Problems arise with cybersecurity at Shippingport nuclear power plant in Beaver
Earthquakes, saboteurs and trespassers — the Beaver Valley nuclear power plant has shown signs of trouble in guarding against all of them.
Now it's got a new-age security concern, too: hackers.
The Shippingport plant received two violations for shortcomings federal inspectors found in the plant's cybersecurity program on Sept. 13. The Nuclear Regulatory Commission reported the problems in a letter sent to plant officials on Monday, but it did not elaborate in public documents or interviews, standard protocol to keep security information from would-be attackers.
Akron-based FirstEnergy Corp., the plant's owner, has fixed the problems, said spokeswoman Jennifer Young. But Young played down the plant's exposure to cyberthreats, noting many of its controls have not been upgraded from analog to digital technology, which is more susceptible to hacking.
“The nuclear plants by design are pretty isolated from what we normally think of as cybersecurity issues,” Young said. “When it comes to control of the plant, we're in very robust shape. That doesn't mean that we rest on that.”
Those assurances did little to quell broader concerns from critics about the timeliness of the NRC's effort to address cybersecurity at nuclear plants. The NRC ordered plants to bolster security against hacking and other threats after 9/11. But it took eight years to issue cybersecurity rules and four more years to start inspections.
“What this boils down to right now is absolutely inexcusable. Since the mid-'90s it was quite apparent the Internet was going to take off and create a whole host of cybersecurity issues,” said Scott Portzline, a Harrisburg volunteer who researches security issues for the activist group Three Mile Island Alert. “What they have done so far is drag their feet.”
The commission found the problems during a wave of inspections it is doing around the country, part of its first attempt to ensure last generation's plants are prepared for a new generation's problems. Hackers, cyber warriors and even data glitches pose threats, with the power to cause malfunctions that can stop electric generation or start a nuclear meltdown.
The rules are still so new that the commission isn't taking enforcement action against Beaver Valley for its problems, Young said. That is a common practice the commission uses, pushing power plants to make improvements but forgoing sanctions as companies adjust to the first-time application of new rules, said Dave Lochbaum, director of the Nuclear Safety Project at the Union of Concerned Scientists.
“There are always competing priorities. But one of the things we had to do was allow the companies time to acquire the proper software, make the technological changes and live up to our order that raises the level of cybersecurity,” commission spokesman Neil Sheehan said in response to criticism. “They have been moving forward on this.”
FirstEnergy officials believe Beaver Valley did well compared to other plants, Young said. Of about 10 that faced similar audits, some had no problems at all, said Lochbaum, who reviewed some of the reports made public in the commission's database. Others had violations similar to Beaver Valley's.
Three Mile Island near Harrisburg had two violations in its June inspection, the commission said in its letter to that plant's owner, Exelon Corp. That plant is famous for the worst nuclear disaster in U.S. history, a partial meltdown and radiation leak in 1979.
Beaver Valley had several issues in the past 18 months. Last year the commission cited it for problems likely related to plant access, Lochbaum said, and in April it may have failed part of a drill that included a mock physical attack. The commission also audited the plant for earthquake risks in July because plant officials last year found dozens of minor problems officially called “potentially adverse seismic conditions.”
Cyber warfare and computer viruses are new types of concerns but ones officials are scrambling to address in all parts of public life. Emergency officials are only just setting a plan to deal with cyber attacks that could target public infrastructure in Beaver County, said Wes Hill, the county's emergency management director.
The nuclear industry, like others that existed before the rampant growth of the Internet, has to catch up with emerging security threats, said Ronald Marks, a George Washington University senior fellow on intelligence issues. Nuclear plants have to be particularly wary, he said, of internal security threats.
Beaver Valley, built in the 1970s, still relies on many analog controls, keeping it isolated from the threats of the digital universe, Young said. But an aging generation of nuclear plants is finding it harder to replace analog equipment as it wears out, increasingly exposing them to the digital world, Lochbaum said. They also have to be wary of flash drives, laptops and other digital connections that workers can bring into plants, opening holes and exposing the plants' systems to outside threats, experts said.
“It's a matter of time before someone gets in and something happens,” Marks said. “My concern lies mostly with what the event will be. At the beginning, it's going to be closer to Homer Simpson than it is to Three Mile Island.”
Timothy Puko is a staff writer for Trib Total Media. Reach him at 412-320-7991 or firstname.lastname@example.org. Staff writer Andrew Conte contributed to this report.