Nuclear Power Stations

Cyber security considerations for Nuclear Power Stations

Dietmar Marggraff
13 min read · Jul 4, 2023
Nuclear Reactor

When thinking about nuclear power plants the first image that may pop into mind is that of a yellow cartoon character eating donuts at a control panel, right? Or perhaps the little green, glowing (radioactive), bar that slips down the back of the same character's shirt? Well, it turns out that nuclear power stations are a little more complex than portrayed in this cartoon and so in this post, we will dive a little deeper into the complexities of a nuclear plant and what the cyber security considerations may be.

Feel free to explore some of the other topics we have covered in this series including Substations, Coal Power Stations, Process Control, and Open Cycle Gas Turbines.

Security consideration: throughout this post you will find these security 
considerations. These are used to highlight some of the important processes
that may be worth considering from a security perspective. This is not an
all-encompassing analysis, though, so try and keep the following questions
in mind when reading the post -
[1] Is this a critical process that may be worth protecting?
[2] What should we do to protect the system?
* Disclaimer: this information should not be used for nefarious or unauthorised
purposes but rather as an educational tool (see the Welcome post of this
blog).

Introduction

Nuclear power stations operate in a similar manner to coal power stations, namely, the conversion of chemical energy to thermal energy and finally to electrical energy. Just as with coal power stations we also have water that is heated to steam by some form of reaction. In this case, we use uranium and the nuclear fission process to heat the water (instead of burning coal).

Various reactor configurations are available with Figure 1 providing an overview of the most common types. We won’t be diving into all of the types but rather consider the Pressurised Water Reactor (PWR) and Boiling Water Reactor (BWR).

Figure 1: Reactor configurations.

Pressurised Water Reactor

Figure 2, below, highlights the design of a type of PWR. This specific design makes use of three cooling loops, the key design feature being that the water in the different loops does not mix.

Figure 2: Power plant setup.

The primary loop circulates water through the reactor (1) (that contains the uranium) by means of a coolant pump (3), resulting in a closed system. Importantly, a pressuriser (4) is employed to ensure that the water does not boil. If the water were to turn to steam, its cooling ability would be reduced.

The pressuriser maintains pressure by spraying water from spray heads at the top of the pressuriser to cool it down, or by using heaters to warm it up again.

Security consideration: should the sprayers or heaters not work as expected, 
a loss-of-pressure-control accident could occur since the water starts to boil,
resulting in an inability to cool the core which may lead to a meltdown.

A heat exchanger is used to transfer the heat that was generated in the primary loop to the secondary loop. Water is pumped into the base of the steam generator where it comes into contact with the heat exchanger. The water is heated and steam is generated. In our example, the steam is then pumped through one high-pressure turbine (5) and three low-pressure turbines (6) which in turn drive the generators (7). The steam then comes into contact with the tertiary loop, where it condenses.

The tertiary loop is composed of cold water (perhaps from the ocean or a nearby river) and is used to reduce the temperature of the steam so that it returns to a liquid form.

Side note: our example system is capable of pumping water at a rate of 8 tons per second with the capacity to cool 40 tons of steam per second (through the use of 2 condensers).

Reactor

The reactor is a critical component of the power plant and is comprised of 3 main components. The fuel (1) takes the form of enriched uranium dioxide pellets that are stacked together to form a rod. Multiple rods, in turn, create a fuel assembly as seen in Figure 3, below.

Figure 3: Fuel assembly.

Control rods (2) are used to control the reaction process. These are made of a combination of materials (e.g. boron) that are able to absorb large numbers of neutrons without themselves decaying. The reaction process is stopped when the rods are completely down (within the core) and full output is achieved when the rods are completely removed from the core.

Side note: the rapid shutdown of a reactor by means of the control rods is referred to as a scram.

Water, as described above, is used as a coolant and moderator (3). Besides serving the purpose of carrying heat away from the reactor, the water is also used to slow down the speed of the neutrons (moderation).

Side note: considering a bit of reactor physics, the effective multiplication factor is defined by the following equation:

This factor essentially considers the ratio of neutrons produced and lost during a generation. When this factor reaches unity (one) we have a critical/self-sustaining reaction. This implies that the number of neutrons that are produced equals the number of neutrons lost. The reactivity, in turn, is defined by the following equation:

A reactivity of less than zero results in a subcritical reaction whereas a reactivity of greater than zero results in a supercritical reaction (both conditions are undesirable).

This is important because the reactivity is related to the position of the control rods. During normal operation, the control rods should be placed at such a height that the reactivity is as close to zero as possible (critical reaction).

Security consideration: if the control rods cannot be placed in their correct
position, a supercritical condition could occur which, if not rectified,
could result in dangerous conditions. A power excursion incident (the rapid
increase in reactor power output resulting in a rapid increase in heat)
can happen very rapidly.

Boiling Water Reactor

Figure 4, below, shows a more detailed view of the construction of a General Electric Boiling Water Reactor (BWR). This reactor follows a different design from the one that we discussed above. The reactor vessel assembly serves, among other things, the following purposes:

  • House the reactor core.
  • Support and align the fuel and control rods.
  • Provide cooling and water circulation.
  • Remove water from the steam leaving the core.
  • Provide emergency cooling.

The base and the head of the reactor (bottom head and top head) are cylindrical, and the head can be removed to aid in the refueling process. (15) and (16) highlight the fuel assemblies and control rods we were exposed to earlier, whilst (24) shows the neutron monitoring systems. Elements (6) and (3) are used to separate the water droplets from the steam, whilst (5) and (9) describe important emergency cooling systems that we will encounter later on in this post.

Figure 4: General Electric BWR/6

Figure 5, below, provides a block diagram of the GE-BWR/6. It is evident that water enters the reactor, where it is heated to steam, separated from water droplets, and leaves the reactor at the top to flow to the main turbine.

Figure 5: Boiling Water Reactor model.

General Electric provides three different types of containment designs, namely, the Mark I, II, and III. Figure 6 highlights the design of a Mark III containment structure.

Figure 6: Mark III Containment structure.

Security consideration: a meltdown occurs when the reactor is not able to
sufficiently control the reaction anymore resulting in heat being
generated that exceeds the design specifications. The fuel rods will begin to
melt and potentially breach the reactor vessel. In the case of Chernobyl,
the very hot material then came into contact with water, causing the rapid
production of steam resulting in an explosion. Besides the explosion, the
release of high levels of radioactive material may prove harmful for the
environment.

Process Control

As with any of our other power plants, process control is important (for a detailed explanation of this process, feel free to read the Process Control post). Process control is especially important in our nuclear power plants, however, since a failure, disruption, or manipulation may lead to significant consequences.

In our nuclear power plant, we will find the typical sensors (e.g. temperature, level, flow, etc.) and actuators (valves, water pumps, etc.) as well as the important actuators that control the position of the control rods.

In this post we will consider two different designs/configurations:

Side note: the control systems currently implemented within a nuclear power plant may vary in implementation. The following are simply example designs.

European Pressurized Reactor

Figure 7 highlights an example overview of a nuclear plant's Instrumentation & Control (I&C) architecture. Level 0 contains the typical field devices, e.g. sensors and actuators.

Figure 7: Example Instrumentation & Control architecture.

Let us consider some of these components in a little more detail:

  • The actuators are connected to the Priority Actuation and Control System (PACS) which is used to monitor and control both safety and non-safety-related systems. As seen in Figure 8, below, a dedicated controller is used to interpret normal bus signals for normal operation. These signals are compared to safety signals, though, to ensure that the correct prioritisation is achieved. Note the bidirectional signals for both control and monitoring. The prioritisation module can also be used to resolve conflicts for operational signals from different systems.
Figure 8: Block diagram of a PACS.
Security consideration: If the safety signals were to not reach the PACS, or,
the incorrect safety signals reach it, the system may incorrectly manipulate
the actuators potentially resulting in unwanted/dangerous conditions.
  • The Protection System (PS) is responsible for bringing the plant to a controlled state (in a different system this role may be fulfilled by a Safety Instrumented System (SIS)/safety PLC). Safety functions may include tripping the reactor and triggering Emergency Core Cooling Systems (ECCSs), amongst others, whilst operating independently of other systems.
  • The Safety Automation System (SAS) is “dedicated to automatic and manual control and measuring and monitoring functions needed to bring the plant to a safe shutdown state.”
  • The Safety Information and Control System (SICS) can be used to manage the plant for a short period of time should the PICS become unavailable and can control certain safety-related processes.
Security consideration: Many of the safety functions are related to heat 
removal. The reason for this is that a runaway (out of control) reaction
could result in excessive amounts of heat being generated, which, if not
controlled, could result in a meltdown. A meltdown may result in an
uncontrolled release of dangerous radioactive particles.
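To make the PACS prioritisation concrete, here is an added example (my own sketch, not code from the post or from any vendor's PACS) that models the priority module described above: the operational demand from the normal bus and the safety demand are both presented for the same actuator, the safety demand always wins a conflict, and a missing or stale safety signal is treated as a fault that drives the actuator to a fail-safe position and raises an alarm, rather than being read as "no safety demand". The actuator name, the fail-safe position, the staleness window and the sample timestamps are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Command(Enum):
    OPEN = "open"
    CLOSE = "close"
    HOLD = "hold"  # no demand from this source


@dataclass
class Signal:
    command: Command
    timestamp: float  # seconds on a constructed sample clock


@dataclass
class Actuator:
    name: str
    fail_safe: Command  # assumed position to take when the safety demand is unknown


# Assumption: a safety signal older than this many seconds is treated as lost.
SAFETY_STALE_AFTER = 2.0


def prioritise(actuator: Actuator, operational: Optional[Signal],
               safety: Optional[Signal], now: float) -> Tuple[Command, str]:
    """Decide what the actuator is driven to, and why.

    Rule 1: a missing or stale safety signal is a fault, not 'no demand'; the
            actuator goes to its fail-safe position and an alarm reason is returned.
    Rule 2: an explicit safety demand always overrides the operational demand.
    Rule 3: otherwise the operational (normal bus) demand is followed.
    """
    if safety is None or now - safety.timestamp > SAFETY_STALE_AFTER:
        return actuator.fail_safe, "ALARM: safety signal missing or stale, fail-safe position applied"
    if safety.command is not Command.HOLD:
        if operational is not None and operational.command is not safety.command:
            return safety.command, "conflict: safety demand overrides operational demand"
        return safety.command, "safety demand"
    if operational is None or operational.command is Command.HOLD:
        return Command.HOLD, "no demand"
    return operational.command, "operational demand"


def run_scenarios():
    """Constructed scenarios for one isolation valve; returns the decision per scenario."""
    valve = Actuator("feedwater_isolation_valve", fail_safe=Command.CLOSE)
    now = 10.0
    op_open = Signal(Command.OPEN, 9.9)  # normal bus wants the valve open
    cases = {
        "normal operation": (op_open, Signal(Command.HOLD, 9.5)),
        "safety demand conflicts": (op_open, Signal(Command.CLOSE, 9.8)),
        "safety signal stale": (op_open, Signal(Command.HOLD, 7.0)),  # 3 s old
        "safety signal missing": (op_open, None),
    }
    return {name: prioritise(valve, op, saf, now) for name, (op, saf) in cases.items()}


if __name__ == "__main__":
    for name, (cmd, reason) in run_scenarios().items():
        print(f"{name:24s} -> {cmd.value:5s} ({reason})")
```

The design choice worth noting is the stale-signal branch: a priority module that silently falls back to the operational demand when the safety channel goes quiet would let a lost or blocked safety signal pass unnoticed, which is exactly the condition the security consideration above warns about.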

The non-safety related systems are as follows:

  • The Process Information and Control System (PICS) provides the main control interface for the reactor and larger plant and will, for example, show alarms and provide operators with suggestions for control actions.
  • The Reactor Control, Surveillance, and Limitation System (RCSL) is used to monitor and control the reactor and steam systems to ensure that parameters do not reach tripping conditions. Rather than letting the process reach an unsafe state in which the safety systems must take over, the RCSL monitors key parameters to keep the reactor within safe and efficient operating conditions.
Security consideration: If the threshold parameters for the RCSL are not 
set correctly, the process may be allowed to enter a state in which the safety
systems take over, potentially resulting in an unnecessary reactor shutdown.
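The security consideration above is about the setpoints themselves, so here is an added example (my own, not code from the post or from any plant) of two checks a defender would want on an RCSL parameter set before it is loaded: an ordering check that every limitation band sits strictly inside the corresponding protection-system trip band (with a minimum margin), so the RCSL always gets the first chance to act, and a canonical SHA-256 fingerprint that is compared against a known-good value so that any change to a setpoint is visible. The parameter names and numbers are constructed for the example and are not real plant values.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample setpoint table (illustrative numbers, not real plant values).
# For each parameter: trip_low < limit_low < limit_high < trip_high, i.e. the RCSL
# limitation band lies inside the protection system's trip band.
SETPOINTS = {
    "coolant_temperature_degC": {"limit_low": 285.0, "limit_high": 325.0,
                                 "trip_low": 275.0, "trip_high": 335.0},
    "pressuriser_pressure_MPa": {"limit_low": 14.8, "limit_high": 16.0,
                                 "trip_low": 13.5, "trip_high": 17.2},
    "pressuriser_level_pct":    {"limit_low": 25.0, "limit_high": 75.0,
                                 "trip_low": 10.0, "trip_high": 90.0},
}


def validate_setpoints(table: Dict[str, Dict[str, float]], min_margin: float = 0.0) -> List[str]:
    """Return one finding per violated ordering rule; an empty list means the table is sane.
    The gap between each limitation setpoint and its trip setpoint must exceed min_margin."""
    findings = []
    for name, p in table.items():
        if not p["limit_low"] < p["limit_high"]:
            findings.append(f"{name}: limitation band is empty or inverted")
        if p["limit_low"] - p["trip_low"] <= min_margin:
            findings.append(f"{name}: low limitation setpoint is not above low trip setpoint")
        if p["trip_high"] - p["limit_high"] <= min_margin:
            findings.append(f"{name}: high limitation setpoint is not below high trip setpoint")
    return findings


def classify(table: Dict[str, Dict[str, float]], readings: Dict[str, float]) -> Dict[str, str]:
    """Say which system has authority for each reading: 'normal' (nothing to do),
    'limitation' (RCSL should act) or 'trip' (protection system takes over)."""
    out = {}
    for name, value in readings.items():
        p = table[name]
        if value <= p["trip_low"] or value >= p["trip_high"]:
            out[name] = "trip"
        elif value <= p["limit_low"] or value >= p["limit_high"]:
            out[name] = "limitation"
        else:
            out[name] = "normal"
    return out


def fingerprint(table: Dict[str, Dict[str, float]]) -> str:
    """Canonical SHA-256 of the table, to be compared with a known-good value kept
    outside the control system so that any setpoint change is detectable."""
    canonical = json.dumps(table, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def tampered_copy(table: Dict[str, Dict[str, float]]) -> Dict[str, Dict[str, float]]:
    """Constructed example of a bad change: the high limitation setpoint for coolant
    temperature is pushed above the trip setpoint, so the protection system would trip
    the reactor before the RCSL ever acts."""
    bad = json.loads(json.dumps(table))
    bad["coolant_temperature_degC"]["limit_high"] = 340.0
    return bad


if __name__ == "__main__":
    print("known-good fingerprint:", fingerprint(SETPOINTS))
    print("findings on good table:", validate_setpoints(SETPOINTS, min_margin=1.0))
    bad = tampered_copy(SETPOINTS)
    print("findings on tampered table:", validate_setpoints(bad))
    print("fingerprint changed:", fingerprint(bad) != fingerprint(SETPOINTS))
```

The ordering check catches a mis-set or manipulated limitation band regardless of how it got there; the fingerprint tells you that something changed even when the new values happen to pass the ordering check.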

Of additional interest in Figure 7 are the different control interfaces (Human-System Interface Systems) defined as:

  • The Main Control Room (MCR) which provides the main control interface and may look something similar to the control room shown in Figure 9, below. From this position, operators are able to view all important process parameters provided by the PICS. The safety systems can also be monitored from here and other peripheral systems such as cameras and fire systems are also available.
Figure 9: Example of a Main Control Room.
Security consideration: One of the reasons for the meltdown of Unit 2 at
Three Mile Island was that operators turned off the emergency pumps
because sensors indicated that the system contained too much water when,
in fact, it contained too little. It is imperative that operators and
control systems receive the correct process data to ensure that informed
decisions can be made.
  • Should the MCR become unavailable, the Remote Shutdown Station (RSS) becomes the next control interface. The RSS provides operators with the functionality to disconnect the MCR and shut down the plant in a safe manner.
  • The Technical Support Centre (TSC) provides a view-only perspective into the plant and can be used for additional support during accident/post-accident management.
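The Three Mile Island point above is that one wrong indication drove a wrong decision. An added example (my own, not code from the post) of the kind of defence a practitioner would want in front of the operator display is two-out-of-three voting across redundant sensor channels: the reported value is the median, so a single channel that is faulty or fed wrong data cannot drag the result with it, the disagreeing channel is named for investigation, and when no two channels agree the display says so instead of showing a number that may be wrong. The channel readings and the agreement tolerance are constructed for the example.

```python
from statistics import median
from typing import Dict, List, Optional, Tuple

# Assumption: a channel "agrees" when it is within this distance of the median,
# in the same engineering unit as the readings (constructed for the example).
AGREEMENT_TOLERANCE = 2.0


def vote_2oo3(channels: List[float],
              tolerance: float = AGREEMENT_TOLERANCE) -> Tuple[Optional[float], str, List[int]]:
    """Two-out-of-three voting over redundant sensor channels.

    Returns (value, status, deviant_channel_indexes):
      - all three agree            -> (median, "agree", [])
      - exactly one channel deviates -> (median, "degraded ...", [i]); value still valid
      - no two channels agree      -> (None, "no consensus ...", [i, j]); do not act on a number
    """
    if len(channels) != 3:
        raise ValueError("expected exactly three channels")
    mid = median(channels)  # middle value; never the single outlier
    deviants = [i for i, v in enumerate(channels) if abs(v - mid) > tolerance]
    if not deviants:
        return mid, "agree", []
    if len(deviants) == 1:
        return mid, "degraded: one channel disagrees, investigate it; value still valid", deviants
    return None, "no consensus: verify level by independent indication", deviants


# Constructed readings for a pressuriser level indication in percent.
CONSTRUCTED_READINGS: Dict[str, List[float]] = {
    "all channels healthy": [52.0, 51.5, 52.3],
    "one channel wrong": [52.0, 51.5, 80.0],
    "no two channels agree": [10.0, 50.0, 90.0],
}


def demo() -> Dict[str, Tuple[Optional[float], str, List[int]]]:
    """Run the voter over each constructed set of channel readings."""
    return {name: vote_2oo3(ch) for name, ch in CONSTRUCTED_READINGS.items()}


if __name__ == "__main__":
    for name, (value, status, deviants) in demo().items():
        shown = "----" if value is None else f"{value:5.1f}%"
        print(f"{name:22s}: level {shown}  [{status}]  deviant channels: {deviants}")
```

The important behaviour is the third case: rather than quietly picking one channel, the voter withholds the value and tells the operator to confirm by other means, which is the opposite of what the operators at Three Mile Island were given.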

Advanced Pressurised Water Reactor

Figure 10, below, highlights a second design/configuration designated as the Advanced Pressurised Water Reactor.

Side Note: many of the systems we discussed above are implemented again, but with different names/configurations, and as such, we will not go into the same level of detail.

Figure 10: Overall architecture of a PWR control system.

Protection and Safety Monitoring System (PSMS): this system performs the monitoring and automatic shutdown of the plant should an unsafe condition be observed/detected. The Plant Control and Monitoring System (PCMS) performs the plant control during normal operation. The PCMS is typically used to control the positions of valves and various other actuators to control the process.

The APWR described above is based on the Mitsubishi Electric Total Advanced Controller Platform (MELTAC) solution. The architecture of the system is shown in Figure 11, below. The controllers communicate via the Futurebus+ protocol.

Figure 11: MELTAC architecture.
Security consideration: if the signals between the different controllers
and the VDUs are not correct, the system could respond in unexpected/
dangerous ways.

Cooling

As discussed above, many of the safety systems relate to the ability to control the fission reaction (typically by controlling the heat). In order to perform this function, various cooling systems are implemented (in this case we will consider the GE-BWR/6 as a use-case again, as shown in Figure 12).

Figure 12: Cooling system of the GE-BWR/6.

Decay Heat Removal

When the reactor is shut down, it will continue to produce heat. The Residual Heat Removal (RHR) system will continue to circulate water through the reactor but bypasses the turbines and transfers the steam straight to the condenser.

Standby Liquid Control System

Whilst the control rods can be used to control the reaction, an additional neutron poison (boron) can also be injected into the core to cool it down further.

Emergency Core Cooling System

Dependent on the exact reactor design, the reactor may make use of a variation of the following Emergency Core Cooling System (ECCS). These are typically employed to protect the core during a loss of the normal cooling system. The type of emergency cooling that is employed is related to the rate at which coolant is being lost. The ECCS is comprised of high- and low-pressure systems:

  • The high-pressure system is comprised of a High-Pressure Cooling Injection (HPCI) system and an Automatic Depressurization System (ADS).
  • The low-pressure system is comprised of a Low-Pressure Cooling Injection (LPCI) system and a Core Spray (CS) system.

The HPCI is employed whilst the reactor is still under pressure. If the loss of coolant is rapid enough, though, resulting in a rapid loss of pressure, the LPCI will be employed. Should the HPCI fail during an emergency, the ADS is employed to rapidly reduce the pressure, through an array of emergency safety valves, so that the LPCI can take over. If the HPCI is capable of replacing all coolant that is being lost, it will be employed until the pressure has been reduced to a suitable level allowing for the low-pressure systems to take over. Figure 13, below, provides an overview of the configuration of the high- and low-pressure cooling systems.

Figure 13: Emergency Core Cooling System.

The core spray system, as seen in Figure 13, above, is comprised of two independent pump systems which serve the purpose of spraying water on top of the fuel assemblies.

Security consideration: it is essential that the electronic components of the
ECCS such as the automated valves and pumps operate correctly when called
upon. If the incorrect ECCS are employed or they are employed incorrectly,
it may not be possible to get the reaction under control potentially resulting
in a meltdown.
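The selection rules spelled out above (HPCI while the reactor is still under pressure, ADS to depressurise if HPCI fails, LPCI and core spray once pressure is low) are a small state machine, and the security consideration is that the equipment must actually do what it is told. Here is an added example (my own, not code from the post or from GE) that implements the sequencing and adds a command/feedback check: every system commanded in one sample must report acting in the next, and an HPCI that is commanded but never reports running is declared failed so that the ADS path is taken. The pressure threshold, the sample interval assumption and the plant snapshots are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption (constructed threshold): at or below this reactor pressure the low-pressure
# systems (LPCI and core spray) are able to inject.
LPCI_MAX_PRESSURE_MPA = 3.0


@dataclass
class Snapshot:
    """One sample of plant state. The two boolean fields are feedback from pump
    contacts and valve position switches, not the commands that were sent."""
    t: int
    loca: bool           # loss-of-coolant condition present
    pressure: float      # reactor pressure, MPa
    hpci_running: bool   # HPCI pump reported running
    ads_open: bool       # ADS relief valves reported open


@dataclass
class EccsSequencer:
    hpci_failed: bool = False
    last_cmd: Optional[str] = None
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    def verify(self, s: Snapshot) -> str:
        """Command/feedback check: what was commanded in the previous sample must
        report acting now. Assumption: one sample interval is enough for feedback."""
        if self.last_cmd == "HPCI" and not s.hpci_running:
            self.hpci_failed = True
            return "HPCI commanded but no running feedback: HPCI declared failed, ADS selected"
        if self.last_cmd == "ADS" and not s.ads_open:
            return "ADS commanded but relief valves not open: alarm"
        return "ok"

    def decide(self, s: Snapshot) -> str:
        """Select the system following the rules in the post: HPCI while pressure is
        high, ADS to depressurise if HPCI has failed, LPCI and core spray once low."""
        if not s.loca:
            return "none"
        if s.pressure <= LPCI_MAX_PRESSURE_MPA:
            return "LPCI+CS"
        if self.hpci_failed:
            return "ADS"
        return "HPCI"

    def run(self, samples: List[Snapshot]) -> List[Tuple[int, str, str]]:
        """Process samples in order; returns (t, command, feedback check) per sample."""
        for s in samples:
            check = self.verify(s)
            cmd = self.decide(s)
            self.events.append((s.t, cmd, check))
            self.last_cmd = cmd
        return self.events


def hpci_healthy() -> List[Snapshot]:
    """Constructed scenario: HPCI starts, holds inventory while pressure falls, then hands over."""
    return [
        Snapshot(0, True, 7.0, False, False),
        Snapshot(1, True, 6.2, True, False),
        Snapshot(2, True, 2.5, True, False),
    ]


def hpci_fails() -> List[Snapshot]:
    """Constructed scenario: HPCI never reports running, ADS depressurises, LPCI takes over."""
    return [
        Snapshot(0, True, 7.0, False, False),
        Snapshot(1, True, 6.9, False, False),
        Snapshot(2, True, 4.5, False, True),
        Snapshot(3, True, 2.0, False, True),
    ]


if __name__ == "__main__":
    for label, scenario in (("HPCI healthy", hpci_healthy()), ("HPCI fails", hpci_fails())):
        print(label)
        for t, cmd, check in EccsSequencer().run(scenario):
            print(f"  t={t} command={cmd:8s} feedback={check}")
```

A sequencer that only tracks what it commanded, and never what the pumps and valves report back, would keep "running" HPCI while the core lost inventory; the feedback check is what turns the security consideration above into something the control logic can act on.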

As described above, the cooling systems form a vital component of a nuclear power plant, not just for electricity generation but also for reaction control.

Conclusion

In this post, we considered, at a very high level, how a nuclear power plant works, how it can be controlled, and some of the important cooling/safety systems. It is important to note that an actual control system is orders of magnitude more complex than what was described in this post.

Side Note: to gain some insight into the complexity, the United States Nuclear Regulatory Commission (US NRC) has fortunately provided us with the application documents for a US-APWR, ESBWR, and various other reactor designs, where the documentation for just the I&C system exceeds 600 pages.

Various protection mechanisms are employed in nuclear power plants; however, they are only effective if they can, and do, operate as required.

Security consideration: we managed to identify several security 
considerations throughout this post. Nevertheless, we may have missed
something. Feel free to leave a comment with additional considerations!
