PLYMOUTH — Despite reports of hackers attempting to breach networks connected to U.S. nuclear power stations, one of the nation’s worst performers is looking for a pass from federal cybersecurity requirements.
Pilgrim Nuclear Power Station hopes to skate through its final year and a half of operation without all required cybersecurity measures in place. Entergy Corp., the plant’s owner and operator, submitted a request in March to push out the December 2017 deadline for completion of federal cybersecurity requirements to December 2020.
Operations are set to cease at Pilgrim June 1, 2019, so the requirement would never have to be met.
Currently the plant is classified by the Nuclear Regulatory Commission as one step above mandatory shutdown, based on its poor performance. Only three of the nation’s fleet of 100 commercial nuclear plants are currently in that performance category.
The recent advisory of hacking attempts from the Department of Homeland Security and the FBI, coupled with Pilgrim’s request for an extension on cybersecurity requirements, has caused concern among Pilgrim watchdogs.
“Planning to close Pilgrim in two years should not release Entergy from being accountable for mandated public safety upgrades,” said Diane Turco, president of the Cape Downwinders citizens group. “But the NRC has already granted them other extensions.”
The extension request is still under review by the Nuclear Regulatory Commission, but based on past history it will likely be granted. The agency first granted Entergy an extension in 2014, then a second extension in 2016.
“I think what is totally beyond the pale is that the NRC spent time on cybersecurity, on the problems and on what we should do, and then they give Pilgrim a pass,” said Mary Lampert, president of the citizens group Pilgrim Watch.
The 9/11 terrorist attacks prompted the Nuclear Regulatory Commission to take a close look at physical and cybersecurity at the nation’s nuclear power plants. After enacting some initial regulations that beefed up protections, the agency published a cybersecurity rule in 2009.
Those regulations include requirements to ensure that the functions of digital computers, communication systems and networks associated with safety and emergency preparedness at the plants are protected from cyberattacks.
Compliance was laid out in two phases. The first phase, which was completed in 2012, involved implementation of controls to protect a plant’s most important digital assets. The second phase, to be completed by the end of this year, entails full implementation of all the changes that were required. Pilgrim has completed the first seven “milestones” of the cyber security plan, but it has not yet completed the final milestone.
That final milestone includes additional cyber controls, cybersecurity training for employees, incident response drills and testing, according to NRC spokesman Neil Sheehan.
“Because it is has already achieved milestones 1 to 7, Pilgrim differs little from other U.S. nuclear power plants, with the bulk of the cybersecurity upgrades already in place,” Sheehan said.
He added his agency requires notification of any cyber event that affects critical systems, and it has received no such reports from any of its plants to date.
Sean Mullin, co-chairman of the Pilgrim Nuclear Decommissioning Citizens Advisory Panel, said he hopes the group will sit down with Entergy in the next couple months to discuss what the company is doing about these attempts at cyber inroads.
Mullin stressed all reports to date show hacking has been related to the business side of energy-producing companies.
“What people need to understand is that the attempts to penetrate are very similar to attempts on home computers,” Mullin said. “There’s no evidence that I have seen that they’ve breached the operational side.
“The central question is whether such attempts can be ramped up and used on the operational side.”
Entergy spokesman Patrick O’Brien emailed the following statement: “Pilgrim is seeking a change in the schedule for implementation of the final cybersecurity milestone, which is consistent with other nuclear plants preparing for near-term decommissioning. Pilgrim is currently scheduled to permanently shut down in 2019. We will not have any additional comments on this issue at this time,” he wrote.
David Lochbaum, director of the Nuclear Safety Program for the Union of Concerned Scientists, said the segregation of systems at nuclear power plants provides some protection.
“Their computer systems control non-safety equipment,” Lochbaum wrote. “True, hackers could cause a nuclear plant to shut down unexpectedly, but the safety systems are designed to automatically step in and perform the necessary cooling functions.
“Few control systems for emergency equipment are digital and therefore they are not susceptible to computer hacking,” Lochbaum added.