Open in app

Sign in

Write

Sign in

Coal Power Stations

Cyber security considerations for Coal Power Stations

Dietmar Marggraff
10 min readApr 5, 2023
Coal Power Station.

A coal power station is likely the first type of power station that pops into mind when we consider electricity generation. Large, circular towers with steam exiting from the top, right? Well behind those towers is a much larger process which we will be exploring in today’s post. Feel free to explore some of the other topics we have covered in this series including Substations, Open Cycle Gas Turbines, and Process Control.

Security consideration: throughout this post you will find these security 
considerations. These are used to highlight some of the important processes
that may be worth considering from a security perspective. This is not an 
all-encompasing analysis, though, so try and keep the following questions 
in mind when reading the post - 
[1] Is this a critical process that may be worth protecting?
[2] What should we do to protect the system?
* Disclaimer: this information should not be used for nefarious or unauthorised
purposes but rather as an educational tool (see the Welcome post of this
blog).

Introduction

Figure 1, below, provides a relatively detailed overview of the different components of a coal power station. The first step, which we will not cover in detail in this post, is the extraction of coal from the ground through the process of mining. The coal is transported to the power station (typically by rail or truck) where it is processed further and subsequently consumed by a boiler/generator unit (a plant will usually have more than one generation unit). In this post, we will be considering a setup of 6 x 618MW generation units. In the rest of this post, we will be considering the rest of the components in turn (we will use {n} to reference elements in Figure 1 throughout the rest of the post).

Figure 1: Overview of a coal power plant.

Side Note: a coal power station is classified as a ‘thermal’ power station as it uses heat to generate electricity / converts thermal to electrical energy.

Coal Mill

6 x 618MW generation units consume about 50,000 tons of coal a day. The coal is transported to an on-site stockyard where it is buffered (to ensure that the power station does not run out of coal). The coal is moved into a bunker {2} where it is fed into the coal mill {3}. In the mill, the coal is pulverised into a fine powder because this burns quicker (almost like gas) than the coal in its normal form.

Security consideration: if the speed of the conveyor belt is suddenly increased
and the belt has not been tensioned correctly a fire may occur if the belt
starts to slip.

Figure 2, below, provides an overview of the coal pulverisation process. The coal enters the hopper where it is pulverised in the mill before air is used to force it to the burners. In this control system, there are several variables that need to be considered including:

  • Primary airflow
  • Pulveriser differential pressure
  • Coal/air temperature
  • Pulveriser exhaust pressure
  • Coal silo level
Figure 2: Control system overview for a pulverised fuel mill.

In this case, the primary control surface is the speed of the primary fan. The differential pressure transmitters provide inputs for the primary air flow and miller feeder controllers. The miller feeder controller in turn manipulates the speed at which coal is allowed to enter the mill.

Security Consideration: overfeeding the mill could result in damage to 
equipment or a halting of the process (if the mill is not able to process
the coal). If variables such as coal/air rate are changed, the efficiency of
the power station could be affected and in the worst-case the burners 
may need to be restarted (if for example no coal enters the burners).

Boiler

As discussed above, air is used to transfer the pulverised coal into the boiler via 36 burners {4} where the mixture is ignited into a fireball.

Side note: boilers provide coal power stations with their distinctive rectangular shape with the buildings often being in excess of 35 stories high, as seen in Figure 3, below. Boilers are designed to convert the chemical energy of coal into thermal energy in the most efficient way possible.

Figure 3: Power station with boilers.

Some of the parameters we need to consider in the boiler include, but are not limited to:

  • Fuel flow rate
  • Boiler temperature distribution
  • Burner tilt angle (if applicable)
  • Burner flame
Security consideration: if uniform combustion conditions in the burners are
not achieved this could have an effect on the effiency (e.g. increased
required fuel rate, emissions). The worst case impact could be a unit derate
or event an outage.

Forced draught fans force preheated air (~250ºC) into the boiler {5}. In order to start the process, oil is injected at high pressure whereby it is atomised and ignited using a fuel injection system. At full load, the temperature in the boiler reaches ~1,200ºC.

Side note: some of the thermal energy from the boiler is used to preheat water and the air provided by the forced draught fans.

Induced draught fans extract the exhaust (flue) gas from the boiler through Smoke Stacks {7} after particulate matter has been removed by bag filters/precipitators and gas conditioning systems (newer systems) {6}. The Smoke Stacks can reach in excess of 270m high, however, the exact height may vary based on the design.

Security consideration: axial flow fans can experience a stall condition. This
typically occurs when the angle of attack of the fan is too high and the 
pressure it can produce is decreased. The angle of attack can be changed by
changing the input air flow rate (higher flow rate increases the angle of 
attack and lower flow rates decrease it). A stall condition will increase the
vibrations and an extended stall could cause damage to the blades.
Security consideration: centrifugal fans can experience a condition referred 
to as a surge. This occurs when the output pressure is higher than the 
specification and air starts to flow back into the fan. In certain fans this
could cause damage.

Steam production

The most important function of the boiler is to generate thermal energy which can be used to heat water to turn it into steam. Figure 4, highlights two different types of drum boilers. A natural boiler simply makes use of gravity and the difference in pressure between segments A-B and B-C to ensure that water and steam are circulated. If more control is needed over the flow rate (which is affected by boiler height, and heat input among other parameters), a pump can be installed.

Figure 4: Drum-type boilers.

Irrespective of the boiler type, demineralised water (to prevent corrosion) is pumped into the boiler through a series of pipes (in the flue) referred to as the economiser (sections A-C in Figure 4). The steam drum {19} is used as a separator and water/steam reservoir. In our 618MW generating unit example, the steam drum measures 24m in length, 2.2m in diameter, ways 259tons, and operates at 18.1MPa.

