Most organizations with industrial control systems (ICS) fall into one of two categories: regulated and non-regulated. For those subject to government-imposed regulatory requirements, the selection of a cybersecurity framework is obviously compelling. Such is the case with the nuclear energy industry and NEI 08-09.

The nuclear energy industry is one of the safest industries. It is protected by multiple back-up safety systems, robust physical defenses and plant security forces with rigorous training. Since the September 11 terrorist attacks, the industry has continued to improve its safety systems to prepare for emerging threats such as the impact from a wide-bodied commercial airliner and cyber attacks on critical operational systems. Each U.S. nuclear power plant is equipped with extensive security measures to protect the facility from intruders and to protect the public from the possibility of exposure to radioactive releases caused by acts of sabotage. The U.S. Nuclear Regulatory Commission (NRC) calls nuclear power plants “among the best-protected private sector facilities in the nation.”

The Rule: 10 CFR 73.54

The nuclear sector has a long history of addressing cybersecurity issues. In 1997, through the Nuclear Energy Institute (NEI), the industry began looking at potential issues associated with the increasing use of digital technologies at power reactors. At that time, there was a concern regarding the potential impacts associated with the change in millennia—referred to then as the “Y2K” issue.

In response to the increasing threat of cyber-related attacks, the NRC amended its design basis threat requirements in 2007 to include a cyber attack as an attribute of the adversary. The NRC describes a cyber attack as:

The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer