
Congressmen want explanation on possible nuclear power plant cybersecurity incident

Two Democratic congressmen want to know whether America's nuclear power plants are at risk of a cybersecurity attack.

U.S. Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on Homeland Security, and Rep. James R. Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, have asked Dale E. Klein, chairman of the U.S. Nuclear Regulatory Commission (NRC), to investigate the nation's nuclear cybersecurity infrastructure.

They said a cybersecurity "incident" resembling a DoS attack on Aug. 19, 2006, left the Browns Ferry Unit 3 nuclear power facility in northern Alabama at risk.

According to a letter from Thompson and Langevin, Browns Ferry personnel said "excessive traffic" led to the loss of the plant's water recirculating pumps.

The plant's licensee, the Tennessee Valley Authority (TVA), notified the NRC of the incident on Aug. 26 of last year. The TVA said it took "corrective actions," such as installing a firewall on the plant's network.

"In accord with current regulations," Thompson and Langevin wrote, "NRC staff decided against investigating the failure as a 'cybersecurity incident' because the failing system was a 'non-safety' system rather than a 'safety' system. Also, it was determined by the licensee that the incident did not involve an external cyberattack on the system."

The congressmen later wrote, "We have deep reservations about the NRC's hesitation to conduct a special investigation into this incident."

The letter from Thompson and Langevin, dated May 18, asked that Klein institute comprehensive cybersecurity policies and procedures on safety and non-safety systems for U.S. nuclear power plant licensees.

"Conversations between the Homeland Security Committee staff and NRC representatives suggest that it is possible that this incident could have come from outside the plant. Unless and until the cause of the excessive network load can be explained, there is no way for either the licensee or the NRC to know that this was not an external [DDoS] attack," the congressmen wrote. "Without a thorough, independent review of the logs and associated data, the assumption that this incident is not an outside attack is unjustifiable."

Thompson and Langevin's letter also asked the commission whether it has determined the source of what they called the "data storm," and whether it is planning an investigation. They also asked the NRC to submit a written response to their letter by June 14.

