By Béla Lipták, PE, Columnist
In recent months I have written about the critical role that process control will play in converting our energy economy from an exhaustible to an inexhaustible one. In this series of articles, I will write about the role our profession will play during that transition, at a time when the planet seems to be drifting towards energy wars. The weapons of these wars will not be limited to biological weapons and “dirty” nuclear bombs; they will also include software viruses and worms that wage cyber warfare against our infrastructure and industry, including our nuclear power plants [1].
My goal with this series of articles is not to spread fear, but to describe the power of process control to protect us [2]. To illustrate my point, I have selected the nuclear power industry to show how this can be done. I made that selection because I want to deal with specific cases, and nuclear power plants are convenient for illustrating the weak links that exist in this area (Figure 1).
Later I will describe the causes of such accidents as Three Mile Island and Chernobyl. By the way, not many people realize that some 11 Chernobyl-type (RBMK) reactor blocks are still in operation in Russia (at Kursk, Smolensk, Leningrad, etc.), and one more is operating until 2009 outside Russia (the Ignalina 2 block in Lithuania). I will also discuss the causes of over 100 nuclear accidents of the past [3], plus the design and control configurations, including interlocks, that are used today, and I will describe the strategies by which process control can protect plants from both the common accidents and cyber attacks.
While past cyber attacks [4] have also hit other industrial targets, here I will concentrate on nuclear power plants, on their existing means of protection and on the changes needed to close the existing security loopholes. I will discuss the safety needs of all three processing operations: enrichment, power generation and waste disposal.
The grounds of the Davis-Besse nuclear power plant in Ohio are patrolled by armed guards and surrounded by a double row of tall, electronically monitored fences, as are those of all other nuclear power plants. Tall fences reduce the probability of somebody driving a truck full of explosives into the plant. Yet all of my readers know that fences do not protect against computer crashes, and armed guards do not protect against viruses and software worms.
Read Bela Liptak's six-part series "Process Controls Prevent Nuclear Disasters" to learn how process controls could have prevented past nuclear accidents and how they could improve the safety of the nuclear power industry. Visit www.controlglobal.com/liptaknuclear.html
On January 25, 2003, the Slammer worm penetrated the private computer network of Ohio's Davis-Besse nuclear power plant. The worm first infected the unsecured network of a contractor and squirmed its way from there into the Davis-Besse corporate business network. Because that network was connected to the plant's network over a link that bypassed the plant firewall, the worm spread to the plant network as well. Slammer is a single 376-byte UDP datagram sent to port 1434 that exploits a buffer overflow in Microsoft SQL Server 2000 and MSDE, a flaw for which a patch had been available for six months; it needs no file, no user action and no TCP handshake, so one unfiltered path between two networks is all it takes for it to cross from one to the other.
The sequence was as follows. At 4:00 PM the operators noticed the plant network slowing down, and at 4:50 PM the Safety Parameter Display System (SPDS) crashed. The SPDS monitors the operation of the coolant system, core temperature, radiation levels and other critical conditions. At 5:13 PM the Plant Process Computer (PPC) crashed as well. So although the plant's network was protected by a firewall, both the SPDS and the PPC were disabled for about five hours: a firewall only protects the paths that actually pass through it, and the infected path did not. Fortunately the plant was not in operation at the time, because a hole in the reactor head was being repaired. The other reason no harm was done is that the analog backups of the SPDS and the PPC could not be attacked by the worm.
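The two failures in the Davis-Besse story, a worm that spreads by spraying one datagram at many hosts and a network link that reaches the plant zone without passing the firewall, are both visible in flow records if anyone looks. The following is an added example (not code from the column or from the plant); the zone addressing, interface names, flow-record format and all records are constructed to resemble the contractor-to-business-to-plant path, and the scan thresholds are assumptions.

```python
"""Flag Slammer-style scanning and firewall-bypass paths in flow records.

Added example, not from the column. The zones, interface names, record
format and sample records are constructed; the Slammer datagram size
(376 bytes, UDP/1434) is the worm's real signature.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) addressing for the three networks in the story.
ZONES = {
    "contractor": ip_network("198.51.100.0/24"),
    "business":   ip_network("10.10.0.0/16"),
    "plant":      ip_network("10.20.0.0/16"),
}
# Assumption: only flows arriving on this interface have passed the plant firewall.
PLANT_FIREWALL_IF = "fw-plant-in"

SLAMMER_DPORT = 1434   # MS SQL resolution service
SLAMMER_LEN = 376      # the whole worm is one 376-byte UDP datagram
SCAN_WINDOW_S = 5      # assumed: distinct targets counted within this many seconds
SCAN_THRESHOLD = 20    # assumed: this many distinct targets in the window = scanner


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    # Constructed record format: "ts src dst proto dport bytes ingress_if"
    ts, src, dst, proto, dport, nbytes, iface = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes), "iface": iface}


def find_slammer_scans(flows):
    """Return {source: distinct targets} for hosts spraying Slammer-sized
    UDP/1434 datagrams at many destinations inside SCAN_WINDOW_S."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == SLAMMER_DPORT and f["bytes"] == SLAMMER_LEN:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= SCAN_WINDOW_S}
            if len(targets) >= SCAN_THRESHOLD:
                hits[src] = len(targets)
                break
    return hits


def find_firewall_bypass(flows):
    """Return flows that reach the plant zone from outside it on any
    interface other than the firewall's: the Davis-Besse link."""
    return [f for f in flows
            if zone_of(f["dst"]) == "plant"
            and zone_of(f["src"]) != "plant"
            and f["iface"] != PLANT_FIREWALL_IF]


def build_sample():
    """Constructed flow records: one legitimate flow through the firewall, one
    business-to-plant flow over a contractor T1 link that skips it, and an
    infected business host spraying 376-byte datagrams at both zones."""
    lines = [
        "1043508000 10.10.5.7 10.20.1.10 tcp 443 1820 fw-plant-in",
        "1043508010 10.10.8.2 10.20.1.20 tcp 1433 9200 t1-contractor",
    ]
    for i in range(1, 31):
        dst = f"10.20.1.{i}" if i % 3 == 0 else f"10.10.{i}.1"
        iface = "t1-contractor" if dst.startswith("10.20.") else "core"
        lines.append(f"{1043508020 + i // 10} 10.10.8.2 {dst} udp 1434 376 {iface}")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(l) for l in build_sample()]
    print("scanners:", find_slammer_scans(flows))
    for f in find_firewall_bypass(flows):
        print("bypass:", f["src"], "->", f["dst"], "via", f["iface"])
```

The bypass check is the more important of the two for the plant side: it does not depend on knowing the worm, only on the rule that every flow into the plant zone must arrive on the firewall interface. Anything else is a second path, and that path is what the firewall never saw.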
We must remember that all our nuclear power plants are old. Decades ago their controls were completely analog; there were no data highways, so data transfer between the plants and the corporate offices was secure from cyber attacks. Today digital systems monitor the critical operating conditions (valve openings, pump status, temperatures, pressures, levels, radiation, loading, etc.) of most nuclear plants, while the plants themselves are still controlled by analog controls.
From a number of accidents we have learned that if an intruder worm tampers with the digital monitoring system (as it did with Davis-Besse's SPDS and PPC), and if the operators, acting on what that system shows them, are allowed to overrule the automatic safety interlocks, then a virus or worm attack can do real damage. We have also learned that the design and practices of the operator of the Davis-Besse plant (FirstEnergy) were apparently NOT in violation of the NRC’s cyber security regulations.
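The design point in the two paragraphs above is that the protective action must not depend on the monitoring network, and that an operator override of an interlock must be gated by plant state and a hardwired permissive rather than granted on request from a console. The following added example (mine, not the column's and not any plant's protection logic) models that with three hardwired temperature channels voted two-out-of-three, a display fed from a separate network feed, and a bypass policy; the setpoint, channel tags, readings and bypass conditions are all constructed assumptions.

```python
"""Trip logic independent of the monitoring network, with gated bypass.

Added example, not from the column. Setpoint, channel tags, readings and
the bypass conditions are constructed assumptions used for illustration.
"""
from dataclasses import dataclass

TRIP_SETPOINT_C = 330.0   # assumed coolant-temperature trip setpoint
MAX_BYPASS_S = 3600       # assumed longest permitted interlock bypass


@dataclass
class Channel:
    """One hardwired sensor channel read directly by the protection logic."""
    name: str
    value: float
    ok: bool = True   # channel health bit; False means the channel has failed


def vote_2oo3(channels, setpoint):
    """Trip when at least two of three channels demand it.  A failed channel
    votes to trip (fail-safe), so losing a channel can never block a trip."""
    assert len(channels) == 3
    votes = sum(1 for c in channels if (not c.ok) or c.value >= setpoint)
    return votes >= 2


@dataclass
class BypassRequest:
    keyswitch_on: bool          # hardwired maintenance keyswitch, not a network command
    reactor_subcritical: bool   # plant state in which a bypass is allowed
    duration_s: int


def bypass_permitted(req):
    """The interlock may be bypassed only with the keyswitch, only while the
    reactor is subcritical, and only for a bounded time."""
    return (req.keyswitch_on and req.reactor_subcritical
            and 0 < req.duration_s <= MAX_BYPASS_S)


def protection_decision(channels, bypass=None):
    """Protection reads the hardwired channels only; the SPDS feed is not an input."""
    if bypass is not None and bypass_permitted(bypass):
        return False, "interlock bypassed under permitted conditions"
    if vote_2oo3(channels, TRIP_SETPOINT_C):
        return True, "2oo3 vote above setpoint"
    return False, "below setpoint"


def spds_display(feed):
    """The monitoring side renders whatever the network feed delivers."""
    temp = feed.get("core_temp_c", 0.0)
    return {"core_temp_c": temp, "alarm": temp >= TRIP_SETPOINT_C}


def scenario():
    """Constructed case: the hardwired channels read high while the network feed
    to the SPDS has been overwritten to show a normal value.  The operator,
    trusting the display, asks from a console to bypass the interlock."""
    channels = [Channel("TE-101A", 334.0), Channel("TE-101B", 335.5), Channel("TE-101C", 333.2)]
    tampered_feed = {"core_temp_c": 298.0}
    display = spds_display(tampered_feed)
    request = BypassRequest(keyswitch_on=False, reactor_subcritical=False, duration_s=900)
    trip, reason = protection_decision(channels, request)
    return {"display_alarm": display["alarm"],
            "bypass_accepted": bypass_permitted(request),
            "trip": trip, "reason": reason}


if __name__ == "__main__":
    print(scenario())
```

The worm in the Davis-Besse case could have done to the display what the tampered feed does here, and the operators would have been looking at normal values. The trip still happens because nothing the worm can reach is an input to the protection decision, and the console request to bypass is refused because neither the keyswitch nor the plant state permits it.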
We also know that for financial reasons and for management convenience, the whole nuclear industry is drifting towards completely digital controls that allow remote operation of some plant functions. This trend could have disastrous consequences not only in newly built nuclear power plants, but also in refineries, chemical plants and throughout industry.