Nuclear power plants across the U.S. will complete the full implementation of their security programs by the end of the year in order to comply with regulations set by the Nuclear Regulatory Commission (NRC) to protect against cyberattacks.
This implementation will include adding supplementary technical cyber controls, completing cyber security awareness training for employees, conducting incident response testing and drills, implementing configuration management controls, and putting supply chain protections in place.
These measures make up Phase 2 of the NRC’s cyber security requirements.
During Phase 1, nuclear facilities implemented measures to protect their most critical digital assets from the most prevalent kind of cyberattack. Phase 1 wrapped up in December 2012 and the NRC completed its inspection of Phase 1 processes in 2015.
The NRC originally issued cyber security requirements after the 9/11 terrorist attacks and formalized these regulations in 2009.
NRC regulations also require that crucial security systems be isolated from the Internet, and nuclear facilities must also address wireless threats, portable media, insider threats and other possibilities for attack.
In 2015, the NRC issued a regulation requiring nuclear plants to quickly notify the commission of certain cyberattacks.