A Quick Look At NEI 08-09, The Cybersecurity Backbone For Nuclear Power Industry

  • The NEI 08-09 is a Cyber Security plan to protect the public from radiological sabotage in the event of a cyberattack on nuclear plants.
  • It outlines a defensive architecture and various security controls.

The history of

The nuclear energy sector needs to implement strict security measures as the consequences of an attack can be quite devastating.

  • However, it is also believed to be one of the safest industries with multiple safety systems in place.
  • The Nuclear Energy Institute (NEI) began exploring possible cybersecurity issues in 1997.
  • In March 2009, several security regulations were introduced, including a mandate that power plants submit a cybersecurity plan to the U.S. Nuclear Regulatory Commission (NRC) for approval.
  • In May 2010, NRC approved the NEI 08-09 Cyber Security Plan for Nuclear Power Reactors.

“The purpose of the Cyber Security Plan (Plan) is to provide a description of how the requirements of 10 CFR 73.54, 'Protection of digital computer and communication systems and networks' (Rule) are implemented. The intent of the Plan is to protect the health and safety of the public from radiological sabotage as a result of a cyber attack as described in 10 CFR 73.1. 10 CFR 50.34(c), 'Physical Security Plan,' requires the inclusion of a physical security plan,” states NEI 08-09.

Looking at the NEI 08-09

The NEI 08-09 is a cybersecurity plan for nuclear power reactors that aims to assist nuclear power companies in complying with 10 CFR 73.54.

  • It includes a defensive architecture and security controls that are based on various NIST standards.
  • The NEI 08-09 recommends the formation of a Cyber Security Assessment Team (CSAT) of individuals with knowledge in information and digital technology, nuclear power plant operations, physical security, and emergency preparedness.
  • It also outlines identifying critical digital assets, mitigating cybersecurity controls, and examining cybersecurity practices.
  • Access controls, accountability policies and procedures, and system hardening are also discussed in detail.
  • A glossary of terms used in the NEI 08-09 is also included.