Reader Feedback: No Complete Disconnect for Nuclear Plants?

You Can't Isolate a Nuclear Power Plant from Any External Data Communications

By Dick Caro

I almost always agree with Béla Lipták, but I must take exception to one of his "overrule safety" solutions to the nuclear power plant problem. (See February's Ask the Experts, "'Overrule' Safety Automation; Minimum Control Valve Size.") You can't isolate a nuclear power plant from any external data communications.

I seem to recall an NRC requirement for "remote operation" of a nuclear power plant in case the local control center becomes damaged or is otherwise inoperable. The requirement was for that plant to be operated from a distant location sufficient to regain control, and safely operate it or shut it down in an orderly manner. This does not require an Internet connection, but it is a communications line out of the plant.

I've often heard people exclaim that there should be no Internet connections to the process control network as a solution to the potential for control systems being "hacked." Well, that didn't protect the Iranian uranium enrichment plant from the Stuxnet virus that was probably planted into the operating system of the Siemens System 7 at least a year before it was shipped.

These days, it's unrealistic to insist on no Internet connection for any process control system. There are too many vendor support services connected via the Internet that are necessary to keep a modern process control system and the attached smart instrumentation in good repair and fully operational. As always, the Internet connection must be secure and allow only previously authorized connections. It's not impossible to achieve protected access, and all communications must be encrypted to prevent damage and covert data transmission.

I didn't say it was easy, and it is usually not fast, but protected Internet connections must be allowed.

Dick Caro
CMC Associates