Publications

25 Results
ADROC: An Emulation Experimentation Platform for Advancing Resilience of Control Systems

Thorpe, Jamie T.; Fasano, Raymond E.; Livesay, Michael L.; Sahakian, Meghan A.; Reinbolt, Hannah M.; Vugrin, Eric D.

Cyberattacks against industrial control systems have increased over the last decade, making it more critical than ever for system owners to have the tools necessary to understand the cyber resilience of their systems. However, existing tools are often qualitative, subject matter expertise-driven, or highly generic, making thorough, data-driven cyber resilience analysis challenging. The ADROC project proposed to develop a platform to enable efficient, repeatable, data-driven cyber resilience analysis for cyber-physical systems. The approach consists of two phases of modeling: computationally efficient math modeling and high-fidelity emulations. The first phase allows for scenarios of low concern to be quickly filtered out, conserving resources available for analysis. The second phase supports more detailed scenario analysis, which is more predictive of real-world systems. Data extracted from experiments is used to calculate cyber resilience metrics. ADROC then ranks scenarios based on these metrics, enabling prioritization of system resources to improve cyber resilience.

Update on the Investigation of Commercial Drying Cycles Using the Advanced Drying Cycle Simulator

Durbin, S.G.; Pulido, Ramon P.; Williams, Ronald L.; Baigas, Beau T.; Vice, Gregory T.; Koenig, Greg J.; Fasano, Raymond E.; Salazar, Alex S.

The purpose of this report is to document updates on the apparatus to simulate commercial vacuum drying procedures at the Nuclear Energy Work Complex at Sandia National Laboratories. Validation of the extent of water removal in a dry spent nuclear fuel storage system based on drying procedures used at nuclear power plants is needed to close existing technical gaps. Operational conditions leading to incomplete drying may have potential impacts on the fuel, cladding, and other components in the system during subsequent storage and disposal. A general lack of data suitable for model validation of commercial nuclear canister drying processes necessitates well-designed investigations of drying process efficacy and water retention. Scaled tests that incorporate relevant physics and well-controlled boundary conditions are essential to provide insight and guidance to the simulation of prototypic systems undergoing drying processes. This report documents a new test apparatus, the Advanced Drying Cycle Simulator (ADCS). This apparatus was built to simulate commercial drying procedures and quantify the amount of residual water remaining in a pressurized water reactor (PWR) fuel assembly after drying. The ADCS was constructed with a prototypic 17×17 PWR fuel skeleton and waterproof heater rods to simulate decay heat. These waterproof heaters are the next generation design to heater rods developed and tested at Sandia National Laboratories in FY20. This report describes the ADCS vessel build that was completed late in FY22, including the receipt of the prototypic length waterproof heater rods and construction of the fuel basket and the pressure vessel components. In addition, installations of thermocouples, emissivity coupons, pressure and vacuum lines, pressure transducers, and electrical connections were completed. Preliminary power functionality testing was conducted to demonstrate the capabilities of the ADCS. 
In FY23, a test plan for the ADCS will be developed to implement a drying procedure based on measurements from the process used for the High Burnup Demonstration Project. While applying power to the simulated fuel rods, this procedure is expected to consist of filling the ADCS vessel with water, draining the water with applied pressure and multiple helium blowdowns, evacuating additional water with a vacuum drying sequence at successively lower pressures, and backfilling the vessel with helium. Additional investigations are expected to feature failed fuel rod simulators with engineered cladding defects and guide tubes with obstructed dashpots to challenge the drying system with multiple water retention sites.

Harmonized Automatic Relay Mitigation of Nefarious Intentional Events (HARMONIE) - Special Protection Scheme (SPS)

Hossain-McKenzie, Shamina S.; Jacobs, Nicholas J.; Summers, Adam; Kolaczkowski, Bryan D.; Goes, Christopher E.; Fasano, Raymond E.; Mao, Zeyu M.; Al Homoud, Leen A.; Davis, Kate D.; Overbye, Thomas O.

