While designing a nuclear power plant, the safety of the power site contains two types of it, protecting the power plant from the natural disasters such as earthquake and tsunami, and also from a man-made attack. Recently, the Chairman of IAEA Yukiya Amano cited that nuclear power plants have been targeted by hackers ever since three years ago. Just as many other industrial control system, the cyber-controlling system at nuclear power plant is very easy to be the attack target. David-Besse Nuclear Power Plant in Ohio and Brown Ferry Nuclear Power Plant in Alabama were both affected by internet virus before. The nuclear energy industry began addressing cyber security more comprehensively after previous terrorist attacks.
The most effective way is to isolate the security system at nuclear energy facilities from the internet. Isolated key control systems using either air gaps, which do not implement any network or internet connectivity, or installed robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems. As a result, key safety, security and power generation equipment at the plants are protected from any network-based cyber attacks originating outside the plant.
Another approach is enhanced and implemented strict controls over the use of portable media and equipment. Where devices like thumb drives, compact disks and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include authorizing use of portable assets to the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well protected from attacks which was propagated through the use of portable media.
Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.
The cyber protection measures of nuclear power palnt include maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment. The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.
As in the U.S. Nuclear Regulatory Commission (NRC) has extensive regulations in place that are closely monitored and regularly inspected to ensure cyber security at nuclear power plants. The NRC Cyber Security Directorate provides centralized oversight for this important area. In China, for example, after more than 10 years updating, a completed cyber security system was established in Daya Bay Nuclear Power Plant, which contains an independent access port and firewall system.
With the increasing concern on the cyber security, it will also become a topic of the 5th edition of Asia Nuclear Business Platform next May. For more information on this industry gathering, email [email protected]