Cyberattacks against industrial control systems have increased over the last decade, making it more critical than ever for system owners to have the tools necessary to understand the cyber resilience of their systems. However, existing tools are often qualitative, subject matter expertise-driven, or highly generic, making thorough, data-driven cyber resilience analysis challenging. The ADROC project proposed to develop a platform to enable efficient, repeatable, data-driven cyber resilience analysis for cyber-physical systems. The approach consists of two phases of modeling: computationally efficient math modeling and high-fidelity emulations. The first phase allows for scenarios of low concern to be quickly filtered out, conserving resources available for analysis. The second phase supports more detailed scenario analysis, which is more predictive of real-world systems. Data extracted from experiments is used to calculate cyber resilience metrics. ADROC then ranks scenarios based on these metrics, enabling prioritization of system resources to improve cyber resilience.
The purpose of this report is to document updates on the apparatus to simulate commercial vacuum drying procedures at the Nuclear Energy Work Complex at Sandia National Laboratories. Validation of the extent of water removal in a dry spent nuclear fuel storage system based on drying procedures used at nuclear power plants is needed to close existing technical gaps. Operational conditions leading to incomplete drying may have potential impacts on the fuel, cladding, and other components in the system during subsequent storage and disposal. A general lack of data suitable for model validation of commercial nuclear canister drying processes necessitates well-designed investigations of drying process efficacy and water retention. Scaled tests that incorporate relevant physics and well-controlled boundary conditions are essential to provide insight and guidance to the simulation of prototypic systems undergoing drying processes. This report documents a new test apparatus, the Advanced Drying Cycle Simulator (ADCS). This apparatus was built to simulate commercial drying procedures and quantify the amount of residual water remaining in a pressurized water reactor (PWR) fuel assembly after drying. The ADCS was constructed with a prototypic 17×17 PWR fuel skeleton and waterproof heater rods to simulate decay heat. These waterproof heaters are the next generation design to heater rods developed and tested at Sandia National Laboratories in FY20. This report describes the ADCS vessel build that was completed late in FY22, including the receipt of the prototypic length waterproof heater rods and construction of the fuel basket and the pressure vessel components. In addition, installations of thermocouples, emissivity coupons, pressure and vacuum lines, pressure transducers, and electrical connections were completed. Preliminary power functionality testing was conducted to demonstrate the capabilities of the ADCS. 
In FY23, a test plan for the ADCS will be developed to implement a drying procedure based on measurements from the process used for the High Burnup Demonstration Project. While applying power to the simulated fuel rods, this procedure is expected to consist of filling the ADCS vessel with water, draining the water with applied pressure and multiple helium blowdowns, evacuating additional water with a vacuum drying sequence at successively lower pressures, and backfilling the vessel with helium. Additional investigations are expected to feature failed fuel rod simulators with engineered cladding defects and guide tubes with obstructed dashpots to challenge the drying system with multiple water retention sites.
The harmonized automatic relay mitigation of nefarious intentional events (HARMONIE) special protection scheme (SPS) was developed to provide adaptive, cyber-physical response to unpredictable disturbances in the electric grid. The HARMONIE-SPS methodology includes a machine learning classification framework that analyzes real-time cyber-physical data and determines whether the system is in normal conditions, cyber disturbance, physical disturbance, or cyber-physical disturbance. This classification then informs the response, if one is needed and/or suitable; the responses included cyber-physical corrective actions. Beyond standard power system mitigations, a few novel approaches were developed, including a consensus algorithm-based relay voting scheme, an automated power system triggering condition and corrective action pairing algorithm, and a cyber traffic routing optimization algorithm. Both the classification and response techniques were tested within a newly integrated emulation environment composed of a real-time digital simulator (RTDS) and SCEPTRE™. This report details the HARMONIE-SPS methodology, highlighting both the classification and response techniques, and the subsequent testing results from the emulation environment.
