Saturday, March 29, 2014

Commercial Nuclear Power Plant Cyber Security Policy

The birth of the current security posture for commercial nuclear power plants is linked to the security imposed on the Manhattan Project, which ultimately resulted in the creation of the atomic bomb. Following World War II, the United States Congress passed the McMahon Act, which determined how the US government would control and manage nuclear technology. The legislation also created the Atomic Energy Commission (AEC). Congress amended the McMahon Act as the Atomic Energy Act of 1954 and included provisions for the security of nuclear material. The US Executive Branch promulgated the Act into Title 10 of the Code of Federal Regulations (CFR). 10CFR73, Physical Protection of Plants and Materials, prescribes the requirements and maintenance of physical protection systems that have capabilities for the protection of special nuclear material. Further, regulations pertinent to cyber security are located in 10CFR73.54, Protection of Digital Computer and Communications Systems and Networks, which requires that nuclear plant operators provide high assurance that digital computer and communication systems and networks are adequately protected against cyber-attacks, up to and including the design basis threat. The commercial nuclear industry lobbying group, the Nuclear Energy Institute (NEI), collaborated with the federal regulator, the Nuclear Regulatory Commission (USNRC), and developed NEI 08-09, Cyber Security Plan for Nuclear Power Reactors. This document serves as a template or prototype from which nuclear plant operators develop a cyber security plan that satisfies 10CFR73.54.
Nuclear plant operators are required to protect those digital assets subject to cyber-attack that would act to modify, destroy, or compromise the integrity or confidentiality of data and/or software; deny access to systems, services, and/or data; or impact the operation of systems, networks, and associated equipment, as they pertain to:
• Nuclear safety-related and important-to-safety functions;
• Security functions;
• Emergency preparedness functions, including offsite communications; and
• Support systems and equipment that, if compromised, would adversely affect safety, security, or emergency preparedness functions.
Nuclear plant operators have until December 31, 2015, to implement the requirements of 10CFR73.54. However, due to costs and other implementation coordination issues, some nuclear plant operators are requesting an extension of the deadline by a year or two.

Monday, March 24, 2014

Most legitimate cyber security news publishers, such as Security Magazine (http://www.securitymagazine.com) and Government Security News (http://www.gsnmagazine.com/), can be considered credible sources of information. Other sources of information are published by computer industry trade groups like the Software Engineering Institute (http://www.sei.cmu.edu/), and in the Verizon data breach investigations reports (http://www.verizonenterprise.com/DBIR/2013/). Another excellent source of cyber security news is the SANS Institute (http://www.sans.org/newsletters/). However, the source most widely recognized for threat, vulnerability, update and security news is the Mitre Corporation (http://www.mitre.org/). This organization is responsible for maintaining the Common Vulnerabilities and Exposures (CVE) list, a listing of the vulnerabilities associated with products and services. Actually, there are many others out there, just too numerous to list. These are by far the most credible sources of information. The respective organizations are not promoting a product to the everyday commercial consumer. Also, these organizations are staffed and supported by industry professionals and, as such, are subject to peer scrutiny. They are not likely to publish bad information. Commercial computer security suppliers, like Norton (http://us.norton.com/) and McAfee (http://www.mcafeeoffers.com/), are also good sources of information. I secure my home computer using Norton 360 and periodically (about once per month) I get a pop-up notifying me of the latest news. McAfee antivirus software may do this also. A Google search for the term “data breach reports” returns a link to the identity theft vendor Lifelock (http://www.lifelock.com/); although the services provided by this supplier may be satisfactory, the web site does not provide any useful information. Other similar products may also provide dubious information.
If I find conflicting information, I consider the information source and any possible motivations behind their respective pronouncements. I prefer those organizations/sources who are not attempting to promote a product.

Wednesday, March 12, 2014

CYBR 650 Introductory Blog

Hello, my name is Robert Nilsson. I am a student in Bellevue University’s Cyber Security Master’s degree (MS) program. I am in my final semester and am taking two courses: CYBR 650, Current Trends in Cyber Security, and PS 639, Cyberwar and Cyber Deterrence. CYBR 650 is a capstone course and we are currently engaged in process modeling. Based upon the subjects listed on the Discussion Board (where we post our assignments), it appears that we will be discussing processes and systems analysis, amongst other things. We will also be delving into current trends in cyber security. This blog will focus on the CYBR 650 course and will most likely be updated weekly (depending on the weekly assignment requirements) on my progress and what I’ve learned and discovered during this semester. This first week I am challenged with determining a threat analysis process model. Yeah, right! I have a lot of research to complete before I begin to develop my model. I already know what a threat is, but how do I create a process and fit it into a flow chart? Interestingly enough, in my research I came across a PowerPoint presentation developed by Microsoft which indicates that a flow chart is the wrong way to do this. Oh, well – I’ve got to do what the assignment requires. I don’t believe Microsoft is the only player in the cyber security game anyway. So it’s off to the cyber world, getting creative and having fun learning.