Vermont Yankee administrators are getting a 19-month extension to finish security upgrades designed to prevent cyberattacks.
The federal Nuclear Regulatory Commission has decided that plant owner Entergy does not have to meet a cybersecurity deadline that had been set for this month. The new completion date is July 31, 2019.
Entergy’s extension request is reasonable, federal regulators said, because there are reduced accident risks and potential targets of attacks at the shutdown plant. Officials also noted that Entergy already has completed many required cybersecurity upgrades at Vermont Yankee.
โThis completed work ensures that the most risk-significant and security critical digital assets โฆ remain secure,โ NRC spokesman Neil Sheehan said.
The NRC took a closer look at โa wide array of security concernsโ after the terror attacks on Sept. 11, 2001, Sheehan said. That included computer-related threats at nuclear plants.
The commission issued orders aimed at bolstering cybersecurity in the wake of the attacks, then formalized and expanded those with new rules in 2009.
The goal is to provide stronger protection for what the NRC calls โcritical digital assetsโ at nuclear plants nationwide. That label covers all โsystems that perform safety, security and emergency-preparedness functions,โ as well as equipment that supports or could hinder those systems, Sheehan said.
But Vermont Yankee shut down at the end of 2014, and its security and emergency-preparedness infrastructure has been shrinking since then.
For example, the plant’s 10-mile emergency planning zone was eliminated in spring 2016. And state officials recently approved a dramatic downsizing of Vermont Yankee’s high-security โprotected area.โ
In a similar vein, administrators say the plant doesn’t require as many cybersecurity measures as operating nuclear plants do.
Documents that Entergy filed with the NRC earlier this year say Vermont Yankee staffers have been implementing the government’s cybersecurity changes. That work includes isolating critical digital assets from external networks and maintaining โstringent controlโ of any portable media or mobile devices that might connect to important plant systems.
Vermont Yankee also has instituted cybersecurity training and incident response procedures, the documents say.
But administrators requested a delay in finishing their cybersecurity work, saying it is โnot considered a prudent use of (plant) resourcesโ at this point.
That’s in part because of the 2014 shutdown. โThe reduction in the number of digital computers and communication systems and networks has reduced the number of pathways for a cyberattack during decommissioning,โ administrators wrote.
The status of the plant’s radioactive spent fuel is another factor. Plant officials say the fuel has cooled to a point where the risk of fire, accident and radiological release is โsignificantly lower.โ
They also point out that all of Vermont Yankee’s spent fuel is expected to be transferred to sealed casks in 2018. Finishing that fuel move will allow another downsizing of staff and active systems at the plant.
Vermont officials have battled with the NRC and Entergy on several decommissioning-related issues. But in a letter to the NRC last month, state Public Service Commissioner June Tierney said she had โno technical objectionsโ to delaying completion of cybersecurity upgrades at Vermont Yankee.
Tierney agreed that Entergy’s proposed extension to July 2019 โdoes not represent a significant safety concern.โ She also said the state’s nuclear engineer is often at the plant site.
โThe department has firsthand knowledge on the Vermont Yankee cybersecurity plan’s implementation, and more importantly, how seriously Vermont Yankee staff takes cybersecurity concerns,โ Tierney wrote.
The newly approved 2019 deadline for finishing cybersecurity projects at Vermont Yankee may extend beyond Entergy’s ownership. The company wants to sell the plant to New York-based NorthStar Group Services, which is proposing an accelerated decommissioning project.
If that happens, Sheehan said, โNorthStar would become the new license-holder of record and would therefore be responsible for full implementation of the cybersecurity requirements.โ