Recent high profile cyber attacks on critical infrastructures have raised awareness about the severe and widespread impacts that these attacks can have on everyday life. This awareness has spurred research into making industrial control systems and other cyber-physical systems more resilient. A plethora of cyber resilience metrics and frameworks have been proposed for cyber resilience assessments, but these approaches typically assume that data required to populate the metrics is readily available, an assumption that is frequently not valid. This paper describes a new cyber experimentation platform that can be used to generate relevant data and to calculate resilience metrics that quantify how resilient specified industrial control systems are to specified threats. Demonstration of the platform and analysis process are illustrated through a use case involving the control system for a pressurized water reactor.
The purpose of this report is to document updates to the simulation of commercial vacuum drying procedures at the Nuclear Energy Work Complex at Sandia National Laboratories. Validation of the extent of water removal in a dry spent nuclear fuel storage system based on drying procedures used at nuclear power plants is needed to close existing technical gaps. Operational conditions leading to incomplete drying may have potential impacts on the fuel, cladding, and other components in the system. A general lack of data suitable for model validation of commercial nuclear canister drying processes necessitates additional, well-designed investigations of drying process efficacy and water retention. Scaled tests that incorporate relevant physics and well-controlled boundary conditions are essential to provide insight and guidance to the simulation of prototypic systems undergoing drying processes. This report documents testing updates for the Dashpot Drying Apparatus (DDA), an apparatus constructed at a reduced scale with multiple Pressurized Water Reactor (PWR) fuel rod surrogates and a single guide tube dashpot. This apparatus is fashioned from a truncated 5×5 section of a prototypic 17×17 PWR fuel skeleton and includes the lowest segment of a single guide tube, often referred to as the dashpot region. The guide tube in this assembly is open and allows for insertion of a poison rod (neutron absorber) surrogate.
A new small-scale pressure vessel with a 5×5 fuel assembly and axially truncated PWR hardware was created to simulate commercial vacuum drying processes. This test assembly, known as the Dashpot Drying Apparatus, was built to focus on the drying of a single PWR dashpot and surrounding fuel. Drying operations were simulated for three tests with the DDA based on the pressure and temperature histories observed in the HBDP. All three tests were conducted with an empty guide tube. One test was performed with deionized water as the fill fluid. The other two tests used 0.2 M boric acid as the fill fluid to accurately simulate spent fuel pool conditions. These tests proved the capability of the DDA to mimic commercial drying processes on a limited scale and detect the presence of bulk and residual water. Furthermore, for all tests, pressure remained below the 0.4 kPa (3 Torr) rebound threshold for the final evacuation step in the drying procedure. Results indicate that after bulk fluid is removed from the pressure vessel, residual water is verifiably measured through confirmatory measurements of pressure and water content using a mass spectrometer. The final pressure rebound behaviors for the three tests conducted were well below the established regulatory limit of less than 0.4 kPa (3 Torr) within 30 minutes of isolation. The water content measurements across all tests showed that despite observing high water content within the DDA vessel at the beginning of the vacuum isolations, the water content drastically drops to below 1,200 ppmv after the isolations were conducted. The data and operational experience from these tests will guide the next evolution of experiments on a prototypic-length scale with multiple surrogate rods in a full 17×17 PWR assembly. The insight gained through these investigations is expected to support the technical basis for the continued safe storage of spent nuclear fuel into long term operations.
The purpose of this report is to document improvements in the simulation of commercial vacuum drying procedures at the Nuclear Energy Work Complex at Sandia National Laboratories. Validation of the extent of water removal in a dry spent nuclear fuel storage system based on drying procedures used at nuclear power plants is needed to close existing technical gaps. Operational conditions leading to incomplete drying may have potential impacts on the fuel, cladding, and other components in the system. A general lack of data suitable for model validation of commercial nuclear canister drying processes necessitates additional, well-designed investigations of drying process efficacy and water retention. Scaled tests that incorporate relevant physics and well-controlled boundary conditions are essential to provide insight and guidance to the simulation of prototypic systems undergoing drying processes.
