Although power plant regulations differ by plant type and region, they all share the same aim: to ensure the safety and security of the facility.
Power plants are heavily regulated because of their importance and their vulnerability. Regulations cover everything from worker safety to cybersecurity, and they vary depending on the type of power plant.
Nuclear power plants, for example, are held to higher standards than other plants, since the consequences of a breach, attack or failure are much greater. In the U.S., the Nuclear Regulatory Commission (NRC) is responsible for creating the regulations and requirements that keep nuclear plants secure. Security Management International (SMI) noted that after 9/11, the NRC added measures against airborne terrorist attacks and actions to reduce radiological release. On the cybersecurity side, the NRC requires that every nuclear plant submit a cybersecurity plan and an implementation schedule addressing the threats the plant could face.
The NRC is also required, under the Energy Policy Act of 2005, to conduct "force-on-force" exercises at each nuclear power plant every three years. SMI explained that these exercises involve a mock adversary attempting to reach critical areas of the plant and inflict as much damage as possible. In addition, the NRC requires that each nuclear plant maintain an emergency planning zone (EPZ) of roughly a 10-mile radius and hold emergency response exercises every two years, which are evaluated by the NRC and FEMA (the Federal Emergency Management Agency). Plants must also have plans in place for a 50-mile radius to limit ingestion of radioactively contaminated food and water.
The North American electric industry's primary security standard is NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection). This series of standards lays out mandatory requirements for both the cyber and the physical security of the bulk electric system. Although NERC CIP is a North American standard, other countries have adopted similar practices.
In the EU, the Directive on security of network and information systems (NIS Directive), the first EU-wide cybersecurity legislation, entered into force in August 2016. Michael Rothschild, Senior Director of Product Marketing at Indegy, explained that the directive establishes minimum security standards for operators of essential services such as the electrical grid. Though it chiefly applies to the EU, anyone dealing with the EU must also comply.
For power plants not obligated to comply with a national standard such as NERC CIP, Ernie Hayden, Founder and Principal of 443 Consulting, noted that they are encouraged to follow the United States National Institute of Standards and Technology (NIST) Cybersecurity Framework; however, this is entirely voluntary. Some power plants may also be encouraged, or even directed, to follow other security standards such as the ISA/IEC 62443 series from the International Society for Automation (ISA) for industrial automation and control systems.
When it comes to worker safety, the Occupational Safety and Health Administration (OSHA) in the U.S. sets health and safety requirements for power plants. For example, OSHA requires detector pumps for the airborne contaminants that can arise in different types of power plants. OSHA also encourages companies to build on the existing safety regulations and create additional company-specific policies, said Luke Bencie, Director, and Paige Morrison, Junior Associate, at Security Management International (SMI).
Unfortunately, a failure to implement the rules can lead to fatal incidents, such as the one in Tampa, Florida, in June 2017. SMI explained that Tampa Electric disregarded the rules during a maintenance job, resulting in the deaths of five workers. As a result, OSHA cited the company for a "willful violation," its most serious category of violation, and fined it more than US$100,000.
“Companies should be doing frequent hazard training with employees to ensure they are following the correct safety measures,” SMI advised.
It is also important to note that security standards are always evolving, because new threats keep emerging. Existing standards and regulations should therefore be treated as a minimum baseline: organizations should aim higher and work to stay ahead of future threats.