I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry’s physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had made over the past eight years.
In general, since 9/11 the nuclear power industry has spent billions on physical security upgrades and programs at US plants. This spending is in addition to the significant budgets for physical security allocated since the industry’s inception. Physical security has always been addressed well and systematically within plants. This means significant security input from design (Design Basis Threat analysis) through post-implementation testing (force-on-force drills). Annual spending per plant on physical security is estimated at $10M to $15M.
The impact of a physical security event has the potential to be catastrophic. At the upper end of impact, these events range up to compromise of the core reactor itself. While the impact of an event of this nature would be catastrophic, this risk scenario was planned for in initial plant design and with subsequent physical security programs. So, while the potential impact may be great and the threat high, because of significant risk mitigation through design and ongoing physical security programs, the overall risk is low.
While the impact of a cyber security incident may not be quite as dramatic, it still has the potential to be very damaging. As plant IT environments become more networked and control systems are integrated within IT, the potential for a catastrophic event caused by a cyber security incident greatly increases. The threat level is orders of magnitude higher at nuclear power plants; they are attacked on an ongoing basis.
At the conference last week, the discussion revolved around what the final cyber security standard will be for the industry. There have been steps to develop a common risk and compliance framework through the NRC and NEI, but there has not been agreement on how to secure the US nuclear power industry. This needs to be addressed immediately (and one hopes it will be), but more importantly, power companies and plants need to begin to allocate appropriate budget to implement and maintain their cyber security programs. The investment will be substantial, and the organizations will need to plan accordingly. One way to look at the budgeting for cyber security is that, while it may not be quite as costly as physical security, it will be on that order of magnitude.