Nebraska Public Power District officials are pushing back on a New York Times report that Russian hackers gained access to communications systems at the Cooper Nuclear Station near Brownville in 2017.
The June 15 story detailed a more aggressive approach toward combating an escalating series of cyberattacks from Russian state actors, including the Trump administration granting United States Cyber Command more authority to go on the offensive without requiring presidential approval.
The Times asserted that when Gen. Paul Nakasone took over at Cyber Command and the National Security Agency, both agencies were in the midst of an investigation into the purported hack at Cooper Nuclear Station, on the banks of the Missouri River, and the Wolf Creek Nuclear Operating Corp., 165 miles away in Burlington, Kansas.
"The hackers got into communications networks," the Times reported, "but never took over control systems."
On Wednesday, NPPD said there is no evidence of any intrusion into the Cooper Nuclear Station's computer systems, either its communications and business systems linked to other public power offices in the state, or the reactor control system, which is isolated and not connected to the internet.
"If there had been (an intrusion), we would have had to report that to the Nuclear Regulatory Commission," spokesman Mark Becker told the Journal Star. "We had nothing to report because we found nothing."
In a letter to employees on Monday, NPPD said its security team reached out to the Department of Homeland Security, the FBI, the Electricity Information Sharing and Analysis Center, and other agencies to ask about the alleged breach.
"All our government partners have assured us that if such a threat existed and had been validated by them, we would have been contacted," the letter states.
Becker said Wednesday NPPD had responded to questions from the Times in May, but that the story that appeared in Sunday's edition did not include that information.
An email between the newspaper and the public entity shared with the Journal Star indicates NPPD's response was cut from the story before it was published.
The Times said in the email to NPPD that it confirmed the accuracy of its reporting through an unnamed government official and that it stood by the story.
While NPPD cast doubt on the report of Russians gaining access to the Cooper Nuclear Station's communications network, Becker said attempted foreign-based cyberattacks against Nebraska power plants are not unusual.
"We continually see people knocking on the door, but they are not getting in," he said, adding NPPD is not always able to ascertain the origin of the attacks.
NPPD has taken several steps to upgrade the physical and cybersecurity of its power generation facilities across the state in recent years, including Cooper Nuclear Station.
The boiling water reactor, the largest single-unit electrical generator in the state and the only remaining nuclear power plant in Nebraska, came online in 1974 and was re-licensed by the Nuclear Regulatory Commission to continue operating through 2034.
As part of that re-licensing process, NPPD conducted "extensive upgrades" to the plant's security, in both physical and cyber infrastructure, as well as training for staff, according to Tom Kent, NPPD's chief operating officer.
"The nuclear industry in general, over the last decade, has implemented new standards and requirements to ensure we are providing adequate levels of protection to cyber assets," Kent said.
Along with adding new technology, NPPD and other entities that maintain nuclear plants have improved training programs and security processes "to harden those facilities against intrusions," he added.
Matt Wald, a spokesman at the Nuclear Energy Institute, said cybersecurity remains a priority for the remaining nuclear power plants, and the Nuclear Regulatory Commission reviews each facility's plan to prevent cyberattacks from occurring.
As is the case for Cooper Nuclear Station, the age of the nuclear power generating facility may be its greatest defense against digital intrusion. Most nuclear power plants in the U.S. predate the internet, and remaining unconnected from the World Wide Web is an effective security feature.
"They are not addressable from the internet; you cannot scan them from the internet," Wald said.
Reactors upgraded to be operated through digital control centers — like parts of Cooper Nuclear Station — remain intentionally isolated from the internet, per guidelines from the Nuclear Regulatory Commission. The process for installing new software on those systems requires a technician to be on site with a laptop computer or a flash drive, which gives nuclear facilities greater control over who has access to their systems.
Wald said hackers, state-sponsored or otherwise, may target power plants for purposes other than disrupting the electric grid, such as gaining access to an organization's communications, payroll or personnel files.
But attempting to access a nuclear reactor's operations through the internet, Wald said, is "like trying to hack your toaster."
Since the Times story was published over the weekend, Kent said NPPD has "spent a lot of time investigating to see if there was any truth" to the allegations it contained.
"We have found none," he said.
NPPD will continue its efforts to stay ahead of what Kent called "the bad actors" probing its facilities and other critical infrastructure looking for openings.
"It's a constant battle to stay ahead of them, and that's something we constantly look to improve," he said. "You can't stay stagnant in this world."