Cybersecurity for industrial control systems is an important consideration for advanced reactor designers. How cyber risk is managed is the subject of ongoing research and debate in the nuclear industry. This report seeks to identify potential cyber risks for advanced reactors. Identified risks are divided into absorbed risk and licensee-managed risk to clearly show how cyber risks for advanced reactors can potentially be transferred. Absorbed risks are risks that originate external to the licensee but may unknowingly propagate into the plant. Insights include (1) the need for unification of safety, physical security, and cybersecurity risk assessment frameworks to ensure optimal coordination of risk, (2) that a quantitative risk assessment methodology in conjunction with qualitative assessments may be useful in efficiently and sufficiently managing cyber risks, and (3) that cyber risk management techniques should align with a risk-informed regulatory framework for advanced reactors.
Seven generation III+ and generation IV nuclear reactor types, based on twelve reactor concepts surveyed, are examined using functional decomposition to extract relevant operational technology (OT) architecture information. This information is compared to the OT architectures of existing nuclear power plants (NPPs) to highlight novel and emergent cyber risks associated with next generation NPPs. These insights can help inform operational technology architecture requirements that will be unique to a given reactor type. Next generation NPPs have streamlined OT architectures relative to the current generation II commercial NPP fleet. Overall, without compensatory measures that provide sufficient and efficient cybersecurity controls, next generation NPPs will have increased cyber risk. Verification and validation of cyber-physical testbeds and cyber risk assessment methodologies may be an important next step to reduce cyber risk in the OT architecture design and testing phase. Coordination with safety requirements can result in OT architecture design being an iterative process.
Nuclear Power Plants (NPPs) are complex systems of coupled physics controlled by a network of Programmable Logic Controllers (PLCs). These PLCs communicate process data across the network to coordinate control actions with each other and inform the operators of process variables and control decisions. Networking the PLCs allows more effective process control and provides the operator with more information, which results in more efficient plant operation. This interconnectivity creates new security issues: as operators have more access to the plant controls, so will bad actors. As plant networks become more digitized and encompass more sophisticated controllers, the network surface exposed to cyber interference grows. Understanding the dynamics of these coupled systems of physics, control logic, and network communications is critical to their protection. Research into the cybersecurity of the Operational Technologies of NPPs is developing and requires a platform that allows high fidelity physics simulations to interact with digital networks of controllers. This will require three main components: a network simulation environment, a physics simulator, and virtual PLCs (vPLCs) that represent typical industry hardware. A platform that incorporates these three components to provide the most accurate representation of actual NPP networks and controllers is developed in this paper.
A previous investigation produced data sets that can be used to benchmark the codes and best practices presently used to determine cladding temperatures and induced cooling air flows in modern horizontal dry storage systems. The horizontal dry cask simulator (HDCS) was designed to generate this benchmark data and add to the existing knowledge base. The objective of the previous HDCS investigation was to capture the dominant physics of a commercial dry storage system in a well-characterized test apparatus for a wide range of operational parameters. The close coupling between the thermal response of the canister system and the resulting induced cooling air flow rate was of particular importance. The previous investigation explored these parameters using helium backfill at 100 kPa and 800 kPa pressure as well as air backfill with a series of simulated decay heats. The helium tests simulated a horizontal dry cask storage system at normal storage conditions with either atmospheric or elevated backfill pressure, while the air tests simulated horizontal storage canisters following a complete loss of helium backfill, in which case the helium would be replaced by air. The present HDCS investigation adds to the previous investigation by exploring steady-state conditions at various stages of the loss of helium backfill from a horizontal dry cask storage system. This is achieved by using helium/air blends as a backfill in the HDCS and running a series of tests using various simulated decay heats to explore the effects of relative helium/air molar concentration on the thermal response of a simulated horizontal dry cask storage system. A total of twenty tests were conducted where the HDCS achieved steady state for various assembly powers, representative of decay heat. The power levels tested were 0.50, 1.00, 2.50, and 5.00 kW. All tests were run at 100 kPa vessel pressure. 
The backfill gases used in these tests are given in this report as a function of mole fraction of helium (He), balanced by air: 1.0, 0.9, 0.5, 0.1, and 0.0 He. Steady-state conditions (where the steady-state start condition is defined as where the change in temperature with respect to time for the majority of HDCS components is less than or equal to 0.3 K/h) were achieved for all test cases.
