The NRC’s MOX Decision: Out of Step on Cybersecurity

May 22, 2015
Ed Lyman
Director, Nuclear Power Safety

On April 1, President Obama declared that the increasing threat of cyberterrorism was a “national emergency.” White House cybersecurity coordinator Michael Daniel said, “We very much need the full range of tools across the spectrum in order to actually confront the cyber threats that we face.”

Given this warning, one might think that the U.S. government would not hesitate to utilize every tool at its disposal to protect the nation’s stockpile of weapon-usable plutonium from cyberattack-assisted thefts. Yet on April 23, the Nuclear Regulatory Commission (NRC) turned a deaf ear to the alarm sounded by the White House.

By a slim majority vote, the NRC upheld a deeply flawed approach for monitoring plutonium at the Mixed Oxide (MOX) Fuel Fabrication Facility, now under construction at the Savannah River Site in South Carolina by the Department of Energy (DOE).

The plan’s effectiveness depends critically on the integrity of the computer systems that carry out automated operations and collect data on the plutonium being processed. Yet the NRC approved the approach even though the plant applicant, CB&I Areva MOX Services, does not yet have a cybersecurity plan in place for protecting those systems from hackers. The NRC’s decision rests on the assumption that whatever plan MOX Services eventually comes up with—which could be many years from now—will be good enough.

Although the MOX plant, as a U.S. government-owned facility, would normally be exempt from NRC oversight, Congress gave the NRC the authority to license the MOX plant. The purpose of this action was to ensure that the plant would have an independent regulatory review, given the many safety and security lapses that have occurred at DOE facilities over the decades.

But the NRC asserts that it does not need to review a cybersecurity plan for the facility in order to grant an operating license because the NRC doesn’t currently require that fuel cycle facilities like the MOX plant be protected against cyberattacks. (It’s working on developing such requirements.) This laissez-faire approach to cybersecurity is not responsive to the White House call for use of the “full range of tools across the spectrum” to deal with the severity of the threat.

UCS has been providing expert assistance to local citizens’ groups that challenged the MOX plant licensing for more than a decade. Over the years, the groups have won some important concessions, including a commitment by MOX Services to improve its plan for plutonium monitoring.

But those changes don’t go far enough to offset the cyber vulnerabilities inherent in the system. If the MOX plant ever operates—a big “if,” given the financial and logistical challenges it faces—it will expose U.S. plutonium to an unacceptable risk of theft.

UCS released a statement last week condemning the NRC’s action and highlighting the thoughtful dissent of NRC commissioner Jeffrey Baran.