The Nuclear Regulatory Commission is facing a mass exodus of cybersecurity experts in the years ahead, which could limit its ability to ensure the nation’s nuclear power plants are safe from digital attacks, an internal watchdog found.
Nearly one-third of NRC’s cybersecurity inspectors will be eligible for retirement by the end of fiscal 2020, and agency officials worry they aren’t training enough people to take their place, according to the NRC Inspector General. With nuclear power stations becoming increasingly popular targets for online adversaries, the shortage of cyber expertise could leave the agency struggling to do its job, auditors said.
“If staffing levels and skill sets do not align with cybersecurity inspection workload requirements, NRC’s ability to adapt to a dynamic threat environment and detect problems with [nuclear power plants’] cyber security programs could be compromised,” they wrote in a recent report.
In 2009, the NRC started explicitly requiring nuclear power stations, most of which are privately owned, to defend their IT infrastructure against cyberattacks. Plants were expected to have the protections in place by the end of 2017, and the agency is in the midst of verifying facilities met the deadline.
As of March 31, NRC officials had inspected 24 of the 57 power plants under its jurisdiction. While assessments “generally provide reasonable assurance that nuclear power plant licensees adequately protect digital computers, communications systems and networks,” auditors said, the agency could be hindered if the NRC doesn’t ramp up its recruitment and training efforts.
The agency is actively training inspectors to evaluate cybersecurity protections but often those employees also have other responsibilities, like inspecting fire safety. As more inspectors retire, NRC will have to stretch its already limited resources even thinner, potentially limiting its ability “to manage cyber security risk,” auditors said.
The situation at NRC is a symptom of the government’s broader struggle to recruit tech and cyber talent amid an aging workforce.
The IG advised NRC to improve its process for addressing skill gaps and managing its workforce, leaning on practices laid out in its existing Strategic Workforce Planning initiative.
Auditors also urged the agency to include more performance testing in its cybersecurity inspections. While today’s inspections focus largely on compliance, collecting data on vulnerability assessments, patching frequency and software management could make the process more efficient and effective, auditors wrote.