Answers Sought on Alabama
Plant Shutdown
WASHINGTON (AP) - An overloaded computer network shut down a
nuclear reactor in Alabama last year, and even nine months
later, regulators cannot pinpoint the source of the failure.
The incident occurred last August at the Tennessee Valley Authority's Browns Ferry plant. Since the Sept. 11 strikes, Congress has been concerned that utilities and other high-risk facilities might be vulnerable to cyberattacks because of their reliance on computer networks to control operations.
The Nuclear Regulatory Commission says the computer malfunction did not threaten plant safety. Regulators are confident an outside hacker was not responsible.
Nonetheless, the House Homeland Security Committee this week urged a broader investigation. The chairman, Rep. Bennie Thompson, D-Miss., says there are too many unanswered questions.
"We need to know whether instances like this are internal or external, and to what extent we are going to deal with them," Thompson said in an interview. "For the NRC to rely on the operator's explanation of what happened ... does not go far enough."
Earlier this week, the NRC gave final approval for the TVA to restart a third reactor at Browns Ferry that had been shut down for 22 years due to concerns about safety and management.
Browns Ferry in rural Alabama, about 95 miles north of Birmingham, once was the nation's largest nuclear power plant.
In a report last month, the commission said TVA officials shut down the Unit 3 reactor after "excessive traffic" on the computer network caused recirculation pumps to fail, creating a potentially unstable condition.
The TVA has not determined the source of the data overload. The commission said the utility reacted appropriately and has addressed the problem by installing new "firewalls" to better control computer traffic.
NRC and TVA officials said the Browns Ferry network involved is an internal-only network and - when operated as designed - cannot accept data from outside sources. TVA spokesman Terry Johnson said the utility believes an unexplained glitch may have caused the failure.
Officials, however, would not rule out the possibility that someone could penetrate the network from outside.
"We have reasonable assurance that there is no external access to this system," said Eva Brown, the NRC's project manager at Browns Ferry. "We did an independent assessment to convince ourselves that (TVA's) conclusions were acceptable, and there was no evidence of an external source."
NRC spokesman Scott Burnell said the agency's public notice on the incident should serve to warn other operators of the potential problem, although the commission is not requiring any action.
Joe Weiss, managing partner at Applied Control Solutions and an expert on industrial computer security, said he doubts that anyone intentionally caused the Browns Ferry network to fail. But the outage raises concerns, he said.
"The whole area of cybersecurity in industrial facilities is effectively in its infancy," Weiss said. "There needs to be a greater appreciation within the nuclear community that these systems truly are connected."
Since the Sept. 11 attacks, security experts have warned of vulnerabilities in the computer networks of the nation's "critical infrastructure," including emergency response agencies, electricity providers and water treatment plants.
A 2005 report from the Environmental Protection Agency's inspector general, for example, found that water utilities had installed computer-based remote controls "with little attention paid to security," leaving valves, pumps and chemical mixers open to cyberattack.
In 2003, a computer virus temporarily disabled the safety monitoring system at the Davis-Besse nuclear station in Ohio, even though the utility thought the network was protected from such a breach.
___
Associated Press writer Ted Bridis contributed to this report.
___
On the Net:
Nuclear Regulatory Commission: http://www.nrc.gov
Tennessee Valley Authority: http://www.tva.gov
The incident occurred last August at the Tennessee Valley Authority's Browns Ferry plant. Since the Sept. 11 strikes, Congress has been concerned that utilities and other high-risk facilities might be vulnerable to cyberattacks because of their reliance on computer networks to control operations.
The Nuclear Regulatory Commission says the computer malfunction did not threaten plant safety. Regulators are confident an outside hacker was not responsible.
Nonetheless, the House Homeland Security Committee this week urged a broader investigation. The chairman, Rep. Bennie Thompson, D-Miss., says there are too many unanswered questions.
"We need to know whether instances like this are internal or external, and to what extent we are going to deal with them," Thompson said in an interview. "For the NRC to rely on the operator's explanation of what happened ... does not go far enough."
Earlier this week, the NRC gave final approval for the TVA to restart a third reactor at Browns Ferry that had been shut down for 22 years due to concerns about safety and management.
Browns Ferry in rural Alabama, about 95 miles north of Birmingham, once was the nation's largest nuclear power plant.
In a report last month, the commission said TVA officials shut down the Unit 3 reactor after "excessive traffic" on the computer network caused recirculation pumps to fail, creating a potentially unstable condition.
The TVA has not determined the source of the data overload. The commission said the utility reacted appropriately and has addressed the problem by installing new "firewalls" to better control computer traffic.
NRC and TVA officials said the Browns Ferry network involved is an internal-only network and - when operated as designed - cannot accept data from outside sources. TVA spokesman Terry Johnson said the utility believes an unexplained glitch may have caused the failure.
Officials, however, would not rule out the possibility that someone could penetrate the network from outside.
"We have reasonable assurance that there is no external access to this system," said Eva Brown, the NRC's project manager at Browns Ferry. "We did an independent assessment to convince ourselves that (TVA's) conclusions were acceptable, and there was no evidence of an external source."
NRC spokesman Scott Burnell said the agency's public notice on the incident should serve to warn other operators of the potential problem, although the commission is not requiring any action.
Joe Weiss, managing partner at Applied Control Solutions and an expert on industrial computer security, said he doubts that anyone intentionally caused the Browns Ferry network to fail. But the outage raises concerns, he said.
"The whole area of cybersecurity in industrial facilities is effectively in its infancy," Weiss said. "There needs to be a greater appreciation within the nuclear community that these systems truly are connected."
Since the Sept. 11 attacks, security experts have warned of vulnerabilities in the computer networks of the nation's "critical infrastructure," including emergency response agencies, electricity providers and water treatment plants.
A 2005 report from the Environmental Protection Agency's inspector general, for example, found that water utilities had installed computer-based remote controls "with little attention paid to security," leaving valves, pumps and chemical mixers open to cyberattack.
In 2003, a computer virus temporarily disabled the safety monitoring system at the Davis-Besse nuclear station in Ohio, even though the utility thought the network was protected from such a breach.
___
Associated Press writer Ted Bridis contributed to this report.
___
On the Net:
Nuclear Regulatory Commission: http://www.nrc.gov
Tennessee Valley Authority: http://www.tva.gov
Copyright ©2007 Associated Press. All
rights reserved. To subscribe or visit go to:
http://www.omaha.com