Committee on Homeland Security chairman Bennie G. Thompson, D-Miss., and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology chairman James R. Langevin D-R.I., released a letter to Dale E. Klein, chairman of the Nuclear Regulatory Commission regarding what they called a cybersecurity incident at a U.S. nuclear power plant. They released the letter, which actually was sent May 14.
In the letter, Thompson and Langevin ask that Klein move to "institute comprehensive cybersecurity policies and procedures on safety and non-safety systems" at nuclear plant licensees.
The letter goes on to describe an incident they say occurred August 19, at the Brown's Ferry Unit 3 facility, which was manually shut down following the loss of both of the recirculation pumps. The plant is located in northern Alabama. Browns Ferry operates two nuclear generating units.
Thompson and Langevin said in the letter that plant personnel determined that the root cause of failure was related to "excessive traffic" on the plant's computer network. The licensee notified the Nuclear Regulatory Commission of the incident, and corrective actions were implemented, which included placing a firewall on the plant's integrated computer system network.
"In accord with current regulations, NRC staff decided against investigating the failure as a 'cybersecurity incident' because:
1.) The failing system was a 'non-safety' system rather than a 'safety' system, and
2.) It was determined by the licensee that the incident did not involve an external cyber attack on the system," Thompson and Langevin wrote.
They went on to say they have "deep reservations" about the regulatory commission's hesitation to investigate the incident. They added that the incident showed that a nonsafety system actually can affect the plant's safety.
Langevin and Thompson also pointed out in the letter that plant administrators couldn't determine whether the incident was caused by a network disruption within the plant or by an outside hacker.
"Conversations between the Homeland Security Committee staff and NRC representatives suggest that it is possible that this incident could have come from outside the plant," they wrote. "Unless and until the cause of the excessive network load can be explained, there is no way for either the licensee or the NRC to know that this was not an external distributed denial-of-service attack. Without a thorough, independent review of the logs and associated data, the assumption that this incident is not an outside attack is unjustifiable."
The congressmen went on to ask if the regulatory committee has determined the source of the "data storm" and if they plan to investigate it. They requested a written response to their letter by June 14.