WASHINGTON (May 14, 2015)—The Nuclear Regulatory Commission (NRC) has ruled that it can grant an operating license to a controversial Department of Energy (DOE) plutonium fuel processing plant without determining that the DOE’s cybersecurity program can adequately protect it from cyberattacks.
In its April 23 two-to-one decision, NRC commissioners rejected an appeal of a ruling by the agency’s Atomic Safety and Licensing Board (ASLB), which itself was split two to one. It was the final issue being litigated in a hearing contesting an operating license for the Mixed Oxide (MOX) Fuel Fabrication Facility, now under construction at the DOE’s Savannah River Site in South Carolina. The facility, whose mission is to convert plutonium from surplus nuclear weapons into commercial nuclear fuel, is years off schedule and is projected to cost tens of billions of dollars more than originally estimated.
The NRC decision, released publicly on May 7, approved an unorthodox approach proposed by the facility contractor, CB&I AREVA MOX Services (originally Shaw AREVA MOX Services) to track plutonium so plant operators can rapidly detect thefts. Instead of the traditional approach, where plant personnel would periodically retrieve and inspect cans containing plutonium to verify they are intact and stored properly, MOX Services would rely almost entirely on computer systems and data to provide that assurance. This approach would be particularly vulnerable to cyberattack because it relies excessively on computer systems and de-emphasizes using human observation to verify thefts.
“The NRC’s decision reflects an astonishing level of complacency about growing cyberthreats to our nation’s critical infrastructure,” said Edwin Lyman, a senior scientist at the Union of Concerned Scientists (UCS) and an expert witness during the ASLB proceeding. “It is tantamount to leaving a door wide open for hackers, terrorists and foreign governments to interfere with the computer systems that the MOX facility will rely on to detect stolen weapon-usable plutonium. Cyber intruders could exploit these vulnerabilities to facilitate or cover up plutonium thefts by falsifying accounting records and compromising security systems.”
The intervenors—the Blue Ridge Environmental Defense League, Nuclear Watch South and the Nuclear Information and Resource Service—testified that the NRC should reject this novel, untested approach. Barring that, the intervenors argued that NRC approval of the plan should be contingent on an NRC finding that the plant’s computer systems would have stringent protection against cyberattacks to ensure that plutonium inventory data could not be manipulated. The NRC rejected their arguments, upholding the ASLB ruling that the adequacy of MOX Services’ cybersecurity program was beyond the scope of the proceeding.
The ability to accurately account for plutonium in near-real time to the kilogram (kg) level is a crucial aspect of MOX plant operations, Lyman, a physicist, explained. At peak capacity, the plant will process as much as 3,500 kg of plutonium per year, while a terrorist would only need 8 kg for a bomb. If someone claimed to have built a nuclear bomb with plutonium stolen from the MOX plant, operators would want to know as quickly as possible whether or not the threat was credible. But trying to determine whether 8 kg were missing in a facility with hundreds of times that amount in storage is akin to finding a needle in a haystack unless there is a precise, robust and reliable accounting system. The accounting system and the data it contains also must be protected against manipulation.
However, the NRC claims that since it does not currently have regulations that address cybersecurity at fuel facilities such as the MOX plant, it is not legally required to ensure that the MOX plant’s cybersecurity protections are adequate.
“Even though the NRC doesn’t have regulations in place for cybersecurity at facilities like the MOX plant, it has the authority to require stringent cybersecurity protection measures as a condition for granting an operating license,” said Diane Curran, counsel for the intervenor groups. “Instead, a majority of the NRC commissioners chose to ignore the problem.”
In his dissent on the April 23 NRC ruling, Commissioner Jeff Baran apparently agreed with the intervenors’ position as well as the position of dissenting ASLB Judge Michal Farrar.
“MOX Services does not currently have a cybersecurity plan,” Baran wrote. “I find nothing in the record stating that either the [Atomic Safety and Licensing] Board or the NRC staff made a determination regarding the adequacy of cybersecurity at MOX Services’ facility.… I see no basis for finding that MOX Services’ proposed [material control and accounting] systems will satisfy” the NRC’s regulations.
Baran was outvoted by Commissioners Kristine Svinicki and William Ostendorff. Chairman Stephen Burns did not vote.
Baran’s concern about cybersecurity was no doubt influenced by the results of an NRC working group review of voluntary cybersecurity programs at NRC-regulated fuel cycle facilities, Lyman said. In a February 2015 dissent, in which Baran called for the NRC to issue “immediately effective” cybersecurity orders for fuel cycle facilities, he commented that “what the working group found is sobering” and “the current cybersecurity vulnerabilities present at fuel cycle facilities and the lack of agreement by licensees to voluntarily implement an adequate cybersecurity program … necessitates the issues of an order.” The details of what the working group found were not made public.
The MOX project has steadily lost supporters as its projected cost has skyrocketed and its completion date has slipped. The most recent external cost review, conducted by the Aerospace Corporation, estimated a lifecycle cost of the MOX program of about $52 billion to $115 billion (in constant dollars) and a completion date as late as FY 2100. The Obama administration has said the project is “unaffordable” and is studying less costly options, but the MOX facility’s supporters in Congress have compelled the DOE to continue construction. The Aerospace report also pointed to other factors that increase the level of project risk, including cybersecurity, citing “the potential for delays due to evolving cybersecurity regulations and the need to meet those requirements prior to certification.” The report also noted that “the heavy reliance by the [MOX facility] on software and automation makes this risk particularly problematic.”
“The Aerospace report confirms that the NRC’s foot-dragging approach to cybersecurity at the MOX plant is itself a threat to the viability of the project,” said Lyman. “The NRC is not doing the applicant any favors by allowing it to kick the cyber can down the road. In its casual dismissal of the urgent threat of cyberterrorism, it is out of step with virtually every other federal agency.”