During the last months, I wrote about the critical role that process control will play in converting our energy economy from an exhaustible to an inexhaustible one. In this series of articles, I will write about the role our profession will play during the transition when the planet seems to be drifting towards energy wars. The weapons of these wars of terror will not be limited to biological weapons and “dirty” nuclear bombs, but will also include software viruses and worms that will wage cyber warfare in attacking our infrastructure and industry, including our nuclear power plants1.
Later I will describe the causes of such accidents as Three Miles Island or Chernobil. By the way, not too many people realize that some 11 Chernobil type nuclear power plant blocks are still in operation in Russia (at Kursk, Smolensk, Leningrad, etc.) and one is also operating until 2009 outside Russia (the Ignalina II block in Lituania). I will also discuss the causes of over 100 nuclear accidents of the past3, plus the design and control configurations including interlocks that are used today and will describe the strategies by which process control can protect them from both the common accidents and cyber attacks.
While the targets of cyber attacks of the past4 also included other industrial targets, here I will concentrate on nuclear power plants and on their existing means of protection and on the changes needed to close the existing security loopholes. I will discuss the safety needs of all three processing operations: enrichment, power generation and waste disposal.
The grounds of Davis-Besse nuclear power plant in Ohio are patrolled by armed guards and are surrounded by a double row of tall fences which are monitored electronically, just as are all other nuclear power plants. Tall fences reduce the probability of somebody driving a truck full of explosives into the plant. Yet, all of my readers know that fences do not protect against computer crashes, armed guards do not protects against viruses and software worms.
On January 25, 2003 a Slammer worm penetrated the private computer network of Ohio's Davis-Besse nuclear power plant. The worm entered by first penetrating the unsecured network of a contractor and squirmed its way into the Davis-Besse corporate business network and because that network was connected to the plant’s network, but bypassed its firewall, it spread to the plant network.
The following sequence followed. At 4:00 PM the operators noticed the slowing of the plant network and at 4:50 PM the Safety Parameter Display System (SPDS) crashed. The SPDS monitors the operation of the coolant system, core temperature, radiation levels and other critical conditions. At 5:13 PM the Plant Process Computer (PPC) also crashed. Therefore, although the plant’s network was protected by a firewall, both the plant’s SPDS and PPC were disabled for about five hours. Fortunately at the time the plant was not in operation, because a hole in the reactor head was being repaired. Another reason why no harm was done is because the analog backups of the SPDS and the PPC could not be attacked by the worm.
We must remember that all our nuclear power plants are old and decades ago, the controls of all nuclear power plants were completely analog. There were no data highways and therefore the data transfer between the plants and corporate offices were secure from cyber attacks. Today, digital systems monitor the critical operating conditions (valve openings, pump status, temperatures, pressures, levels, radiation, loading, etc.) of most nuclear plants, while they are still controlled by analog controls.
Through a number of accidents we have learned that if an intruder worm tampers with the digital monitoring system (like in the case of Davis-Besse's SPDS and PPC), and if the operators are allowed to overrule the automatic safety interlocks, virus or worm attacks are possible. We have also learned that the design and practices of the operator of the Davis-Besse plant (FirstEnergy) were apparently NOT in violation of NRC’s cyber security regulations.
We also know that for financial reasons and because of management convenience, the whole nuclear industry is drifting towards installing completely digital controls to allow the remote operation of some plant functions. This trend could have disastrous consequences not only in newly built nuclear power plants, but also in refineries, chemical plants and throughout industry.
While in the above discussion I concentrated on the Davis-Besse accident, I should note that this one Slammer attack has much wider implications. After this nationwide attack the National Security Telecommunications Advisory Committee concluded that the American electric grid as a whole is controlled by a “Byzantine network riddled by security holes, including unsecured SCADA systems and by unprotected connections between plant and company business networks.”
How To Improve Nuclear Power Plant Security
In order to improve nuclear plant security it is essential to realize both the need for totally separating the corporate business networks from the plant networks and to realize that digital firewalls do not guarantee this separation. This separation must be absolute and software firewalls are not! Because the safety of the public is involved, the implementation of this separation cannot be left up to each plant owner or operator, but must be mandated by the NRC; otherwise the people living near nuclear power plants, (such as the residents of Long Island, N.Y.) can not feel safe.
Therefore, the NRC must totally forbid not only the remote operation of nuclear plants, but also the linking of plant operations networks with corporate LANs (local area networks). The convenience and cost savings associated with these corporate links cannot justify the risk they cause to the public. This also means that the NRC should require total separation between the corporate networks of utilities and the SCADA networks of the plants. These SCADA networks control the remote terminal units (RTUs) sprinkled throughout the plants, directly monitoring and/or controlling the operation of power plant equipment.
As I will be discussing in more detail in the coming articles, the steps to be taken to guarantee plant safety and security are not limited to providing digital separation. For example, one must also guarantee both the reliability of the data reaching the operators AND must protect the plant from operator errors, which can be unintended OR INTENTIONAL. The 21st-century interpretation of Murphy’s law says that it is just as possible for an operator to smuggle a bomb into the control room as it is to smuggle in a software package.
Therefore, the protection in nuclear power plants must be served by both redundancy and automation. In addition, the redundancy should not be a simple backup, but a triple- redundancy voting system implemented for both the hardware and the software of the plant. This means that in all nuclear power plants, all critical measurements and status indicators would be made by three accurate sensors, and the control system would act on the “majority view” which would automatically schedule the “disagreeing sensor” for maintenance and recalibration. The same would apply to all software packages including SCADA, SPDS, PPC, etc. networks in the plant. Similarly, in case of the digital systems and networks, as soon as one disagrees with the “majority view,” that one would be disabled and checked for virus or worm attacks.
In the area of protecting the plant from intentional or unintentional operator errors, I would provide hardwired interlocks on all critical safety systems and would configure the controls in such a way that the operators cannot bypass them or shut them down. In addition, I would set up a national review board that would not only train and check the background of operators, but would also arrange for the review of all existing process control loops in all 125 nuclear power plants to make sure that the conditions that have caused the over 100 accidents7 of the past are not still present in any of them.
In the area of nuclear waste management, we know that each reactor produces 20 tons of nuclear waste per year, and this waste is locally stored, usually in steel casks at temporary waste sites. These casks can be penetrated by regular weapons will release radioactive cesium gas. While these waste sites can be guarded 24 hours a day, the only safe solution would be to have a permanent waste repository. In the meanwhile, process control can much improve the security of these waste sites right now.
In addition to making the nuclear power plants more secure I would also require the NCR to use the tools of process control to improve the security of the uranium enrichment, transportation and waste storage (including military waste) in order to minimize the potential for theft. For obvious reasons, here I will not elaborate on the tools process control can provide to monitor and protect such sites, but just mention that it should be utilized if we want to protect societies around the globe from possible “dirty bomb” attacks.
I will continue this series in the January issue.
Béla Lipták, PE, control consultant, is also editor of the Instrument Engineers’ Handbook and is seeking new co-authors for the for coming new edition.