On Monday, August 20, 2018, the Nuclear Regulatory Commission (NRC) issued Proposed Revision 1 to Regulatory Guide 5.71, Cyber Security Programs for Nuclear Power Plants. Proposed Revision 1 is a major step forward, as the new version addresses many of the holes in the original version. Ironically, on the same day, my abstract, “The Hole in Nuclear Plant Cyber Security – Insecure Process Sensors”, was accepted by the American Nuclear Society for the February 2019 11th Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies Conference in Orlando, FL. The review process included input from NRC representatives.
Cyber security of process sensors has not been addressed effectively in Regulatory Guide 5.71 (original and Proposed Revision 1) or in NEI 08-09: neither document mentions the word “sensors”. This is a significant safety concern, because the NRC imposes numerous safety requirements on sensors precisely because of their potential safety significance. Those requirements were why I was working on sensor health monitoring and attempting to eliminate response time testing of pressure and differential pressure sensors while managing the EPRI Nuclear Instrumentation and Diagnostic Program in the late 1980s to early 1990s. During that effort, I found a very significant common-cause, non-detectable failure mode in analog pressure, level, and flow sensors in nuclear safety applications. That failure mode actually affected nuclear safety in several nuclear plants.

Both versions of Regulatory Guide 5.71 and NEI 08-09 mention DIGITAL instrumentation and control systems. However, analog sensors can also be cyber vulnerable, because process sensor protocols are not secure. An example is the HART Communication Protocol (Highway Addressable Remote Transducer), which may not be used in nuclear safety applications but is used in nuclear plants. This is a hybrid analog+digital protocol that uses the cyber-vulnerable XML programming language. HART can communicate over legacy 4–20 mA analog instrumentation current loops, sharing the pair of wires used by the analog host systems. In 2014, a Russian IT research organization presented the results of ICSCorsair, the compromise of the wired-HART protocol. Researchers have also demonstrated that wireless-HART sensors and actuators can be compromised. Many serial-to-Ethernet converters have known cyber vulnerabilities and can be used as a pathway to compromise the analog signals, or settings such as span, range, and damping, before they become Ethernet packets. In fact, serial-to-Ethernet converters were compromised in the 2015/2016 Ukrainian cyber attacks.
Additionally, process noise (the fluctuations seen in the sensor signals) is a direct reflection of the health of the sensors and the process. However, the serial-to-Ethernet converters filter out much of the higher-frequency noise, so it is not possible for network anomaly detection methodology to identify whether a sensor was compromised before its value became an Ethernet packet. The PLCs and HMIs ASSUME the sensor values are uncompromised (unless they are out of band) and will therefore directly take action (right or wrong) based on the sensor input. This effectively defeats the situational awareness required by Regulatory Guide 5.71 and NEI 08-09. There is a need to fill this hole in nuclear plant cyber security to maintain the safety of nuclear power plants.
Joe Weiss
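To illustrate the point about process noise, here is an added example (not from the post or any plant system): a constructed 4–20 mA loop signal is checked once on the raw samples and once after a modelled serial-to-Ethernet converter that block-averages samples into reported values. The converter model, the noise floor and the sample data are all assumptions made for the illustration.

```python
import random
import statistics

LOOP_MIN_MA, LOOP_MAX_MA = 4.0, 20.0   # valid band of a 4-20 mA loop
NOISE_FLOOR_MA = 0.01                  # assumed: std dev below this means process noise is missing


def raw_loop_samples(n, mean_ma, noise_std_ma, seed=1):
    """Constructed raw loop samples: a steady level plus Gaussian process noise."""
    rng = random.Random(seed)
    return [mean_ma + rng.gauss(0.0, noise_std_ma) for _ in range(n)]


def serial_to_ethernet(samples, block):
    """Assumed converter behaviour: average each block of raw samples into one reported value,
    which removes the high-frequency noise before the value reaches the network."""
    return [sum(samples[i:i + block]) / block
            for i in range(0, len(samples) - block + 1, block)]


def plc_in_band(value_ma):
    """The only check a PLC/HMI is assumed to apply: is the value inside the loop band?"""
    return LOOP_MIN_MA <= value_ma <= LOOP_MAX_MA


def noise_health(values):
    """Sensor health check based on process noise: flag a signal whose variability is gone."""
    sd = statistics.pstdev(values)
    return {"std_ma": sd, "noise_present": sd >= NOISE_FLOOR_MA}


def assess(samples, block=1000):
    """Compare what a raw-signal check sees with what a network-side check sees."""
    reported = serial_to_ethernet(samples, block)
    return {
        "raw": noise_health(samples),            # check on the loop itself
        "network": noise_health(reported),       # check on the Ethernet-side values
        "plc_accepts_all": all(plc_in_band(v) for v in reported),
    }


# Constructed data: a healthy sensor at 12 mA with noise, and an in-band signal with no noise
# (a stuck or excessively damped sensor), both 10 s of samples at 1 kHz.
HEALTHY = raw_loop_samples(10_000, 12.0, 0.05, seed=1)
FROZEN = [12.0] * 10_000

if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("frozen", FROZEN)):
        print(name, assess(data))
```

The raw-signal check separates the two cases, while the in-band check accepts both and the network-side check cannot tell them apart once the converter has averaged the noise away.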