Nuclear plant cyber security - they still don't get it

There is still an "us" (nuclear) vs "them" (non-nuclear) approach being taken by the nuclear industry with respect to working with the non-nuclear community on control system cyber security. Specifically, the December issue of Nuclear News references a nuclear plant instrumentation and control system meeting on cyber security that was held in Idaho Falls in October 2006. This meeting was the same week as the ISA Expo 2006 in Houston. The nuclear community should recognize that the non-nuclear community has significantly more experience with the same systems, which is why the timing of the Idaho meeting was so unfortunate. However, the same issue occurred this summer, with the ISA Power Industry Symposium in Pittsburgh holding a cyber security track and a nuclear power cyber security meeting in Washington on the same day. I see no common meetings (combined nuclear and non-nuclear) other than my annual Control System Cyber Workshop. Additionally, there is currently no nuclear participation in the ISA S99 Process Control Cyber Security standards committee, which I find inexcusable.

In the Nuclear News article, there was a reference to an IAEA nuclear security technical guidance document. Section 1.3 of the document, "Computer Security at Nuclear Facilities", states: "The protection of the computer systems at nuclear facilities can, in principle, be achieved using the same methods and tools that have been developed within the computer community…". This statement is at best misleading. Control systems are composed of an HMI that may be Windows-based and field devices that are not. Traditional business IT security can be applied to the Windows-based HMI. However, for field devices, business IT security (policies, procedures, technologies, and testing) is NOT appropriate. It is not clear what caused the broadcast storm at Browns Ferry 3. However, a very credible cause could be inappropriate business IT testing (scanning of control system networks). There are numerous cases where inappropriate business IT security approaches have significantly impacted control system performance.

In the November issue of Power, there are two articles on nuclear plant networks: "Plantwide Data Networks Leverage Digital Technology to the Max" and "Upgrade your BWR Recirc Pumps with Adjustable Speed Drives". Both tout the value of advanced communication networks and neither addresses the cyber security vulnerabilities they open. In the first, it is suggested that the plantwide data network (PDN) include process control (DCS, PLCs, etc.) and plant communications (public address, radios, cell phones, pagers, etc.). It is also suggested that process monitoring, operator support, plant security (physical), and supplemental monitoring/testing be included. These are all good ideas (ironically, 10-15 years ago, before cyber security was an issue, I was writing papers and sponsoring research at EPRI encouraging this approach), but they need to include cyber security considerations, on which the article is essentially silent. The second article, on BWR recirculation pumps going to variable speed drives, seems to ignore the Browns Ferry 3 broadcast storm experience. Variable speed drives are definitely the way to go and networking the drives is a good idea, but… you still need to address the cyber component you just opened.

  Joe Weiss


Comments

  • Hi Joe, Happy New Year.

    I have been reviewing the proposed reference material for the Critical Infrastructure and Control Systems Security Curriculum, DRAFT Version 1.0.

    I don't know if you have read the above document. I would love to hear what your thoughts are on the course outline at some stage.

    That aside for now, the material referenced a heap of public (web) material including the Three Mile Island Incident final report. I am certain that you would have read this at least once or twice before.

    I think some of the cultural issues you have raised in this blog posting can be seen evident in the report material and worthy of a re-read from that. A self assessment to see what lessons have or have not been learned that were highlighted by the report would also be an interesting score sheet I suspect.

    The "Need to Know" ethos is very much part of the culture, and understandably so. Still, as you say, there are common frames of reference within control systems regardless of the process that can benefit from sharing between verticals, and lessons that can and should be learned from reading any incident synopsis.

    Out in the open, there are always going to be issues with discussions in sensitive to national and global or even local interest process control systems and this too may be part of the reluctance or resistance you are coming across?

    I struggle with every word I type to try and discuss what we can without creating a disadvantage for “my team” and to convey my meaning, perhaps this is also behind the issue of uptake as well.

    I am surprised that the final report findings have not been released for Browns Ferry 3, as I thought these were due to be available before Christmas? Hopefully there will be some lessons learned for those of us that are enlightened enough to listen.

    All the best for the coming year ahead. I have a steep hill to climb myself trying to change the culture in the water industry, locally where things are much more amenable to open discussions. This is still I fear going to result in a lot of effort to bring about lasting change but worth it in the long run.
