Amid growing concern about cyber attacks
on America’s infrastructure, Westinghouse Electric Corp. on Wednesday
signed an agreement with an Intel Corp. subsidiary to provide
cybersecurity software to nuclear power plant control systems around the
world.
The agreement with McAfee Inc. means
Westinghouse will offer systems to new and existing nuclear power
plants, whether designed by Cranberry-based Westinghouse or a
competitor. The companies did not disclose terms of their deal.
Large-scale systems — known as supervisory control and data acquisition, or SCADA, systems — are critical to operation of facilities from water treatment plants to banks to power plants.
“But SCADA systems themselves have been
very vulnerable to cyber attacks, such as denial of service or just
about anything else you can do,” said E. Douglas Harris, executive
director of the CyberSecurity and Emergency Preparedness Institute at
the University of Texas, Dallas.
The government worked with the nuclear energy
industry to make power plants “less vulnerable than other places,” he
said, and they are safer than most industrial sites. “But there’s no
perfect SCADA system that people can’t eventually break through,” said
Harris. “The cyber criminals and cyber terrorists can always find a
way.”
The United States is home to 104 nuclear
power plants, including 62 designed by Westinghouse or affiliate
Combustion Engineering.
Most of them employ digital technology, which
McAfee’s software serves, to control some or all systems, said a
Westinghouse official.
Westinghouse digital instrumentation and
control systems met Nuclear Regulatory Commission guidelines but this
agreement “enables Westinghouse to now offer attack detection and
prevention capabilities from an industry-leading cybersecurity company
that our customers recognize and trust,” said David Howell, senior vice
president of Westinghouse Nuclear Automation.
About 45 percent of the world’s 440 nuclear
reactors are Westinghouse designs. The company employs about 14,000
people, including about 6,000 in Western Pennsylvania, mostly at its
headquarters.
A year after the Sept. 11, 2001, attacks, the
NRC ordered power plants to enhance defenses against cyber attacks. By
early 2007, the commission’s guidelines included specific requirements
for digital instrumentation and controls. It finalized comprehensive
guidelines in early 2010.
“It is a basic feature of nuclear power plants
that systems that control the reactor are isolated from the outside
world,” said commission spokesman Scott Burnell.
“But that being said, we have
cybersecurity requirements today that take into account that there are
other parts of the grid and the control systems for the grid that have
to be protected against cyber attack.”
The McAfee systems detect and prevent cyber
attacks on digital control systems that a saboteur launches directly
from inside a plant or through corporate network connection from the
outside.
Cyber attacks recently hit several high-profile corporations, including Pittsburgh’s biggest bank.
PNC Bank’s online banking systems were
overwhelmed on Sept. 26 and 27 with a “denial of service” cyber attack
that froze customers out of accounts. On Wednesday, Barnes & Noble
Inc. said someone bugged card payment devices in 63 stores, including
two in the Pittsburgh area.
FirstEnergy Corp. operates two Westinghouse
nuclear reactors at its Beaver Valley plant in Shippingport and two
nuclear reactors in northern Ohio. All run on older analog, not digital,
technology and are protected against cyber attack, said Jennifer Young,
a utility spokeswoman.
She said if FirstEnergy upgrades the plants to
digital, “cybersecurity would be an important consideration in
selecting that system.”