Cybersecurity and the NRC: A Primer for Radioactive Materials Licensees | Morgan Lewis – Up & Atom

As is clear from recent news reports, cybersecurity hacks and breaches have been trending upward for some time, and there has been a noticeable uptick over the last several months—including in the energy industry. As a result, President Joseph Biden has committed his administration, in large part through the American Jobs Plan and his executive order of May 12, to strengthen cybersecurity across the nation.

Notably, the American Jobs Plan makes $20 billion in energy infrastructure investments contingent on cybermodernization, and the executive order creates a “playbook” in an effort to harmonize the federal response to cyberincidents. But what controls are in place for the nuclear industry, including commercial users of radioactive materials, and which agency has jurisdiction over such matters? We address these issues briefly here.


The NRC’s jurisdiction over and regulation of cybersecurity for power reactor (nuclear power plant) licensees is well established and well documented. Following the attacks of September 11, 2001, the NRC began evaluating cyberrisks and the need for associated protections at nuclear power plants. These efforts resulted in 10 CFR § 73.54, Protection of Digital Computer and Communication Systems and Networks, finalized in 2009, and the subsequent Regulatory Guide 5.71, designed to advise licensees on how to meet the regulatory requirements. But cybersecurity controls for radioactive material users are less straightforward. Nevertheless, as described below, several federal agencies, including the NRC and the Food and Drug Administration (FDA), have been active in this space over the last several years.


In 2012, the NRC identified a need to evaluate cybersecurity threats for radioactive materials licensees in SECY-12-0088. To accomplish that goal, in July 2013, the NRC established the Byproduct Materials Cyber Security Working Group (the Working Group), whose goal was to identify cybersecurity vulnerabilities among certain users of “risk-significant radioactive materials” to determine if the NRC should initiate any regulatory action to address…