NRC v FERC oversight - between a rock and a hard place

From Electric Light & Power:
FERC proposes to close nuke cyber security gap

In an April 8, 2008 public joint meeting of FERC and the NRC, NRC staff indicated that the agency has proposed regulations to address cyber security at nuclear generating plants, but raised a concern about a potential gap in regulatory coverage because the requirements only will be directly associated with reactor safety security and emergency response, and will not extend to power continuity systems.

I’ve pondered the ramifications of this for a while.

One company, two regulatory bodies.

In the end, I believe that safety and security will be the casualty.

Nuclear power generating facilities in the US are regulated by the United States Nuclear Regulatory Commission.

Over the last year, NRC has gotten on the cyber security bandwagon. They have released a draft regulatory guide that, in theory, will increase the cyber security posture of nuclear power facilities.

In the absence of broad guidance, the industry has been operating under a policy developed by the industry, and approved by the NRC as an acceptable approach for ensuring cyber security.

Both these documents (much to my distress) are withheld from public disclosure.

The NRC’s job is to oversee the nuclear fleet (and other non-military nuclear related industry) and protect the public from potential harmful effects of radiation. After all, nuclear power plants in the US are using a radioactive isotope of Uranium (U235) as a heat source.

Since safety is the NRC’s primary mission, continuity of power concerns may be secondary.

The Federal Energy Regulatory Commission, on the other hand, is tasked with ensuring the safety, security, and continuity of the power grid.

In non-nuclear facilities, there is not an additional regulatory body concerned with the fuel source. The entire scope of operations falls under the regulatory oversight of the FERC.

The gap in regulatory oversight of nuclear generating facilities lies in the area between those sets of assets that can be considered “safety related” and those that are considered non-safety related, but are important to continuity of power.

And things get really ugly when certain devices play both roles.

And that’s where this ball of wax gets really out of hand.

NRC is developing one set of standards for securing safety systems, and FERC (via NERC) has developed standards to ensure continuity of power.

Anyone who’s made it past basic algebra knows you can’t maximize two variables in an equation. You can maximize safety, or you can maximize your ability to ensure continuity of power, but not both.

Having grown up in Washington, I think I can smell which way the wind is blowing here.

The result will be that many systems will be under the regulation of two different entities, both with competing interests.

In the end, the operator will have to make a choice, and no matter which he chooses, he fails at achieving the requirements of either body.

In this situation, the best the operator can do is to shoot for the minimum set of configurations that meets all the requirements that match both sets of regulation.

I have to tell you, given that we are talking about a nuclear power reactor, I’d rather the operator not skimp on safety to ensure continuity of power.

What should be done?

It’s my opinion, having read the NRC’s draft regulatory guide and spent some time looking over the NERC CIPs, that what we really need to do is take a step back.

I believe that continuity of power is a byproduct of the secure operation of any power facility.

I believe as well that safety is a byproduct of the same secure operation.

That said, I believe that what is best will be the development of a set of cyber security policies and procedures that are facility agnostic, and that ensure that digital systems within power generating facilities are secured.

Let the chips fall where they may. Implementing such a plan may require major modifications to the regulatory framework, but if it is what needs to be done, it needs to be done.

I can assure you that crackers do not care if FERC or NRC is running the show.

Bill
