The NRC’s MOX Decision: Out of Step on Cybersecurity

, Director of Nuclear Power Safety, Climate & Energy | May 22, 2015, 4:00 pm EST
Bookmark and Share

On April 1, President Obama declared that the increasing threat of cyberterrorism was a “national emergency.” White House cybersecurity coordinator Michael Daniel said “We very much need the full range of tools across the spectrum in order to actually confront the cyber threats that we face.”

Given this warning, one might think that the U.S. government would not hesitate to utilize every tool at its disposal to protect the nation’s stockpile of weapon-usable plutonium from cyberattack-assisted thefts.  Yet on April 23, the Nuclear Regulatory Commission (NRC) turned a deaf ear to the alarm sounded by the White House.

By a slim majority vote, the NRC upheld a deeply flawed approach for monitoring plutonium at the Mixed Oxide (MOX) Fuel Fabrication Facility, now under construction at the Savannah River Site in South Carolina by the Department of Energy (DOE).

The plan’s effectiveness depends critically on the integrity of the computer systems that carry out automated operations and collect data on the plutonium being processed.  Yet the NRC approved the approach even though the plant applicant, CB&I Areva MOX Services, does not yet have a cybersecurity plan in place for protecting those systems from hackers.  The NRC’s decision rests on the assumption that whatever plan MOX Services eventually comes up with—which could be many years from now—will be good enough.

Although the MOX plant, as a U.S. government-owned facility, would normally be exempt from NRC oversight, Congress gave the NRC the authority to license the MOX plant. The purpose of this action was to ensure that the plant would have an independent regulatory review, given the many safety and security lapses that have occurred at DOE facilities over the decades.

But the NRC asserts that it does not need to review a cybersecurity plan for the facility in order to grant an operating license because the NRC doesn’t currently require that fuel cycle facilities like the MOX plant be protected against cyberattacks. (It’s working on developing such requirements.) This laissez-faire approach to cybersecurity is not responsive to the White House call for use of the “full range of tools across the spectrum” to deal with the severity of the threat.

UCS has been providing expert assistance to local citizens’ groups that challenged the MOX plant licensing for more than a decade.  Over the years, the groups have won some important concessions, including a commitment by MOX Services to improve its plan for plutonium monitoring.

But those changes don’t go far enough to offset the cyber vulnerabilities inherent in the system. If the MOX plant ever operates—a big “if,” given the financial and logistical challenges it faces—it will expose U.S. plutonium to an unacceptable risk of theft.

UCS released a statement last week condemning the NRC’s action and highlighting the thoughtful dissent of NRC commissioner Jeffrey Baran.

Posted in: Nuclear Terrorism Tags: , , , , , , ,

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

Show Comments

Comment Policy

UCS welcomes comments that foster civil conversation and debate. To help maintain a healthy, respectful discussion, please focus comments on the issues, topics, and facts at hand, and refrain from personal attacks. Posts that are commercial, self-promotional, obscene, rude, or disruptive will be removed.

Please note that comments are open for two weeks following each blog post. UCS respects your privacy and will not display, lend, or sell your email address for any reason.

  • NavyFlyer1325

    More of the same Imperial Doublespeak from the Obama Administration … par for the course. Why would we expect anything else from this man, his handlers, or his minions?