NEI reports inadequacy in NRC cybersecurity rules

The Nuclear Energy Institute (NEI) reported on Oct. 8 that new rules adopted by the U.S. Nuclear Regulatory Commission (NRC) are not technically adequate in relation to regulation.

According to the NEI, the proposed rule assumes uniformity of risks across all nuclear fuel cycles. They state that the current level of regulation and voluntary actions of licensees are sufficient. They also note that different categories of fuel licenses require different regulation in the need for digital asset protection.

Fuel-cycle facilities are categorized with Category I licensees house the more strategic materials such as enriched plutonium and uranium. Lower categories have lower quantities and lesser materials including low-enriched uranium and uranium hexafluoride. Despite this, facilities in all categories are required to have the same level of digital asset protection.

“Before proceeding with a rulemaking, we believe the NRC must justify this significant change in its approach to security, ” NEI Vice President of Nuclear Operations Joseph Pollock said.

Facilities that fall under Categories II and III are considered to be unlikely targets of sabotage or cybernetic attack. Pollock also argues that digital assets would need greater protection measures than physical assets. The NEI suggests a thorough examination into the proposed rule before it is implemented.