Scientists Fear Cyber-Security Reduction Could Make San Onofre A Target for Hackers

NBC 7 Investigates found the plant’s operators and regulators approved a plan to remove the closed-power plant’s enhanced cyber-security systems in place.

With reports of American power plants across the country having their systems accessed by hackers, one group of scientists are calling out the Nuclear Regulatory Commission (NRC) and Southern California Edison for their recent decision to remove enhanced cyber-security systems at the San Onofre Nuclear Generating Station.

“It defies logic and it's not technically sound,” Dr. Edwin Lyman, a Nuclear Scientist with the Union of Concerned Scientists told NBC 7 Investigates.

Scientists like Lyman point to a report released just last week as evidence for power plant operators to take cyber-security more seriously, even at closed power plants like San Onofre. 

“Spent fuel remains dangerous, as long as it’s at the plant it has to be protected,” Lyman said, “Cyber-security is an essential element of that protection.”

NBC 7 Investigates has learned San Onofre is moving forward with removing current cyber-security systems in place.

The process started last year when Southern California Edison, the company that owns San Onofre, wrote the NRC asking to "terminate the SONG's Cyber Security Plan."

NRC staff reports show regulators agreed with Edison's assessment on removing cyber-security and approved their request, saying spent fuel at the plant is less of a risk and the "consequences of a cyber-attack" on the plant are now "much lower."

A spokesperson for Southern California Edison told NBC 7 Investigates the cyber-security reduction does not reduce safety since the plant still has armed security on-site.

“San Onofre, like the rest of nation’s nuclear power plants, has been well protected from possible cyber threats,” Southern California Edison spokesperson Maureen Brown said in an email to NBC 7 Investigates, “It is designed as an island of operation that is disconnected from the Internet and external networks except for limited applications that are well controlled.”

To read more of Southern California Edison’s statement, click here.

“There are a wide range of ways that a cyber-attacker could influence and assist in an eventual physical attack on the plant and that’s what I worry about most,” Lyman said.

Some of those ways include viruses or phishing attacks sent to security personnel by email. This was how hackers reportedly tried to compromise a Kansas power plant's systems last year. 

Other fears Lyman and his fellow scientists have include hackers gaining access to the plant's electronic locks, alarms, or their ability to jam communications, preventing security warnings of a physical attack.

Lyman believes So-Cal-Edison and the NRC are prioritizing costs over safety with the cyber-security reduction.

According to a 2017 congressional research report, companies that own U-S nuclear power plants are facing severe financial pressure, caused by growing supplies of renewable energy, low-cost natural gas and stagnant electricity demand.  

The NRC told us So-Cal-Edison's removal of the current cyber-security systems "is consistent with maintaining adequate protection of the public health and safety and the common defense and security." 

To read all of the NRC’s answers to our questions, click here.  

“You must consider the possibility for a physical attack on a nuclear power plant,” Lyman said, fearing a cyber-attack, coordinated with a physical attack, could be disastrous. 

The NRC says if attackers attempted to sabotage the plant and cause a nuclear meltdown, workers would have about 10 hours to intervene and prevent this from happening. That 10-hour "cushion" is one major reason why the NRC allowed Southern California Edison to drop their cyber-security program.

Contact Us