Nuclear plant cyber security has a ways to go

As a nuclear engineer who has worked inside and outside of the nuclear industry, I have my thoughts on why nuclear plants are so far behind non-nuclear facilities in securing control systems. I spent 5 years managing the EPRI Nuclear Plant Instrumentation and Diagnostics Program. Even though EPRI’s purview is R&D, I did not do “bleeding edge” research on new instrumentation and controls technologies because it would not be usable in nuclear plants until demonstrated elsewhere. I then spent 5 years managing the EPRI Fossil Plant Instrumentation & Controls Program. Here, I was able to do “bleeding edge” research in instrumentation, controls, and communications (I received 2 patents on instrumentation and controls technologies). What became obvious to me was that non-nuclear facilities would implement new technologies such as Internet access and modern telecommunications if they thought it would be financially prudent, while nuclear plants could not implement new technologies until they were well proven elsewhere. This means the non-nuclear community has vastly more experience and expertise than the nuclear community in cyber security. Yet the nuclear community refuses to take advantage of these resources. Why???

The prevailing wisdom is that nuclear plants are isolated and not connected or interconnected. At least for some nuclear plants, that is simply not true! I personally know of many nuclear plants with remote connectivity to and from their nuclear plant networks. One interesting case was mentioned at the Applied Control Solutions Conference in Knoxville last August by a representative from a nuclear utility. He mentioned they installed firewalls between their nuclear plant networks and Corporate network because their nuclear plant networks were infecting the Corporate network with malware, not the other way around.

Commercial nuclear plants have several interesting aspects:

1) Nuclear plants have been viewed as being isolated and immune to cyber events. However, there have been several documented cases where nuclear plants have experienced cyber events. Several other cyber events have occurred that have not resulted in reactor scrams or other “unusual events” and so are not documented.

2) Because all “unusual events” result in some form of NRC notification, it is possible to glean information from nuclear plant events that would not be available from non-nuclear plants.

3) In most cases, nuclear plant personnel have not participated in non-nuclear control system cyber activities such as ISA S99. As mentioned above, this has kept the nuclear industry from obtaining the relevant valuable expertise and experience from others.

4) The nuclear industry guidance for cyber security (NEI-0404) was developed primarily from an IT perspective and is also primarily a programmatic document that does not address the unique aspects of control systems. Similar to the NERC CIPs, NEI-0404 would not have prevented many of the cyber events that have occurred. Moreover, some of the guidance in NEI-0404 potentially could have either caused or exacerbated some of the cyber events that have already occurred.

Other specific details about nuclear plants and cyber security include:

- In the November 2007 issue of Power, there are two articles on nuclear plant networks: “Plantwide Data Networks Leverage Digital Technology to the Max” and “Upgrade your BWR Recirc Pumps with Adjustable Speed Drives”. Both tout the value of advanced communication networks and neither addresses the cyber security vulnerabilities they open. In the first, it is suggested that the plantwide data network (PDN) include process control (DCS, PLCs, etc.) and plant communications (public address, radios, cell phones, pagers, etc.). It is also suggested that process monitoring, operator support, plant security (physical), and supplemental monitoring/testing be included. These are all good ideas (ironically, 10-15 years ago, before cyber security was an issue, I was writing papers and sponsoring research at EPRI encouraging this approach), but they need to include cyber security considerations, on which the article is essentially silent. The second article, on BWR recirculation pumps going to variable speed drives, seems to ignore the Browns Ferry 3 broadcast storm experience. Variable speed drives definitely provide a productivity improvement, and networking the drives is a good idea, but you still need to address the cyber component you just opened.

- In November 2007, EPRI issued Technical Report 1015087, “Instrumentation and Control Strategies for Plant-Wide and Fleet-Wide Cost Reduction”. The report states: “Coordinated improvements to shared communications and computing infrastructure, plant processes, and organization…”. This statement almost cries out that cyber security will be an issue. The report simply says to consider cyber, not what to do.

- The December 2007 issue of Nuclear News references an IAEA nuclear security technical guidance document. Section 1.3 of the document, “Computer Security at Nuclear Facilities”, states: “The protection of the computer systems at nuclear facilities can, in principle, be achieved using the same methods and tools that have been developed within the computer community…”. This statement is at best misleading. Control systems are composed of an HMI that may be Windows-based and field devices that are not. Traditional business IT security can be applied to the Windows-based HMI. However, for field devices, business IT security (policies, procedures, technologies, and testing) often is NOT appropriate. Several recent nuclear plant cyber events would not have been prevented by traditional IT security. Moreover, they could have been CAUSED by applying inappropriate IT security techniques.

The recent nuclear plant cyber incident resulted in an automatic scram from settings that closed valves.
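The Browns Ferry 3 broadcast storm mentioned above, and the point that networking the drives opens a cyber component that then has to be addressed, lend themselves to one concrete check: watch the control-network segment itself for a flood of broadcast frames, rather than relying only on monitoring of the business LAN. The following Python script is an added example and is not code from the original post, from any plant, or from any vendor. It parses a constructed frame log (epoch seconds, source MAC, destination MAC, EtherType; this log format and the device addresses in it are assumptions) and raises an alert for any one-second window whose broadcast/multicast frame count exceeds a threshold, naming the top-talking source so an engineer knows which device to look at first.

```python
"""Broadcast-storm detector for a control-network frame log (added example, not from the post)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample log, one frame per line: epoch_seconds,src_mac,dst_mac,ethertype.
# Seconds 100-101 are ordinary traffic (ARP plus unicast IP). In second 102 one drive
# controller (00:1b:1c:00:00:07, a made-up address) floods the segment with 300 broadcasts
# while a normal unicast frame from another device is also present.
SAMPLE_LOG = (
    "100.10,00:1b:1c:00:00:01,00:1b:1c:00:00:09,0x0800\n"
    "100.40,00:1b:1c:00:00:02,ff:ff:ff:ff:ff:ff,0x0806\n"
    "100.80,00:1b:1c:00:00:03,00:1b:1c:00:00:09,0x0800\n"
    "101.20,00:1b:1c:00:00:02,ff:ff:ff:ff:ff:ff,0x0806\n"
    "101.70,00:1b:1c:00:00:04,00:1b:1c:00:00:09,0x0800\n"
    "102.15,00:1b:1c:00:00:01,00:1b:1c:00:00:09,0x0800\n"
    + "".join(f"102.{i:03d},00:1b:1c:00:00:07,ff:ff:ff:ff:ff:ff,0x0806\n" for i in range(300))
)


@dataclass(frozen=True)
class Frame:
    ts: float        # capture time in seconds
    src: str         # source MAC, lower-case
    dst: str         # destination MAC, lower-case
    ethertype: str   # e.g. 0x0806 (ARP), 0x0800 (IPv4)


def parse_frames(text):
    """Parse the assumed CSV frame log; blank lines and '#' comments are skipped."""
    frames = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, src, dst, ethertype = parts
        frames.append(Frame(float(ts), src.lower(), dst.lower(), ethertype.lower()))
    return frames


def is_broadcast_or_multicast(mac):
    """All-ones is broadcast; a set group bit (LSB of the first octet) marks multicast."""
    first_octet = int(mac.split(":")[0], 16)
    return mac == BROADCAST_MAC or bool(first_octet & 0x01)


def detect_storms(frames, window_s=1.0, threshold=100):
    """Return one alert dict per window whose broadcast/multicast count exceeds threshold.

    The threshold is a placeholder; a real deployment sets it from the segment's own
    baseline. Counting per source lets the alert name the device to inspect.
    """
    per_window = defaultdict(Counter)
    for f in frames:
        if is_broadcast_or_multicast(f.dst):
            per_window[int(f.ts // window_s)][f.src] += 1
    alerts = []
    for w in sorted(per_window):
        count = sum(per_window[w].values())
        if count > threshold:
            top_src, top_n = per_window[w].most_common(1)[0]
            alerts.append({
                "window_start": w * window_s,
                "broadcast_frames": count,
                "top_source": top_src,
                "top_source_frames": top_n,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_storms(parse_frames(SAMPLE_LOG)):
        print(f"ALERT t={alert['window_start']:.0f}s: {alert['broadcast_frames']} broadcast frames, "
              f"top source {alert['top_source']} ({alert['top_source_frames']} frames)")
```

The detector keys on rate per source rather than on signatures: a storm from a misbehaving controller carries no malware for signature-based monitoring to match, which is one reason conventional cyber monitoring can miss this class of event. The window size and threshold are deliberately simple placeholders to be tuned against the plant's own baseline traffic.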
The cause of this incident is not one that has been considered by many and could also explain previously unexplained trips in fossil plants, chemical plants, and other process facilities. To prevent events like this from happening, it will require developing appropriate design criteria, appropriate policies and procedures, and, most of all, having control system domain expertise as part of the cyber team. What is also interesting about this event is that none of the existing cyber monitoring would have detected it. Additionally, certain IT practices such as automatic patch management could CAUSE an event like this given the “right” conditions and plant design. As a result of the wide-ranging (non-nuclear) implications of this recent event, we will dedicate a session at the August Control System Cyber Security Conference in Chicago to this event.

One other interesting aspect of nuclear plant cyber security is the gap in regulations for grid reliability and continuity of nuclear power. NRC is responsible for nuclear plant safety, not continuity of nuclear power. Since nuclear power makes up about 20% of US electric power generation and each nuclear plant represents a large portion of local generation, loss of nuclear power generation can, and has, had a significant impact on grid reliability (see the Northeast Outage and the recent Florida outage). NRC was involved in the Browns Ferry event not because of the broadcast storm, but because the operator chose to shut the plant down. Had the operator chosen not to shut the plant down, NRC would not have been notified, yet the grid would still have experienced the loss of more than 700 megawatts. This could easily affect grid stability and reliability. Consequently, there is a need to either develop new standards or include nuclear plant continuity of power in existing cyber security standards for grid reliability.

Joe Weiss

What are your comments?