The harmonized automatic relay mitigation of nefarious intentional events (HARMONIE) special protection scheme (SPS) was developed to provide adaptive, cyber-physical response to unpredictable disturbances in the electric grid. The HARMONIE-SPS methodology includes a machine learning classification framework that analyzes real time cyber-physical data and determines if the system is in normal conditions, cyber disturbance, physical disturbance, or cyber-physical disturbance. This classification then informs response, if needed and/or suitable, and included cyber-physical corrective actions. Beyond standard power system mitigations, a few novel approaches were developed that included a consensus algorithm-based relay voting scheme, an automated power system triggering condition and corrective action pairing algorithm, and a cyber traffic routing optimization algorithm. Both the classification and response techniques were tested within a newly integrated emulation environment composed of a real-time digital simulator (RTDS) and SCEPTRE™. This report details the HARMONIE-SPS methodology, highlighting both the classification and response techniques, and the subsequent testing results from the emulation environment.

Response of a Pressurized Water Reactor Dashpot Region to Commercial Drying Cycles

Pulido, Ramon P.; Taconi, Anna M.; Salazar, Alex S.; Fasano, Raymond E.; Williams, Ronald W.; Baigas, Beau T.; Durbin, S.G.

The purpose of this report is to document updates to the simulation of commercial vacuum drying procedures at the Nuclear Energy Work Complex at Sandia National Laboratories. Validation of the extent of water removal in a dry spent nuclear fuel storage system based on drying procedures used at nuclear power plants is needed to close existing technical gaps. Operational conditions leading to incomplete drying may have potential impacts on the fuel, cladding, and other components in the system. A general lack of data suitable for model validation of commercial nuclear canister drying processes necessitates additional, well-designed investigations of drying process efficacy and water retention. Scaled tests that incorporate relevant physics and well-controlled boundary conditions are essential to provide insight and guidance to the simulation of prototypic systems undergoing drying processes. This report documents testing updates for the Dashpot Drying Apparatus (DDA), an apparatus constructed at a reduced scale with multiple Pressurized Water Reactor (PWR) fuel rod surrogates and a single guide tube dashpot. This apparatus is fashioned from a truncated 5×5 section of a prototypic 17×17 PWR fuel skeleton and includes the lowest segment of a single guide tube, often referred to as the dashpot region. The guide tube in this assembly is open and allows for insertion of a poison rod (neutron absorber) surrogate.

Update on the Simulation of Commercial Drying of Spent Nuclear Fuel

Durbin, S.G.; Lindgren, Eric R.; Pulido, Ramon P.; Salazar, Alex S.; Fasano, Raymond E.

The purpose of this report is to document improvements in the simulation of commercial vacuum drying procedures at the Nuclear Energy Work Complex at Sandia National Laboratories. Validation of the extent of water removal in a dry spent nuclear fuel storage system based on drying procedures used at nuclear power plants is needed to close existing technical gaps. Operational conditions leading to incomplete drying may have potential impacts on the fuel, cladding, and other components in the system. A general lack of data suitable for model validation of commercial nuclear canister drying processes necessitates additional, well-designed investigations of drying process efficacy and water retention. Scaled tests that incorporate relevant physics and well-controlled boundary conditions are essential to provide insight and guidance to the simulation of prototypic systems undergoing drying processes.

Cyber-Physical Risks for Advanced Reactors

Fasano, Raymond E.; Lamb, Christopher L.; Hahn, Andrew S.; Haddad, Alexandria H.

Cybersecurity for industrial control systems is an important consideration that advanced reactor designers will need to consider. How cyber risk is managed is the subject of ongoing research and debate in the nuclear industry. This report seeks to identify potential cyber risks for advanced reactors. Identified risks are divided into absorbed risk and licensee managed risk to clearly show how cyber risks for advanced reactors can potentially be transferred. Absorbed risks are risks that originate external to the licensee but may unknowingly propagate into the plant. Insights include (1) the need for unification of safety, physical security, and cybersecurity risk assessment frameworks to ensure optimal coordination of risk, (2) a quantitative risk assessment methodology in conjunction with qualitative assessments may be useful in efficiently and sufficiently managing cyber risks, and (3) cyber risk management techniques should align with a risk-informed regulatory framework for advanced reactors.

