As recent news reports show, cybersecurity breaches and hacking have been on the rise for some time, with a noticeable increase in recent months, including in the energy industry. In response, President Joseph Biden has committed his administration, in large part through the American Jobs Plan and its May 12 executive order, to strengthening cybersecurity across the country.
Notably, the American Jobs Plan directs $20 billion in energy infrastructure investment to cyber modernization, and the executive order creates a "playbook" intended to standardize the federal response to cyber incidents. But what controls exist for the nuclear industry, including commercial users of radioactive materials, and which agency has jurisdiction over these matters? We address these questions briefly here.
EVOLUTION OF NRC CYBER SECURITY STANDARDS
NRC jurisdiction and cybersecurity regulation for power reactor licensees (nuclear power plants) is well established and well documented. Following the September 11, 2001 attacks, the NRC began assessing cyber hazards and the need for protections at nuclear power plants. These efforts resulted in 10 CFR § 73.54, Protection of Computer Systems and Networks and Digital Communications, finalized in 2009, and the subsequent Regulatory Guide 5.71, which advises licensees on how to comply with the regulatory requirements. Cybersecurity controls for users of radioactive materials, by contrast, are less straightforward. Nevertheless, as described below, several federal agencies, including the NRC and the Food and Drug Administration (FDA), have been active in this space in recent years.
THE WORKING GROUP: TRAINING AND SCOPE
In 2012, in SECY-12-0088, the NRC identified the need to assess cybersecurity threats to radioactive materials licensees. To that end, in July 2013 the NRC established the By-Product Materials Cybersecurity Working Group (the Working Group), charged with identifying cybersecurity vulnerabilities among certain users of "risk-significant quantities of radioactive materials" and determining whether the NRC should initiate any regulatory action to address those vulnerabilities. ("Risk-significant quantities of radioactive materials" are those meeting the Category 1 and Category 2 thresholds identified in Appendix A to 10 CFR Part 37.) Working Group members included NRC staff and representatives of the Organization of Agreement States.
The Working Group identified the following four main categories of digital assets for evaluation and reported them to the Commission in its memorandum of January 6, 2016:
- Systems and devices based on digital microprocessors that support the physical security of the licensees’ facilities
- Equipment and devices with software-based control, operation and automation functions, such as gamma knives
- Computers and systems used to maintain source inventories, audit data, and records necessary for compliance with security requirements and regulations
- Digital technology used to support coordination and communications in response to incidents, such as trunk digital radio systems
JURISDICTIONS OF NRC AND FDA
The NRC has a Memorandum of Understanding (MOU) with the FDA that describes each agency's roles, responsibilities, and jurisdiction with respect to radioactive materials. Both the NRC and the FDA maintain web pages discussing their respective jurisdictions in more detail. In short, the NRC or the Agreement States regulate radioactive materials, while the FDA reviews the safety and use of radiopharmaceuticals and of machines that produce radiation but do not manufacture or use radioactive material.
CONCLUSIONS OF THE WORKING GROUP
Given the jurisdictional overlap between the NRC and the FDA, the Working Group limited its assessment of software systems used in medical applications to systems related to the NRC's physical protection and radiation safety authority.
The Working Group completed its assessment in October 2017 and concluded that "byproduct materials licensees possessing risk-significant quantities of radioactive material do not rely solely on digital assets to ensure safety or physical protection." Instead, they typically use a combination of methods, such as locks and physical barriers as well as personnel, to create a defense-in-depth security approach. Accordingly, as discussed in the Federal Register notice of May 15, 2018, the Working Group determined that no additional regulatory action was required because, even if the digital assets identified in the Commission's January 6, 2016 memorandum were compromised, risk-significant quantities of radioactive material would be dispersed only if there were also "a simultaneous and specific breach of the existing physical protection measures for these licensees."
Although the NRC did not take regulatory action to mitigate cybersecurity threats to radioactive materials licensees, in 2019 it issued Information Notice 2019-04, Effective Cybersecurity Practices to Protect Digital Assets of Byproduct Materials Licensees, which summarizes the Working Group's conclusions and provides licensees with a list of practices aimed at mitigating cybersecurity threats.
The NRC also maintains updated guidance on its website, which aims to give "licensees [] a better understanding of contemporary cybersecurity issues and allows licensees to consider strategies to protect digital assets (e.g., computers, digital alarm systems), including assets used to facilitate compliance with physical security requirements, such as those in [10 CFR Part 37]."
It remains to be seen whether the NRC will revisit regulatory action for radioactive materials licensees in light of the recent rise in cybersecurity breaches. Morgan Lewis will continue to monitor and report on any developments.