As is clear from recent news reports, cybersecurity hacks and breaches have been trending upward for some time, and there has been a noticeable uptick over the last several months—including in the energy industry. As a result, President Joseph Biden has committed his administration, in large part through the American Jobs Plan and his executive order of May 12, to strengthen cybersecurity across the nation.
Notably, the American Jobs Plan makes $20 billion in energy infrastructure investments contingent on cybermodernization, and the executive order creates a “playbook” in an effort to harmonize the federal response to cyberincidents. But what controls are in place for the nuclear industry, including commercial users of radioactive materials, and which agency has jurisdiction over such matters? We address these issues briefly here.
Evolution of the NRC’s Cybersecurity Regulations
The NRC’s jurisdiction over and regulation of cybersecurity for power reactor (nuclear power plant) licensees is well established and well documented. Following the attacks of September 11, 2001, the NRC began evaluating cyberrisks and the need for associated protections at nuclear power plants. These efforts resulted in 10 CFR § 73.54, Protection of Digital Computer and Communication Systems and Networks, finalized in 2009, and the subsequent Regulatory Guide 5.71, designed to advise licensees on how to meet the regulatory requirements. But cybersecurity controls for radioactive material users are less straightforward. Nevertheless, as described below, several federal agencies, including the NRC and the Food and Drug Administration (FDA), have been active in this space over the last several years.
The Working Group: Formation and Scope
In 2012, the NRC identified a need to evaluate cybersecurity threats for radioactive materials licensees in SECY-12-0088. To accomplish that goal, in July 2013, the NRC established the Byproduct Materials Cyber Security Working Group (the Working Group), whose goal was to identify cybersecurity vulnerabilities among certain users of “risk-significant radioactive materials” to determine if the NRC should initiate any regulatory action to address those vulnerabilities. (“Risk-significant quantities of radioactive materials” are those that meet the Category 1 and Category 2 thresholds identified in Appendix A to 10 CFR Part 37.) Members of the Working Group included NRC Staff and representatives from the Organization of Agreement States.
The Working Group identified the following four primary categories of digital assets for evaluation, and reported them to the Commission in its January 6, 2016 memorandum:
- Digital/microprocessor-based systems and devices that support the physical security of licensees’ facilities
- Equipment and devices with software-based control, operation, and automation features, such as gamma knives
- Computers and systems used to maintain source inventories, audit data, and records necessary for compliance with security requirements and regulations
- Digital technology used to support incident response communications and coordination, such as digital trunk radio systems
NRC and FDA Jurisdictions
The NRC has a memorandum of understanding (MOU) with the FDA that outlines the roles, responsibilities, and jurisdiction of each agency with respect to radioactive materials. Both the NRC and the FDA maintain webpages to provide further discussion of their jurisdictions. In sum, while the NRC or agreement states regulate radioactive materials, the FDA reviews the safety and use of radiopharmaceuticals and machines that produce radiation but do not make or use radioactive material.
The Working Group’s Conclusions
Given the jurisdictional overlap between the NRC and the FDA, the Working Group limited its evaluation of the software systems used in medical applications to the systems related to the radiation safety and physical protection authority of the NRC.
The Working Group completed its evaluation in October 2017 and concluded that “byproduct materials licensees that possess risk-significant quantities of radioactive material do not rely solely on digital assets to ensure safety or physical protection.” Instead, they tend to use a combination of different methods, such as physical locks and barriers, as well as human resources, to create a defense-in-depth approach to security. Consequently, as outlined in its May 15, 2018 Federal Register notice, the Working Group determined that no additional regulatory action was necessary because even if the digital assets identified in the January 6, 2016 Commission memorandum were compromised, risk-significant quantities of radioactive material would only be dispersed if there were also “a concurrent and targeted breach of the physical protection measures in force for these licensees.”
Although the NRC did not take any regulatory action to mitigate cybersecurity threats for radioactive materials licensees, it issued Information Notice 2019-04, Effective Cyber Security Practices to Protect Digital Assets of Byproduct Materials Licensees, in 2019. The information notice describes the Working Group’s evaluation and conclusion and provides licensees with a list of practices intended to mitigate cybersecurity threats.
The NRC also maintains updated guidance on its website, which aims to provide “licensees [with] a better understanding of contemporary cyber security issues and enables licensees to consider strategies to protect digital assets (e.g., computers, digital alarm systems), including those assets used to facilitate compliance with physical security requirements such as [10 CFR Part 37].”
It remains to be seen whether the NRC will renew any regulatory action related to radioactive material licensees given the recent uptick in cybersecurity breaches. Morgan Lewis will continue to monitor and report on any developments.