The Nuclear Regulatory Commission has adequate management controls in place for its cyber security inspection program, the NRC inspector general has said.
The program is a key element to protecting the extensive, complex and evolving systems controlling the nation’s nuclear plants. A 2009 cyber security rule established regulatory requirements for the nuclear power industry.
Following that, the NRC took several actions to form a solid basis for its inspection program. The NRC: developed, in consultation with industry, an interim inspection program based on technical milestones; created a preliminary inspector training program for headquarters- and region-based staff; performed pilot inspections at nuclear power plants and used those inspections to test and develop interim inspection guidance; created a cyber security directorate within the office of nuclear security and incident response to consolidate program management in a single organization at NRC; issued multiple supplementary guidance documents for use by NRC staff and licensees; and, engaged industry stakeholders through conferences and staff meetings.
Currently the program is responsible for critical digital components and systems associated with target set equipment, but a planned expansion of scope to cover all critical digital components and systems with a safety, security, and emergency preparedness functions presents a resource challenge.
