Problems arise with cybersecurity at Shippingport nuclear power plant in Beaver
Earthquakes, saboteurs and trespassers — the Beaver Valley nuclear power plant has shown signs of trouble in guarding against all of them.
Now it's got a new-age security concern, too: hackers.
The Shippingport plant received two violations for shortcomings federal inspectors found in the plant's cybersecurity program on Sept. 13. The Nuclear Regulatory Commission reported the problems in a letter sent to plant officials on Monday, but it did not elaborate in public documents or interviews, standard protocol to keep security information from would-be attackers.
Akron-based FirstEnergy Corp., the plant's owner, has fixed the problems, said spokeswoman Jennifer Young. But Young played down the plant's exposure to cyberthreats, noting many of its controls have not been upgraded from analog to digital technology, which is more susceptible to hacking.
“The nuclear plants by design are pretty isolated from what we normally think of as cybersecurity issues,” Young said. “When it comes to control of the plant, we're in very robust shape. That doesn't mean that we rest on that.”
Those assurances did little to quell broader concerns from critics about the timeliness of the NRC's effort to address cybersecurity at nuclear plants. The NRC ordered plants to bolster security against hacking and other threats after 9/11. But it took eight years to issue cybersecurity rules and four more years to start inspections.
“What this boils down to right now is absolutely inexcusable. Since the mid-'90s it was quite apparent the Internet was going to take off and create a whole host of cybersecurity issues,” said Scott Portzline, a Harrisburg volunteer who researches security issues for the activist group Three Mile Island Alert. “What they have done so far is drag their feet.”
The commission found the problems during a wave of inspections it is doing around the country, part of its first attempt to ensure last generation's plants are prepared for a new generation's problems. Hackers, cyber warriors and even data glitches pose threats, with the power to cause malfunctions that can stop electric generation or start a nuclear meltdown.
The rules are still so new that the commission isn't taking enforcement action against Beaver Valley for its problems, Young said. That is a common practice the commission uses, pushing power plants to make improvements but forgoing sanctions as companies adjust to the first-time application of new rules, said Dave Lochbaum, director of the Nuclear Safety Project at the Union of Concerned Scientists.
“There are always competing priorities. But one of the things we had to do was allow the companies time to acquire the proper software, make the technological changes and live up to our order that raises the level of cybersecurity,” commission spokesman Neil Sheehan said in response to criticism. “They have been moving forward on this.”
FirstEnergy officials believe Beaver Valley did well compared to other plants, Young said. Of about 10 that faced similar audits, some had no problems at all, said Lochbaum, who reviewed some of the reports made public in the commission's database. Others had violations similar to Beaver Valley's.
Three Mile Island near Harrisburg had two violations in its June inspection, the commission said in its letter to that plant's owner, Exelon Corp. That plant is famous for the worst nuclear disaster in U.S. history, a partial meltdown and radiation leak in 1979.
Beaver Valley had several issues in the past 18 months. Last year the commission cited it for problems likely related to plant access, Lochbaum said, and in April it may have failed part of a drill that included a mock physical attack. The commission also audited the plant for earthquake risks in July because plant officials last year found dozens of minor problems officially called “potentially adverse seismic conditions.”
Cyber warfare and computer viruses are new types of concerns but ones officials are scrambling to address in all parts of public life. Emergency officials are only just setting a plan to deal with cyber attacks that could target public infrastructure in Beaver County, said Wes Hill, the county's emergency management director.
The nuclear industry, like others that existed before the rampant growth of the Internet, has to catch up with emerging security threats, said Ronald Marks, a George Washington University senior fellow on intelligence issues. Nuclear plants have to be particularly wary, he said, of internal security threats.
Beaver Valley, built in the 1970s, still relies on many analog controls, keeping it isolated from the threats of the digital universe, Young said. But an aging generation of nuclear plants is finding it harder to replace analog equipment as it wears out, increasingly exposing them to the digital world, Lochbaum said. They also have to be wary of flash drives, laptops and other digital connections that workers can bring into plants, opening holes and exposing the plants' systems to outside threats, experts said.
“It's a matter of time before someone gets in and something happens,” Marks said. “My concern lies mostly with what the event will be. At the beginning, it's going to be closer to Homer Simpson than it is to Three Mile Island.”
Timothy Puko is a staff writer for Trib Total Media. Reach him at 412-320-7991 or firstname.lastname@example.org. Staff writer Andrew Conte contributed to this report.
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- Few homeowners expected to benefit from Bank of America’s $16.65B settlement
- Thousands of American steel jobs believed lost to import surge
- Utility regulator seeks $639,000 in penalties from electric supplier
- GM’s legal team targeted in federal investigation
- Microsoft keeping $93B offshore, off U.S. tax rolls
- Central banks around globe moving in different directions
- Dynegy to spend $6.25B on power plant acquisitions
- Beware mergers’ bad spawn
- Instead of clarity, Federal Reserve Chair Yellen offers more uncertainty on interest rate hikes
- Advocacy group requests investigation of Chrysler power system failures
- Google Maps opens business doors to online views for shoppers