The US Department of Homeland Security (DHS) recently confirmed that state-sponsored hackers successfully gained access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The Wall Street Journal report describes the activities as part of a long-running campaign targeting US utilities. These cyberattacks were first disclosed in a Technical Alert issued by DHS earlier this year. The attacks are another example of the need for continued vigilance in protecting industrial control systems and the importance of strong vendor and supply chain cybersecurity controls for utilities.
The attackers reportedly gained access to secure networks by first exploiting the networks of trusted third-party vendors through the use of familiar tactics, such as spear-phishing emails and watering-hole attacks. Armed with vendor access credentials, the attackers then pivoted into the utilities’ isolated “air-gapped” networks and began gathering information on their operations and equipment. The extent of the attack remains unclear based on publicly available information, and DHS did not state whether any nuclear power stations were targeted in this latest round of attacks. Importantly, however, DHS stated that some companies may not yet know they were victims of the attacks because the hackers used the credentials of actual employees to access networks, thus making detection more difficult.
The Nuclear Regulatory Commission (NRC) already requires each Part 50 licensee to have a cybersecurity plan in place and to conduct a review of the plan at least every 24 months. The critical safety and security systems at nuclear power stations are generally isolated from the internet to provide an additional layer of security for these important systems. Given the sustained pace of cyberattacks and this recent attack on “air-gapped” systems, nuclear power utilities should expect greater focus on cybersecurity plans, including supply chain and vendor integrity issues.
The NRC periodically reviews its regulations and guidance related to cybersecurity topics. It is currently engaged in preliminary rulemaking activities to establish cybersecurity regulations for fuel cycle facilities and has issued a draft regulatory guide. It is also likely that the NRC will consider these recent attacks in the context of its existing regulatory guides on cybersecurity programs and the use of computers at nuclear power plants, which were issued in 2010 and 2011, respectively.
The NRC also engages with other federal agencies, including DHS, the Federal Energy Regulatory Commission (FERC), and the North American Electric Reliability Corporation (NERC) on cybersecurity efforts. In 2010, the NRC signed a memorandum of understanding (MOU) with NERC to clarify the regulatory roles and responsibilities of each organization, including inspection protocols and enforcement actions. And in June 2018, the NRC signed an MOU with FERC regarding the treatment of “Critical Energy/Electric Infrastructure Information.” These MOUs enable the NRC to work more closely with NERC and FERC to address cybersecurity risks to the electrical system.
As we counsel NRC-regulated entities that regularly encounter cybersecurity issues in the licensing and compliance contexts, we will continue to closely follow developments on this front.