Digital Instrumentation and Control Systems (ICSs) have replaced analog control systems in nuclear power plants, raising cybersecurity concerns. To study and understand the cybersecurity risks of nuclear power plants, high fidelity models of both the plant physics and the controllers must be created, and a framework to test and evaluate cybersecurity events must be established. A testing and evaluation framework for cybersecurity events consists of a method of interfering with control systems, a simulation of the plant network, and a network packet capture and recording tool. Sandia National Labs (SNL), in collaboration with the University of New Mexico’s Institute for Space and Nuclear Power Studies (UNM-ISNPS), is developing such a cybersecurity testing framework.
The U.S. Department of Energy (DOE) established a need to understand the thermal-hydraulic properties of dry storage systems for commercial spent nuclear fuel (SNF) in response to a shift towards the storage of high-burnup (HBU) fuel (> 45 gigawatt days per metric ton of uranium, or GWd/MTU). This shift raises concerns regarding cladding integrity, which faces increased risk at the higher temperatures within spent fuel assemblies present within HBU fuel compared to low-burnup fuel (≤ 45 GWd/MTU). A dry cask simulator (DCS) was built at Sandia National Laboratories (SNL) in Albuquerque, New Mexico to produce validation-quality data that can be used to test the accuracy of the modeling used to predict cladding temperatures. These temperatures are critical to evaluating cladding integrity throughout the storage cycle of commercial spent nuclear fuel. A model validation exercise was previously carried out for the DCS in a vertical configuration. Lessons learned during the previous validation exercise have been applied to a new, blind study using a horizontal dry cask simulator (HDCS). Three modeling institutions – the Nuclear Regulatory Commission (NRC), Pacific Northwest National Laboratory (PNNL), and Empresa Nacional del Uranio, S.A., S.M.E. (ENUSA) – were granted access to the input parameters from the DCS Handbook, SAND2017-13058R, and results from a limited data set from the horizontal BWR dry cask simulator tests reported in the HDCS update report, SAND2019-11688R. With this information, each institution was tasked to calculate peak cladding temperatures and air mass flow rates for ten HDCS test cases. Axial as well as vertical and horizontal transverse temperature profiles were also calculated. These calculations were done using modeling codes (ANSYS/Fluent, STAR-CCM+, or COBRA-SFS), each with their own unique combination of modeling assumptions and boundary conditions. 
For this validation study, the ten test cases of the horizontal dry cask simulator were defined by three independent variables – fuel assembly decay heat (0.5 kW, 1 kW, 2.5 W, and 5 kW), internal backfill pressure (100 kPa and 800 kPa), and backfill gas (helium and air). The plots provided in Chapter 3 of this report show the axial, vertical, and horizontal temperature profiles obtained from the dry cask simulator experiments in the horizontal configuration and the corresponding models used to describe the thermal-hydraulic behavior of this system. The tables provided in Chapter 3 illustrate the closeness of fit of the model data to the experiment data through root mean square (RMS) calculations of the error in peak cladding temperatures (PCTs), PCT axial locations, axial temperature profiles, vertical and horizontal temperature profiles at two different axial locations, and air mass flow rates for the ten test cases, normalized by the experimental results. The model results are assigned arbitrary model numbers to retain anonymity. Due to the relatively flat axial temperature profiles, small temperature gradients resulted in large deviations of all models’ PCT axial location from the experimental PCT axial location. When the PCT axial location error is excluded in the calculation of the combined RMS of the normalized errors that considers PCT, the temperature profiles, and the air mass flow rates, the model data fits the experimental data to within 5%. When the vault information is excluded, the model data fits the experimental data to within 2.5%. An error analysis was developed further for one model, using the model and experimental uncertainties in each validation parameter to calculate validation uncertainties. The uncertainties for each parameter were used to define quantifiable validation criteria. 
For this analysis, the model was considered validated for a given comparison metric if the normalized error in that metric divided by the validation uncertainty was less than or equal to 1. When considering the combined RMS of the normalized errors of all metrics divided by their validation uncertainties, the model was found to have satisfied the criterion for model validation.