New Cybersecurity rules by Nuclear Regulatory Commission from Nov 2015


Washington DC, Nov 1, 2015 - The US Nuclear Regulatory Commission has mandated new rules for nuclear power plants on reporting cyberattacks against their networks, after President Obama said that the US does not seem to be doing enough to prevent cyber attacks on critical infrastructure.


The new rules will be mandatory after they are published in the Federal Register.

“This rule establishes new cyber security event notification requirements that contribute to the NRC’s analysis of the reliability and effectiveness of licensees’ cyber security programs and plays an important role in the continuing effort to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat,” a notice pending publication in the Federal Register reads.

It is great that nuclear plants are finally getting their cyber security measures in place. Unfortunately, quite a few myths are floating around in the power generation (nuclear as well as fossil fuel), oil & gas, chemicals and other process industries about the invulnerability of their control systems to routine cyber attacks. Nothing could be further from the truth, as outlined in a recent article on LinkedIn related to industrial cybersecurity. The article covers the top 5 myths about industrial cybersecurity, including the most pervasive one: if my DCS (or SIS or other control system) is not connected to the internet (air-gapped), then I have nothing to worry about. This is a complete fallacy, as the Stuxnet incident amply showed. Malware can spread via infected USB drives and via other connections to control systems that are hidden from management, such as the configuration ports, serial ports and similar interfaces of controllers and other hardware.

On Thursday, President Obama declared November “Critical Infrastructure Security and Resilience Month,” a follow-up to October’s “National Cybersecurity Awareness Month.”

“By some estimates, we are currently underinvesting in our infrastructure by hundreds of billions of dollars each year,” Obama said in a White House proclamation Thursday. “Not only is it a threat to our national security, but failing to maintain and strengthen our infrastructure also jeopardizes our economic growth and closes doors of opportunity for all our citizens.”

The new rules can be downloaded from here.