About Xcel Energy

Xcel Energy Inc. is a utility holding company based in Minneapolis, Minnesota, serving more than 3.3 million electric customers and 1.8 million natural gas customers in Minnesota, Michigan, Wisconsin, North Dakota, South Dakota, Colorado, Texas and New Mexico in 2017.

For more information, visit xcelenergy.com.

NetSPI Solutions: Penetration Testing as a Service (PTaaS)

Industry: Utilities

Employee Count: 10k-50k

Headquarters: Minnesota, United States

Nuclear power plants generate a significant percentage of the nation’s energy. They also present a tempting target for a number of groups intent on launching cyber attacks. Terrorists may seek to damage the nation’s critical infrastructure. Criminals may attack plant systems to extort money. Spies for other countries may use cyber tools as part of their espionage activities. Hackers may try to break into networks and systems for bragging rights. Disgruntled insiders, who could be employees or contractors, could use their specialized knowledge to cause damage to a system or to steal data.

In operating such plants, it is critical for utilities to understand and mitigate the risks that can lead to a limiting condition for operation (LCO) or a total shutdown, or even contribute to catastrophic events. That’s why regulatory compliance, IT security, and risk management are top priorities for Xcel Energy Nuclear (formerly NMC). They turned to NetSPI for help with these critical jobs.

Xcel Energy Nuclear, a company with a big responsibility

Formed in 1999, Xcel Energy Nuclear originally provided operations, management, computing, and engineering support and services to nuclear power plants owned by several utilities in the Upper Midwest. Today, it operates nuclear power plants in Minnesota for owner-utility Xcel Energy. An expert in nuclear power operations, the company strives to be at the forefront of compliance, risk management, and information security. Since 2002, NetSPI has been a key partner of Xcel Energy Nuclear through ongoing security assessments and development of its cyber security program. Through this relationship with NetSPI, the company has been able to reduce its operational risk and ensure regulatory compliance.

NEI 04-04, cyber threats, network architecture

The Nuclear Energy Institute’s NEI 04-04 establishes requirements for a risk-informed, performance-based cyber security program at nuclear power reactors. NetSPI helped Xcel Energy Nuclear plan its assessment of risks to plant assets and also helped conduct a pilot assessment, working alongside company personnel from the plants.

More broadly, NetSPI looked at all the regulatory requirements for the plants operated by the company and produced a roadmap detailing what was needed to ensure compliance with these requirements in a reasonable time frame. This effort produced a program charter for the company’s information security efforts, as well as detailed policies and procedures to make the charter a living part of daily operations. For example, NetSPI helped the company to identify various cyber threats, determine the impact these threats could have on plant and corporate operations, and specify the company’s response, including under what circumstances outside verification of an incident would be called for.

In addition, NetSPI examined the company’s network architecture, especially its network segmentation, data flow, and security controls. One objective was to ensure the separation of business applications from plant systems, to prevent a problem with an office application from affecting the critical plant process systems and networks.

Vulnerability assessments

Paralleling the initiative to establish a program charter and develop policies and procedures, NetSPI also conducted several assessment efforts for Xcel Energy Nuclear. These included a series of corporate-level and plant-level vulnerability assessments that addressed the security of networks, servers, and applications. In a project for one plant, NetSPI performed a test to detect unauthorized wireless access points (APs).

NetSPI also assisted two company-operated plants by assessing the security of their Plant Process Computer Systems (PPCS). These systems provide critical data to reactor operators, and the integrity and availability of that data are of paramount importance to the operation of the plant. NetSPI evaluated PPCS networks, systems, and applications for vulnerabilities, and it made recommendations that helped Xcel Energy Nuclear reduce the risk to these crucial systems and protect efficient plant operations.

What Xcel Energy has to say about NetSPI

Rick Schuster, Manager of Distribution Architecture for Xcel Energy Nuclear, explained how NetSPI has helped:

NetSPI has excelled at interpreting regulations and applying them at our nuclear plants. NetSPI consultants understand nuclear plant operations and their IT security risks. They work with both the IT and the nuclear operations groups to understand the overall risk and compliance posture of the organization. Their recommendations are based on extensive knowledge of nuclear operations, and that gives us confidence in our operational integrity. In addition, NetSPI has been a key resource assisting with our efforts to comply with NEI 04-04, NRC directives, and other regulations.

Gregory Morris, a Senior Analyst Engineer at Xcel’s Prairie Island nuclear plant, described NetSPI’s contribution this way:

NetSPI came to Xcel Energy Nuclear with the expertise that was needed to review and develop the NEI 04-04 program, and to secure our Emergency Response and Control Systems (ERCS). The process was a true partnership that brought together plant operations, corporate IT, and management to evaluate risk, compliance, and security. Not only were their deliverables helpful and pragmatic, but their experience helped our team learn about information security, risk analysis, and compliance, which are crucial to our future.

NetSPI and nuclear power

With its extensive nuclear experience, NetSPI has worked to interpret regulations and develop programs to meet the requirements of NEI, NRC, and other regulatory bodies, while working to ensure optimal operational functionality at nuclear generating plants. The firm’s experience across the utility industry has equipped NetSPI with the knowledge and processes needed to design effective, secure, and compliant programs.