On January 16, a movie called Blackhat will open nationwide. The movie is an international cyber thriller where a plan to disrupt the global banking system can only be stopped by a team of uniquely qualified American and Chinese partners. The movie trailer includes scenes involving a nuclear power plant.
While movies can be very entertaining, it’s important to remember the types of protections in place at Columbia Generating Station and other U.S. commercial nuclear power plants. These include:
Columbia’s critical digital infrastructure, in accordance with federal law, incorporates multiple defensive tiers that provide the greatest protection for digital equipment that can impact systems related to Safety, Security and Emergency Preparedness. The tiers are implemented with an emphasis on network isolation and one-way data transmission configurations that protect key equipment from manipulation by outside parties.
Even the best network security and isolation can be circumvented by individuals who use USB drives and laptops to connect to plant equipment. These devices have the ability to introduce malicious software and compromise plant systems directly as a part of routine maintenance and equipment operations. Columbia implemented a broad set of controls that include antivirus scanning, laptop hardening, usage restrictions and positive control for all of the authorized devices.
A third layer of protection is the configuration of the devices themselves. Columbia is currently undergoing an extensive assessment of installed plant equipment to identify the current security baseline and develop actions to remedy any gaps identified. Implementing a secure configuration for each digital device provides defense-in-depth that can protect the digital device if malicious software were injected into the system.
Network, laptop and device configurations are all dependent on one common interface – people. The success of all of these efforts relies on conscientious individuals understanding the importance of cyber security and their role in helping to implement and maintain secure plant systems. Columbia includes cyber security training through the initial and annual general employee training process so that all security badged individuals have a fundamental understanding of the overall requirements. Additionally, training was provided last summer to the Engineering department on the impacts to the design and oversight of digital equipment; and Maintenance is receiving portable media training in the biannual block training ahead of the refueling outage in May.
Tying all of these efforts together is a comprehensive set of policies and procedures that ensure the protections for digital equipment are incorporated in the full life-cycle of a digital component, including design, procurement, installation, maintenance and retirement.
This holistic approach to protecting digital devices provides a secure environment to safely operate digital equipment. But security ultimately rests in the hands of each individual following the procedures, internalizing the training and interacting with digital devices using safe behaviors. Together we can protect the future of Columbia and help our community understand that the performance of Columbia is safe and reliable – even in a digital age.
(Posted by Dean Kovacs, Energy Northwest Information Services)