Russian Cyber Attacks Call for Stringent Security Standards at US Nuclear Plants, But Plant Owners Want Them Weakened

Statement by Edwin Lyman, Union of Concerned Scientists

Published Mar 16, 2018

WASHINGTON (March 16, 2018)—Yesterday, the Department of Homeland Security and the Federal Bureau of Investigation officially confirmed that Russian hackers have been targeting US nuclear power plants and other critical facilities since at least 2016. Regardless, the US nuclear industry has been pressuring the Nuclear Regulatory Commission to relax its cyber security standards.

Below is a statement by Edwin Lyman, a senior scientist at the Union of Concerned Scientists.

“The Department of Homeland Security alert is a stark reminder that nuclear power plants are tempting targets for cyber attackers. Although the systems that control the most critical safety equipment at US nuclear plants are analog-based and largely immune to cyber attacks, many other plant systems with important safety and security functions are digital and could be compromised. For instance, electronic locks, alarms, closed-circuit television cameras, and communications equipment essential for plant security could be disabled or reprogrammed. And some plants have equipment, such as cranes that move highly radioactive spent fuel, that utilize computer-based control systems that could be manipulated to cause an accident.

“Reports that the recent attacks on nuclear power plants were limited to their administrative systems and did not affect systems that have direct safety and security functions are not cause for complacency. Sophisticated cyber intruders could access administrative systems to obtain—or plant—compromising information to coerce key personnel to assist in a damaging attack.

“Therefore, the nuclear industry’s petition to limit the scope of Nuclear Regulatory Commission cyber-protection safeguards to only those systems with a direct impact on safety is foolhardy at best and, at worst, downright dangerous. The NRC has been deliberating over the industry’s ill-conceived proposal for nearly four years. In light of the growing cyber threat to nuclear plants highlighted by yesterday’s alert, the agency should now simply reject it.”