Just before sunrise on April 18 of last year, a San Onofre worker sent an anonymous message to the nuclear plant’s majority owner Southern California Edison. The worker said more than half of San Onofre’s employees were not up to date or had not completed the plant’s cyber security training. The training is designed to teach workers how to protect against cyber threats from hackers and hostile foreign governments.
The worker called the lapse “embarrassing.” He asked, “How can a required training, to access the protected area, not be taken by individuals for years, in multiple (virtually all) station organizations, at all levels of the organizational structure from individual contributors to directors? I know if I were auditing SONGS, this would be a major issue ….”
The anonymous warning prompted a San Onofre manager to take a closer look, according to documents leaked to KPBS. The manager found that the company’s cyber security training was overdue for 1,200 workers. He also discovered 15 senior managers, including Edison’s Chief Nuclear Officer Peter Dietrich and the staffer responsible for cyber security training -- Doug Bauder --were not up to date on the company’s training program, according to the documents. The manager wrote that four members of the nuclear plant’s emergency response organization were lagging in the training as well.
The manager concluded the training gap could make San Onofre more susceptible to cyber security breaches. It's not clear how large a risk because both Edison and federal regulators would not respond to specific concerns raised by insiders.
But cyber attacks can wreak havoc on a nuclear plant.
A plant like San Onofre contains about 1,000 times the long-life radioactivity of the Hiroshima bomb, according to UC Santa Cruz nuclear policy lecturer Daniel Hirsch. To keep the radioactivity inside the reactor, the fuel has to be cooled constantly by a computerized system of valves and pumps.
“A cyber attack on a nuclear facility can send spurious signals, opening valves that should be closed, dumping water that should remain and can potentially cause a meltdown that could result in many tens of thousands of cancers,” Hirsch said.
Cyber threats at nuclear plants are not just hypothetical. President Obama calls the cyber threat one of the most serious economic and national security challenges the nation faces.
“Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” President Obama said.
And U.S. intelligence officials have reportedly carried out cyber attacks against Iran’s nuclear enrichment facilities.
The Nuclear Regulatory Commission ordered cyber security training at U.S. nuclear plants as an upgrade after 9/11. But spokeswoman Lara Uselding refused to answer questions specifically about the concerns raised at San Onofre. The NRC began inspection this week of San Onofre's cyber security training, a check it called "routine."
Edison spokeswoman Jennifer Manfre called the allegation that workers were out of compliance “categorically false.” She said the plant’s personnel are in compliance with a set of cyber security guidelines that are put out by the Nuclear Energy Institute, a trade group and lobbying arm of the nuclear industry.
Manfre said San Onofre did have a “site-specific training requirement” but that Edison later concluded it was unnecessary.
“It was determined that the training was redundant. As a good solid business practice, it was removed,” she said.
She acknowledged that determination came only after San Onofre employees sent warnings that workers and management were out of compliance with the site specific training in April and May of last year.
Site-specific training refers to instruction that's tailored for employees at a certain nuclear power plant. Manfre's view that site specific training is unnecessary for San Onofre, in light of Edison's general training program, appears to conflict with statements from the NRC.
In a second request for comment to the NRC this week, spokesman Victor Dricks said nuclear plants must develop a "site-specific" cyber security plan with an implementation date. He said the full implementation date for San Onofre is the end of 2015.
Cyber security training has been an issue for some time at San Onofre.
According to inside documents, there were warnings dating back to 2008 of a “lack of cyber security awareness and compliance” with the San Onofre program.
The following year, San Onofre started to identify who should receive cyber security training, the documents said. In 2010, it was decided that all workers with access to San Onofre should undergo the training. But in 2011, according to internal records, there was again confusion over which workers should receive the training.
It was against this backdrop that in 2012 a manager found nearly half of the nuclear plant’s work force had fallen behind on the facility's cyber security instruction.
Given that history, nuclear policy lecturer Hirsch said Edison’s explanation that San Onofre’s cyber security program was unnecessary is inadequate.
“Edison decided this training was necessary,” said Hirsch, who also heads the Committee to Bridge the Gap, a non-profit organization focusing on nuclear safety and disarmament. “Edison failed to do the required training and when that was pointed out, rather than produce compliance, it simply decided to change the rules. If the program was redundant, that is something they should have known long ago but for four years they had it in place and required compliance and failed to comply.”
Compliance has been an issue for San Onofre in another area. Last year, KPBS reported that San Onofre had violated fire safety rules 250 times from 2009 through 2012 despite warnings from federal regulators. And the NRC received more safety complaints from San Onofre workers than from any other nuclear plant in the country from 2007 through 2011. The plant has the highest number of safety complaints so far this year.
San Onofre was closed last year after a tube inside a steam generator leaked radioactivity. The company wants to restart the facility at a lower capacity.
Scott Portzline of Three Mile Island Alert – a nonprofit citizens group that favors alternatives to nuclear power -- said cyber security is just as important as physical security at the plant.
“Cyber security represents thousands of ways into the plant and if any one of those ways is left unguarded, it could represent handing the keys to the kingdom over to the wrong people,” Portzline said.