Advance Reactor Operational Technology Architecture Categorization

Fasano, Raymond E.; Hahn, Andrew S.; Haddad, Alexandria H.; Lamb, Christopher L.

Seven generation III+ and generation IV nuclear reactor types, based on twelve reactor concepts surveyed, are examined using functional decomposition to extract relevant operational technology (OT) architecture information. This information is compared to existing nuclear power plants (NPPs) OT architectures to highlight novel and emergent cyber risks associated with next generation NPPs. These insights can help inform operational technology architecture requirements that will be unique to a given reactor type. Next generation NPPs have streamlined OT architectures relative to the current generation II commercial NPP fleet. Overall, without compensatory measures that provide sufficient and efficient cybersecurity controls, next generation NPPs will have increased cyber risk. Verification and validation of cyber-physical testbeds and cyber risk assessment methodologies may be an important next step to reduce cyber risk in the OT architecture design and testing phase. Coordination with safety requirements can result in OT architecture design being an iterative process.

Automated Cyber Security Testing Platform for Industrial Control Systems

Hahn, Andrew S.; Fasano, Raymond E.

Nuclear Power Plants (NPPs) are a complex system of coupled physics controlled by a network of Programmable Logic Controllers (PLCs). These PLCs communicate process data across the network to coordinate control actions with each other and inform the operators of process variables and control decisions. Networking the PLCs allows more effective process control and provides the operator more information, which results in more efficient plant operation. This interconnectivity creates new security issues: as operators have more access to the plant controls, so will bad actors. As plant networks become more digitized and encompass more sophisticated controllers, the network surface exposed to cyber interference grows. Understanding the dynamics of these coupled systems of physics, control logic, and network communications is critical to their protection. The research into the cybersecurity of the Operational Technologies of NPPs is developing and requires a platform that can allow high fidelity physics simulations to interact with digital networks of controllers. This will require three main components: a network simulation environment, a physics simulator, and virtual PLCs (vPLC) that represent typical industry hardware. A platform that incorporates these three components to provide the most accurate representation of actual NPP networks and controllers is developed in this paper.

Investigation of Thermal-Hydraulic Effects of Dry Storage Canister Helium Backfill Loss Using the Horizontal Dry Cask Simulator

Pulido, Ramon P.; Fasano, Raymond E.; Lindgren, Eric R.; Williams, Ronald W.; Vice, Gregory T.; Durbin, S.G.

A previous investigation produced data sets that can be used to benchmark the codes and best practices presently used to determine cladding temperatures and induced cooling air flows in modern horizontal dry storage systems. The horizontal dry cask simulator (HDCS) was designed to generate this benchmark data and add to the existing knowledge base. The objective of the previous HDCS investigation was to capture the dominant physics of a commercial dry storage system in a well-characterized test apparatus for a wide range of operational parameters. The close coupling between the thermal response of the canister system and the resulting induced cooling air flow rate was of particular importance. The previous investigation explored these parameters using helium backfill at 100 kPa and 800 kPa pressure as well as air backfill with a series of simulated decay heats. The helium tests simulated a horizontal dry cask storage system at normal storage conditions with either atmospheric or elevated backfill pressure, while the air tests simulated horizontal storage canisters following a complete loss of helium backfill, in which case the helium would be replaced by air. The present HDCS investigation adds to the previous investigation by exploring steady-state conditions at various stages of the loss of helium backfill from a horizontal dry cask storage system. This is achieved by using helium/air blends as a backfill in the HDCS and running a series of tests using various simulated decay heats to explore the effects of relative helium/air molar concentration on the thermal response of a simulated horizontal dry cask storage system. A total of twenty tests were conducted where the HDCS achieved steady state for various assembly powers, representative of decay heat. The power levels tested were 0.50, 1.00, 2.50, and 5.00 kW. All tests were run at 100 kPa vessel pressure. 
The backfill gases used in these tests are given in this report as a function of mole fraction of helium (He), balanced by air: 1.0, 0.9, 0.5, 0.1, and 0.0 He. Steady-state conditions (where the steady-state start condition is defined as where the change in temperature with respect to time for the majority of HDCS components is less than or equal to 0.3 K/h) were achieved for all test cases.

