and important-to-safety functions,
- security functions,
- emergency preparedness functions, including off-site communications,
- and support systems and equipment, which if compromised, would adversely impact safety, security, or emergency preparedness functions.”
The perception is that the nuclear utilities want to reduce cyber security, not increase it. Considering that the categories they want to exclude have already contributed to core melt and nuclear plant scrams, and that there is so much focus on cyber security, why are NEI and the utilities doing this now?