Nuclear Facility Failed to Identify 23 Cyber Weak Points

Despite warnings from federal inspectors in 2015, operators failed to identify “critical digital assets” at the Pilgrim Nuclear Power Station in Plymouth, Mass.

by Christine Legere, Cape Cod Times / October 10, 2017

(TNS) -- PLYMOUTH — Operators failed to identify and document 23 "critical digital assets" that perform functions related to safety systems and emergency preparedness at Pilgrim Nuclear Power Station, despite being told about the shortcoming by federal inspectors in 2015.

A report provided to the Times by the Nuclear Regulatory Commission under a Freedom of Information Act request contains more details on two cybersecurity violations found at Pilgrim in midsummer.

The Times published a story on those violations Sept. 8, but little information on the infractions was provided at the time because they were security-related.

The identification of critical digital components is one of the early steps commercial nuclear plant owners were required to take under federal regulations aimed at beefing up cybersecurity. Once components were identified as critical, plant owners were required to protect them from radiological sabotage via cyberattack.

Identification of vulnerable systems is the second "milestone" of eight outlined in NRC regulations. Nuclear plants have been working their way through the requirements since 2012 and are required to have all eight completed by the end of this year. Federal inspectors checked out the improvements at the nation's reactors under the first seven milestones in 2015 and told operators where they fell short.

Last summer, inspectors conducted sample inspections to make certain shortcomings had been addressed.

The 23 components Pilgrim failed to identify under the second milestone would not have received the sabotage protection provided to other critical digital systems.

Although the NRC called the infraction "more than minor" because it failed to "provide assurance that a licensee's protective strategy can protect against design basis threats of radiological sabotage from external and internal threats," it categorized it as low in safety significance.

The agency cited Pilgrim for not taking corrective action to resolve a previous NRC-identified violation.

A spokesman for Pilgrim responded to the report by email: "Pilgrim has on-site Security and IT departments supported by Entergy's corporate IT and Security departments, all of which engage in robust training and implement comprehensive measures to protect against cyber and personal threats and ensure employee, plant and public safety," Patrick O'Brien wrote. "Additionally, Entergy partners with the federal government, intelligence community, and law enforcement on a broad range of cybersecurity threat information-sharing initiatives to safeguard our critical infrastructures. As the NRC report noted, the finding was of very low safety significance."

O'Brien said the deficiencies have been put on Pilgrim's corrective action list of items to be fixed.

David Lochbaum, director of the Nuclear Safety Program for the Union of Concerned Scientists, said owner-operator Entergy Corp. has a long history of violations at Pilgrim.

"In fairness to Entergy, given the overwhelming inventory of previously identified safety and security shortcomings, there may not be enough nuclear workers in the entire country to fix them all," Lochbaum wrote in an email. "Or perhaps Pilgrim has plenty of workers, but Entergy hasn't the interest in pouring more money into a lame duck reactor."

Pilgrim is scheduled to permanently close May 31, 2019.

Entergy has asked the NRC for an exemption from carrying out the eighth milestone of the cybersecurity regulations, based on the closure date.

NRC spokesman Neil Sheehan said the federal agency would make a decision on the request by the end of the year.

"Pilgrim had not even completed milestone 2, never mind 3, 4, 5, 6, 7, and now they want out of the eighth," said Mary Lampert, director of Pilgrim Watch. "The second cybersecurity milestone required Entergy to identify the vulnerable systems important to safety and emergency planning, so those systems could be fixed and defended against hacking in subsequent milestones. Looks like we are sitting ducks once again."

The second cybersecurity violation found at Pilgrim during the midsummer inspection, which also related to Milestone 2 of the eight milestones, involved failure to properly analyze site conditions, including components that, if disabled, could allow for damage to the reactor or spent fuel pool.

The NRC called the violation "more than minor" because it affects the federal objective "to provide assurance that the licensee's security system could protect against the design basis threat of radiological sabotage from external threats."

The agency said the deficiency did not require enforcement actions because the issue "did not have any actual security consequences" and "was not the result of any willful violation of NRC requirements or Entergy procedures."

Both violations in the report were related to staff performance deficiencies, the federal agency said.

Lochbaum said such violations are why Pilgrim is categorized as a "Column 4" plant by the NRC, which is one step above ordered shutdown. "They are not good at finding and fixing safety problems in a timely and effective manner as required by NRC's regulations," Lochbaum wrote.

©2017 Cape Cod Times, Hyannis, Mass. Distributed by Tribune Content Agency, LLC.