Yesterday the Nuclear Regulatory Commission (NRC) published
a notice in the Federal Register (83 FR
22413-22414) announcing that it is discontinuing its rulemaking
activities on “Cyber Security for Byproduct Materials Licensees” (RIN
3150-1756). This rulemaking first
appeared in the Unified Agenda during the Obama Administration in the
long-term actions section. It was moved to the Active
Agenda in the Spring of 2017 and then back to the long-term actions in the most
recent agenda.
Background
The Byproduct Materials
Cyber Security Working Group was formed in 2013 to look into the potential
need for a cybersecurity rulemaking for facilities that store Category 1 or
Category 2 quantities of radioactive material (this does not include radioactive
material contained in any fuel assembly, subassembly, fuel rod, or fuel pellet;
see 10
CFR 37.5).
The working group identified four sets of digital assets
that the NRC should evaluate with respect to cyber threat protection:
• Digital/microprocessor-based
systems and devices that support the physical security of the licensee's
facilities. These include access control systems, physical intrusion detection
and alarm systems, video camera monitoring systems, digital video recorders,
door alarms, motion sensors, keycard readers, and biometric scanners;
• Equipment and devices with
software-based control, operation, and automation features, such as panoramic
irradiators and gamma knives;
• Computers and systems used to
maintain source inventories, audit data, and records necessary for compliance
with security requirements and regulations; and
• Digital technology used to support incident
response communications and coordination such as digital packet radio systems,
digital repeater stations, and digital trunk radio systems.
The most recent, publicly-available document (Update to the
U.S. Nuclear Regulatory Commission Cyber Security Roadmap, ML15201A509,
2-28-17) noted that (pg 7):
“The working group plans to
complete its evaluation of the [180] questionnaire [sent to all NRC and
Agreement State licensees that possess Categories 1 and 2 quantities of
radioactive Materials] responses, its consequence analysis, and any follow-up
communication with stakeholders in early 2017. As a result, the working group
intends to develop recommendations for a path forward by spring/summer 2017.”
Question: Why does the NRC still use antiquated on-line
tools to provide access to public documents? Why can I not provide a link to
the document listed above? The NRC does not provide links to their documents.
NRC Conclusion
The NRC staff completed its evaluation in October 2017. According to the notice:
“The NRC staff concluded that
byproduct materials licensees that possess risk-significant quantities of
radioactive material do not rely solely on digital assets to ensure safety or
physical protection. Rather, these licensees generally use a combination of
measures, such as doors, locks, barriers, human resources, and operational
processes, to ensure security, which reflects a defense-in-depth approach to
physical protection and safety. As a result, the staff concluded that a
compromise of any of the digital assets identified in the January 6, 2016,
Commission memorandum would not result in a direct dispersal of
risk-significant quantities of radioactive material, or exposure of individuals
to radiation, without a concurrent and targeted breach of the physical
protection measures in force for these licensees.”
Based upon that recommendation, the NRC is discontinuing
rulemaking activity to develop cyber security requirements for byproduct
materials licensees possessing risk-significant quantities of radioactive
materials.
Commentary
Since I have not seen (and probably never will see, for
legitimate security reasons) the final NRC staff report, it is difficult to draw any
firm conclusions about the decision reached by the NRC.
Having said that, I see little in the language in this
announcement that provides me with any level of comfort that the Commission
took a hard look at anything beyond the immediate security of these materials.
There is no language that would indicate that operational security (the
security of the devices that manipulate or move the covered materials) has been
adequately addressed.
Additionally, since these materials are ideally suited to
employment in weapons of mass confusion (radiologically enhanced improvised
explosive devices), I am also concerned about the security of the information
systems that deal with the ordering and shipping of these commercial products.
The diversion of legitimate shipments via electronic changes to orders
or shipping documents is a plausible scenario for terrorists to acquire
the material necessary to build a radiological dispersal device (‘dirty
bomb’).
Again, the NRC and its staff may very well have looked at
these potential vulnerabilities, but there is nothing in this announcement that
provides any indication that this is so. Perhaps this is something that
Congress ought to take a look at.