Security consideration: in the event of a simple forced loop, a reversal
of the pump direction may cause damage either by disrupting the process or 
by forcing the process into an unwanted condition (forcing water up when it 
is supposed to mvoe down).

Figure 4 is a slight oversimplification of what such a system may look like in practice. Our system makes use of 7 bore pipes as downcomers that divert water down to ~10m above the ground on the outside of the boiler. These pipes terminate in distribution headers which then divert the water into steam generator tubes forming the four walls of the boiler.

The pipes lead back up to the steam drum and form the roof of the boiler. The steam is separated from the water and flows into a bank of tubes referred to as superheaters {8} which use the flue gases to further heat the steam (from ~350ºC in the steam drum to 535ºC). There are three stages of superheating but these do not fall within the scope of this post.

Some systems may have a re-heat system where the steam from the High Pressure (HP) {9} turbines is reheated to 535ºC and then fed into the Intermediate Pressure (IP) {11} and Low Pressure (LP) {12} Turbines, which will be discussed below.

During startup or load rejection (sudden loss of load resulting in over-frequency), the HP turbine bypass system can be used to keep the boiler operational. The steam from the superheater passes through a pressure-reducing valve to the cold reheat inlet {10}. After being reheated, the steam flows through an IP/LP bypass system to reduce the pressure followed by an attemperator which reduces the temperature further, thereby allowing the steam to enter the condenser. In this way, the boiler can be operated without the turbine.

Security consideration: should the bypass valves not open during a load 
rejection event the turbine may overspeed potentially resulting in damage.

Side note: an attemperator controls the temperature whilst a desuperheater removes superheat by using a controlled stream of water. The desuperheater reduces the steam to the saturation point.

Some of the parameters we need to consider in steam production include, but are not limited to:

  • Drum pressure
  • Reheater pressure
  • Superheater, Reheater, Economiser temperature

Turbine

The turbine is the main component that converts thermal energy into mechanical energy. As discussed above, a turbine may in fact be comprised of multiple turbines as seen in Figure 5, below. The turbines operate at 3000rpm or 50Hz (note that this may vary dependent on the grid requirements).

Figure 5: Steam turbine.

The steam turbine is designed in such a way that each rotor only uses a specific amount of steam to ensure that the energy is converted as efficiently as possible. In our 618MW example, the distribution of power generation is as follows: HP 154.5MW (25%), IP 278.1MW (45%), and 2 x LP 92.7MW (15%).

The steam entering the HP and IP turbines does so through insulated lines to minimise the energy losses. Emergency Stop Valves (ESVs) and control valves are hydraulically controlled to ensure that the stream entering the turbines is controlled. Inside the turbine, two sets of blades are used, one is connected to the casing and is used to direct the steam flow. The second is connected to the rotor and is used to power the generator.

Security consideration: if the valves are opened too wide, the turbine 
may spin the generator above 50Hz potentially causing damage as the grid
attempts to slow down the generator again (pole slip). Alternatively, if the 
pipes do not contain pressure relief valves, and the control valves are all
shut, an overpressure event may damage the pipes.

Condensation

As mentioned above, demineralised water is used. Since it is expensive, though, the water is used repeatedly. However, once the steam exits the LP turbines it first needs to be condensed. A condenser {16} is a large container filled with 32K brass/titanium tubes that are filled with cooling water. The difference in temperature between the steam (40ºC) and cooling water (19ºC) results in condensation taking place.

The warm water from the condenser is pumped to the cooling tower {20} where it is sprayed onto layers of plastic. In a natural cooling tower, as seen in Figure 6, below, a draught of air blows up through the water and cools it down. As the water rises to the top, it condenses when it meets the cold air and forms ‘clouds’.

Figure 6: Cooling tower.

Side Note: the above-described cooling process makes use of a ‘wet cooling’ system. Other systems including direct and indirect ‘dry cooling’ systems can also be used to decrease the amount of water that is used, however, these are of scope for this post.

Security consideration: corrosion, among other problems could occur if the
steam or water is not kept at the correct purity. Specific water 
treatment processes need to be followed including controlling the oxygen 
concentration in the water.

Generator

In our post on the Fundamentals of the Electrical Grid, we explored how generators work {13}, {14}, so feel free to read more about them there.

Control

As one may be able to imagine, running a plant with six generation units requires quite a bit of monitoring. Our example plant comprises three unit control rooms each servicing two units. An outside control room monitors auxiliary systems such as conveyor belts with water treatment making use of its own control room. Finally, a station control room is used to communicate with the national command center.

Security consideration: a manipulation of the valves as discussed above or 
the distribution of ransomware onto all operator stations may cuase a 
Denial-of-Service (DoS) condition since the plant will likely have to shut 
down.

All operations including normal, cold, warm, or hot start-ups can be performed from the control rooms using either manual, partially automatic, or fully automatic processes. Various data logging and monitoring tools are used to ensure that the plants operate correctly.

Conclusion

Alright, so we have had to take in quite a bit of information again. Hopefully, though, we have gained a better understanding of the operating principles of a coal power station: coal is burned, to heat water, and spins a turbine which powers a turbine. Based on the information we have learned today, which systems do you think an attacker may target and how? Can we use this information to better protect our coal power stations?

Security consideration: we managed to identify several security 
considerations throughout this post. Nevertheless, we may have missed 
something. Feel free to leave a comment with additional considerations!
Electrical
Electrical Engineering
Cybersecurity
Hacking
Electricity

--

--

Dietmar Marggraff

Written by Dietmar Marggraff

28 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams