The Nuclear Regulatory Commission said safety was not compromised at the Davis-Besse nuclear power plant along Lake Erie in Ohio, partly because the plant was shut down in February 2002 after workers found a hole in the 6-inch-thick steel cap covering the plant's reactor vessel.
The two computer systems affected by the widespread "Slammer" Internet disruption in January are regularly used by plant operators for monitoring pressure and temperature during accidents, but they are not formally considered safety equipment, NRC spokesman Matthew Chiramal said.
In an information notice disclosed Tuesday, the commission urged operators of the nation's 103 nuclear plants to take steps to prevent similar problems. The government did not make these steps mandatory although outside computer experts said the recommendations were common sense.
"They're supposed to take something like this pretty seriously," Chiramal said. "If they have something like this, they should go ahead and fix it."
The NRC also said it published its recommendations nearly nine months after the incident because the plant's operator, FirstEnergy Nuclear, only recently acknowledged the disruptive effects of the Slammer infection on its systems. A plant spokesman publicly confirmed the infection Aug. 20.
"We heard about it through the grapevine," Chiramal said.
The government said FirstEnergy Nuclear determined that a contractor had established an unprotected high-speed computer connection to its corporate network that allowed the "Slammer" infection to spread internally. The utility also had failed to install a corrective software patch from Microsoft Corp. that had been available since July 2002.
"Even with these failures the plant wasn't in violation of cybersecurity guidelines the NRC has in place. Those guidelines must be totally wrong," said Chris Wysopal of AtStake Inc., who will testify next week at a congressional hearing on defending computers against worms and viruses. "This just showed a lack of best practices."
The government last year ordered plant operators to monitor computer connections that bypass protective technology, such as firewalls. FirstEnergy told regulators that, although the order was sent to technology employees it was never forwarded to the plant's computer engineers.
FirstEnergy said last month it planned to significantly reduce its technology department, laying off 185 to 230 of its 1,000 technology workers. It said those employees were no longer needed because of new technology that made it more efficient and because of its $4.5 billion merger in 2001 with GPU Inc.
FirstEnergy Nuclear said that, in response to the infection, it was documenting all external connections to its computer network, installing additional protective software and instructing employees to be more diligent about patches.
The NRC said it requires all plant safety systems to be isolated from other parts of a company's computer network or be connected in limited ways that prevent disruptions from affecting them.
The attacking infection, alternately called "Slammer" or "Sapphire," never was traced. It scanned for victim computers so randomly and aggressively that it saturated many of the Internet largest data pipelines, slowing e-mail and Web surfing globally.
Disruptions shook popular perceptions that vital national services, including banking operations and 911 centers, were largely immune to such attacks. It interfered with computers at the nation's largest residential mortgage firm and briefly prevented many customers of Bank of America Corp., one of the largest U.S. banks, and some large Canadian banks from withdrawing money from automatic teller machines.
A report this summer by the North American Electric Reliability Council also described the Slammer infection blocking commands that operated some power utilities, although it caused no outages.