At a lab on the campus of Purdue University, researchers are testing something that has never been done before in the U.S. energy industry, but has potentially huge implications for the future of nuclear power. They are attempting to demonstrate how to operate a nuclear reactor with all-digital, network-connected instruments and controls, while, at the same time, mitigating the cybersecurity risk of someone hacking into those digital systems.
Earlier this year, federal regulators granted Purdue University Reactor Number One, a research reactor that has been running since 1962, a license to go entirely digital, eschewing the analog wires and tubes that were state-of-the-art at the start of the atomic age and continue to dominate many of the nuclear power reactor fleet's most important safety systems.
While U.S. nuclear plants have been incorporating digital technology over time, many important systems designed to prevent the release of dangerous radiation are still typically analog. For cybersecurity reasons, the digital controls that do exist have to be "air gapped," meaning they are physically isolated from outside networks.
At Purdue, researchers are using the safety of the laboratory to take the exact opposite approach. The digital controls will have wireless connections that the researchers assume can be hacked so they can test how a digital control room can maintain the safety of the reactor even in the face of a cyber threat. "Can we detect that there was an intrusion and how does that affect the rest of the facility?" Clive Townsend, the reactor's supervisor, explained to Utility Dive.
Extending nuclear lives
This research comes at a time when the U.S. nuclear industry is seeking to go further than they have before with digitization. The reactor fleet is getting old and, for the most part, not being replaced by new reactors. If nuclear power is going to continue generating anywhere near the more than half of U.S. CO2 emissions-free electricity that it provides now, extending the life of existing nuclear plants is necessary. As a result, the nuclear industry has been stressing the advantages of digital systems for life extension, including the ability to more easily replace digital equipment as it ages compared to analog equipment that may be decades-old and no longer available.
"It is urgent that we get on with this," Doug True, the chief nuclear officer for the industry trade association the Nuclear Energy Institute (NEI), said at a May briefing on digital instrumentation and control before the U.S. Nuclear Regulatory Commission (NRC). "We have plants that are aging, we have plants that are making decisions about moving into subsequent license renewal where digital controls are important."
"By narrowing [the cybersecurity guidance for nuclear plants], you are assuming you know exactly what the adversary is going to do, and that's a mistake."
Acting Director of the Nuclear Safety Project, The Union of Concerned Scientists
Last week the NRC approved a key milestone for Florida Power & Light's application to renew its license for the Turkey Point nuclear plant for another 20 years, potentially allowing Turkey Point to be operate for a total of 80 years, something no U.S. nuclear plant has achieved.
One of the plants right behind Turkey Point in the application process for an 80-year license is Dominion Energy's Surry Power Station in Virginia, where two reactors started operating in 1972 and 1973, respectively, and without license extensions, will have to retire by 2032 and 2033.
"We are evaluating converting several analog systems to digital" at Surry, Dominion spokesman Kenneth Holt told Utility Dive. Those systems include the annunciators — the panels in the control room full of indicators that light up with warning signs about the reactor status — and the equipment that shows the position of control rods within the reactor core.
"It is difficult to find replacement parts" for many of the analog systems, Holt said. In some cases, "the manufacturer went out of business 20 years ago."
Strict rules on cybersecurity, however, pose a challenge to the goal of introducing more digital equipment into a plant. Any digital device or piece of software that the NRC has determined is connected to the systems meant to prevent radiological sabotage undergoes rigorous and continual scanning, updates and other actions to ensure it has not been and cannot be compromised by cybersecurity threats. In addition, any plant employee who has access to this equipment must undergo regular background checks, tests for reliability and trustworthiness and psychological assessments.
There has been some disagreement between the industry and regulators as to which digital equipment should be subjected to the highest level of scrutiny. The NRC's broad application of its cybersecurity rules has "resulted in reactor licensees having to implement cyber security controls on hundreds to thousands of digital assets, most of which have no direct relationship to radiological sabotage," like digital indicators on non-safety-related equipment, fax machines, hand-held calibration devices, radios, pagers and calculators NEI wrote in its petition. The group is asking the NRC to narrow its application to only those digital assets that, if compromised in a cyber attack, "would be inimical to the health and safety of the public."
That change would lead to a "substantial reduction in burden" for plant operators' use of digital equipment, while "maintaining adequate protection against cyber attacks," the petition said.
But NEI filed that petition in June 2014, kicking off an NRC review that is still ongoing. As reactors continue to age, the NRC is conducting cybersecurity inspections of the country's nuclear plants. Those inspections will likely be likely wrapped up by the fourth quarter of 2020, according to a recent NRC update.
The challenge with adding more digital instruments and controls is "not a hurdle that's beyond what the utilities are more than willing to put up with to get the safety benefits they could get from modernizing their older systems."
cybersecurity expert, Nuclear Energy Institute
The NRC's caution about changing the cybersecurity rules is appropriate, according to Edwin Lyman, the acting director of the Nuclear Safety Project at the Union of Concerned Scientists. In an interview, Lyman said the unpredictability of cybersecurity threats means that regulators should keep the guidance for what equipment is subject to the strongest cybersecurity protections as broad as possible.
