Vermont Yankee receives stay for cybersecurity

VERNON — Vermont Yankee administrators are getting a 19-month extension to finish security upgrades designed to prevent cyberattacks.

The federal Nuclear Regulatory Commission has decided that plant owner Entergy does not have to meet a cybersecurity deadline that had been set for this month. The new completion date is July 31, 2019.

Entergy's extension request is reasonable, federal regulators said, because there are reduced accident risks and attack targets at the shutdown plant.

Officials also noted that Entergy already has completed many required cybersecurity upgrades at Vermont Yankee.

"This completed work ensures that the most risk-significant and security critical digital assets remain secure," NRC spokesman Neil Sheehan said.

The NRC took a closer look at "a wide array of security concerns," after the terror attacks Sept. 11, 2001, Sheehan said. That included computer-related threats at nuclear plants.

The commission issued orders aimed at bolstering cybersecurity in the wake of the attacks, then formalized and expanded those with new rules in 2009.

The goal is to provide stronger protection for what the NRC calls "critical digital assets" at nuclear plants nationwide. That label covers all "systems that perform safety, security and emergency-preparedness functions," as well as equipment that supports or could adversely affect those systems, Sheehan said.

But Vermont Yankee shut down at the end of 2014, and its security and emergency-preparedness infrastructure has been shrinking since then.

For example, the plant's 10-mile emergency-planning zone was eliminated in spring 2016. And state officials recently approved a dramatic downsizing of Vermont Yankee's high-security "protected area."

In a similar vein, administrators say the plant also doesn't require as many cybersecurity measures as other, still-operating nuclear plants do.

Documents that Entergy filed with the NRC earlier this year say Vermont Yankee staffers have been implementing the government's cybersecurity changes.

That includes isolating critical digital assets from external networks and maintaining "stringent control" of any portable media or mobile devices that might connect to important plant systems.

Vermont Yankee also has instituted cybersecurity training and incident response procedures, the documents say.

But administrators requested a delay in finishing their cybersecurity work, saying it is "not considered a prudent use of (plant) resources" at this point.

That's in part because of the 2014 shutdown. "The reduction in the number of digital computers and communication systems and networks has reduced the number of pathways for a cyberattack during decommissioning," administrators wrote.

The status of the plant's radioactive spent fuel is another factor. Plant officials say the fuel has cooled to a point where the risk of fire, accident and radiological release is "significantly lower."

They also point out that all of Vermont Yankee's spent fuel is expected to be transferred to sealed casks in 2018. Finishing that fuel move will allow another downsizing of staff and active systems at the plant.

Vermont officials have battled with the NRC and Entergy on several decommissioning-related issues. But in a letter to the NRC last month, state Public Service Department Commissioner June Tierney said she had "no technical objections" to delaying completion of cybersecurity upgrades at Vermont Yankee.

Tierney agreed that Entergy's proposed extension to July 2019 "does not represent a significant safety concern." She also noted that the state's nuclear engineer is often at the plant site.

"The department has firsthand knowledge on the Vermont Yankee cybersecurity plan's implementation, and more importantly, how seriously Vermont Yankee staff takes cybersecurity concerns," Tierney wrote.

The newly approved 2019 deadline for finishing cybersecurity projects at Vermont Yankee may extend beyond Entergy's ownership. The company wants to sell the plant to New York-based NorthStar Group Services, which is proposing an accelerated decommissioning project.

If that happens, Sheehan said, "NorthStar would become the new license-holder of record and would therefore be responsible for full implementation of the cybersecurity requirements."

Mike Faher can be contacted at


If you'd like to leave a comment (or a tip or a question) about this story with the editors, please email us. We also welcome letters to the editor for publication; you can do that by filling out our letters form and submitting it to the newsroom.

Powered by Creative Circle Media Solutions