Nuclear plant cyber security - they still don't get it

Jan. 2, 2008


There is still an "us" (nuclear) vs. "them" (non-nuclear) approach being taken by the nuclear industry with respect to working with the non-nuclear community on control system cyber security. Specifically, the December issue of Nuclear News references a nuclear plant instrumentation and control system meeting dedicated to cyber security that was held in Idaho Falls in October 2006. This meeting was the same week as the ISA Expo 2006 in Houston. The nuclear community should recognize that the non-nuclear community has significantly more experience with the same systems, which is why the timing of the Idaho meeting was so unfortunate. However, the same issue occurred this summer, with the ISA Power Industry Symposium in Pittsburgh holding a cyber security track and a nuclear power cyber security meeting being held in Washington on the same day. I see no common meetings (combined nuclear and non-nuclear) other than my annual Control System Cyber Workshop. Additionally, there is currently no nuclear participation in the ISA S99 Process Control Cyber Security standards committee, which I find inexcusable.

In the Nuclear News article, there was a reference to an IAEA nuclear security technical guidance document. Section 1.3 of the document, "Computer Security at Nuclear Facilities", states: "The protection of the computer systems at nuclear facilities can, in principle, be achieved using the same methods and tools that have been developed within the computer community...". This statement is at best misleading. Control systems are composed of an HMI that may be Windows-based and field devices that are not. Traditional business IT security can be applied to the Windows-based HMI. However, for field devices, business IT security (policies, procedures, technologies, and testing) is NOT appropriate. It is not clear what caused the broadcast storm at Browns Ferry 3. However, a very credible cause could be inappropriate business IT testing (scanning of control system networks). There are numerous cases where inappropriate business IT security approaches have significantly impacted control system performance.

In the November issue of Power, there are two articles on nuclear plant networks: "Plantwide Data Networks Leverage Digital Technology to the Max" and "Upgrade your BWR Recirc Pumps with Adjustable Speed Drives". Both tout the value of advanced communication networks and neither addresses the cyber security vulnerabilities they open. In the first, it is suggested that the plantwide data network (PDN) include process control (DCS, PLCs, etc.) and plant communications (public address, radios, cell phones, pagers, etc.). It is also suggested that process monitoring, operator support, plant security (physical), and supplemental monitoring/testing be included. These are all good ideas (ironically, 10-15 years ago, before cyber security was an issue, I was writing papers and sponsoring research at EPRI encouraging this approach), but they need to include cyber security considerations, on which the article is essentially silent. The second article, on BWR recirculation pumps going to variable speed drives, seems to ignore the Browns Ferry 3 broadcast storm experience. Variable speed drives are definitely the way to go and networking the drives is a good idea, but ... you still need to address the cyber component you just opened.

  Joe Weiss