"By narrowing [the guidance], you are assuming you know exactly what the adversary is going to do, and that's a mistake," Lyman said.
A piece of equipment that may not initially appear to be directly related to radiological sabotage could become critical if a cyber attack is combined with a physical attack, according to Lyman. For example, a hack of digital communications devices used by plant security could not lead to a radiological accident by itself, but if the devices were hacked while a physical attack threatened the reactor core, security's ability to respond and prevent the attack could be compromised.
Bill Gross, a cybersecurity expert for NEI, told Utility Dive that the industry's current cybersecurity policies are robust and prevent intrusions from a number of angles. Beyond air gapping, "we don't let portable media or the laptops we use to go outside the plant. We keep them in the plant in the maintenance locker." Any device that could contain a virus, malware or worm is "virus-scanned" on the way out of the locker and virus-scanned on the way back in.
The challenge with adding more digital instruments and controls is "not a hurdle that's beyond what the utilities are more than willing to put up with to get the safety benefits they could get from modernizing their older systems," Gross said.
Improving reactor performance
Those safety benefits, in part, stem from how digitization can improve the way a reactor operates in general.
The nuclear fleet has recently seen several reactors forced to retire early due to the reactors' inability to cover their costs of operation in a low power price environment, and more plants could be at risk of the same fate.
Digital controls can reduce the costs of operating a nuclear plant and help it earn more revenue in several ways.
"From an engineering standpoint, the ability [to] do self-diagnostics, plant monitoring, get information from the [digital] system to allow improvements in engineering and improvements in plant reliability is substantial."
Senior Vice President and Chief Nuclear Officer, Dominion Energy
At the May briefing before the NRC, Dominion Energy Senior Vice President and Chief Nuclear Officer Dan Stoddard presented historical data that show "tangible performance improvements" for plants that have upgraded from analog to digital controls of their feedwater pumps and steam turbines. For example, pressurized water reactors that have made those digital steam turbine upgrades have a rate of unplanned outages, or "scrams," that is one-seventh the rate for those reactors that still have analog controls, according to Stoddard's presentation.
"From an engineering standpoint, the ability [to] do self-diagnostics, plant monitoring, get information from the [digital] system to allow improvements in engineering and improvements in plant reliability is substantial," Stoddard said.
But despite the benefits, some plant operators have found these types of digital upgrades to be difficult to justify due to the upfront cost and the time and effort spent going through the regulatory process to get NRC approval for the changes.
Almost a decade ago, Duke Energy's Oconee facility in South Carolina became the first nuclear plant in the country to switch from analog to digital controls of the systems that monitor the temperature and pressure of the reactor itself and the status of the reactor coolant — the most important reactor systems in terms of safety. Those new controls allowed Oconee to gauge temperature and pressure in real time so the reactor can run more efficiently and problems can be automatically mitigated, according to Duke.
But the upgrades were also expensive and time-consuming. "They eventually got done, but it was a burden. It took a long time," NEI Senior Project Manager Stephen Vaughn told Utility Dive.
While Oconee eventually got a great deal of value out of these digital upgrades because they allowed the plant to generate more electricity, no further digital conversion projects are planned at this time, according to Duke Energy spokeswoman Rita Sipe.
While many nuclear plants continue to install digital instruments and controls on a smaller scale, due to "regulatory uncertainty," "cybersecurity compliance" and "cost," there are no digital conversions for reactor protection systems like those done at Oconee currently planned or in progress at any U.S. plant, Stoddard told the NRC in May, and there have not been any more recently, an NEI spokesman said in an email to Utility Dive.
Just the start
As the industry gains more experience incorporating digital controls, the benefits may grow, making those upfront costs easier for plant owners to stomach.
"The fact that the NRC is accepting a digital console for a small research reactor [...] signals the regulatory body moving toward approval in a large industry reactor."
Reactor Supervisor, Purdue University Nuclear Engineering
For example, the NRC allowed the Purdue reactor to use a digital console with parts certified under international standards, rather than the much costlier domestic standards the NRC usually requires.
"The fact that the NRC is accepting a digital console for a small research reactor, with parts certified under the [international] standards, signals the regulatory body moving toward approval in a large industry reactor," Townsend said in a statement from the university.
NEI officials point out, however, that the test reactor is a tiny fraction of the size of an operating power reactor, so the results of its work with all-digital systems may not always apply to the industry at large.
Still, "from a digital technology perspective, there are some lessons we can learn from it," Vaughn said of the Purdue project.
But it could take years before the team has conclusions about how reactors can leverage the full benefits of digital systems while maintaining cybersecurity. "We are just getting started," Townsend said.
Correction: A previous version of this article misquoted a word by Bill Gross about scanning computers and other devices at nuclear plants. The updated sentence is: Any device that could contain a virus, malware or worm is "virus-scanned" on the way out of the locker and virus- scanned on the way back in.