A Cybersecurity Event Simulation Tool and Platform

Hahn, Andrew S.; Fasano, Raymond E.; El-Genk, Mohammed E.; Schriener, Timothy S.

Digital Instrumentation and Control Systems (ICSs) have replaced analog control systems in nuclear power plants, raising cybersecurity concerns. To study and understand the cybersecurity risks of nuclear power plants, both high fidelity models of the plant physics and controllers must be created, and a framework to test and evaluate cyber security events must be established. A testing and evaluation framework of cybersecurity events consists of a method of interfering with control systems, a simulation of the plant network, and a network packet capture and recording tool. Sandia National Labs (SNL) in collaboration with the University of New Mexico’s Institute for Space and Nuclear Power Studies (UNM-ISNPS) is developing such a cybersecurity testing framework.

Emulation methodology of programmable logic controllers for cybersecurity applications

International Conference on Nuclear Engineering, Proceedings, ICONE

Fasano, Raymond E.; Lamb, Christopher; El Genk, Mohamed; Schriener, Timothy; Hahn, Andrew

A programmable logic controller (PLC) emulation methodology can dramatically reduce the cost of high-fidelity operational technology (OT) network emulation without compromising specific functionality. A PLC emulation methodology is developed as part of an ongoing effort at the University of New Mexico's Institute for Space and Nuclear Power Studies (UNM-ISNPS) in collaboration with Sandia National Laboratories (SNL) to develop an emulytic™ platform to support cybersecurity analyses of the instrumentation and control (I&C) systems of pressurized water reactors (PWRs). This methodology identifies and characterizes key physical and digital signatures of interest. The obtained and displayed digital signatures include the network response, traffic, and software version, while the selected physical signatures include the actuation response time and sampling time. An extensive validation analysis is performed to characterize the signatures of the real, hardware-based PLC and the emulated PLC. These signatures are then compared to quantify differences and identify optimum settings for the emulation fidelity.

Cyber resilience analysis of SCADA systems in nuclear power plants

International Conference on Nuclear Engineering, Proceedings, ICONE

Galiardi, Meghan; Gonzales, Amanda G.; Thorpe, Jamie T.; Vugrin, Eric D.; Fasano, Raymond E.; Lamb, Christopher L.

Aging plants, efficiency goals, and safety needs are driving increased digitalization in nuclear power plants (NPP). Security has always been a key design consideration for NPP architectures, but increased digitalization and the emergence of malware such as Stuxnet, CRASHOVERRIDE, and TRITON that specifically target industrial control systems have heightened concerns about the susceptibility of NPPs to cyber attacks. The cyber security community has come to realize the impossibility of guaranteeing the security of these plants with 100% certainty, so demand for including resilience in NPP architectures is increasing. Whereas cyber security design features often focus on preventing access by cyber threats and ensuring confidentiality, integrity, and availability (CIA) of control systems, cyber resilience design features complement security features by limiting damage, enabling continued operations, and facilitating a rapid recovery from the attack in the event control systems are compromised. This paper introduces the REsilience VeRification UNit (RevRun) toolset, a software platform that was prototyped to support cyber resilience analysis of NPP architectures. Researchers at Sandia National Laboratories have recently developed models of NPP control and SCADA systems using the SCEPTRE platform. SCEPTRE integrates simulation, virtual hardware, software, and actual hardware to model the operation of cyber-physical systems. RevRun can be used to extract data from SCEPTRE experiments and to process that data to produce quantitative resilience metrics of the NPP architecture modeled in SCEPTRE. This paper details how RevRun calculates these metrics in a customizable, repeatable, and automated fashion that limits the burden placed upon the analyst. This paper describes RevRun's application and use in the context of a hypothetical attack on an NPP control system. 
The use case specifies the control system and a series of attacks and explores the resilience of the system to the attacks. The use case further shows how to configure RevRun to run experiments, how resilience metrics are calculated, and how the resilience metrics and RevRun tool can be used to conduct the related resilience analysis.
