Make no mistake the folks at NITSL (Nuclear IT Strategic Leadership) are focused on a new renaissance for nuclear energy in the US. Perhaps only the smart grid has more buzz going on right now.
Indeed nuclear energy generation is on the rise. Digital instrumentation, controls and information systems are enabling higher capacity factors and frequently part of reactor power up-rate projects. Funding to build a new reactor in the US has been secured. With 40% of carbon emissions attributed to power generation, nuclear energy is also benefiting from carbon footprint reduction initiatives.
Security regulations are however a concern. Physical security solutions alone represent 7-9% of operational budgets. How much more will it cost to implement and maintain cyber security programs?
In fact, the industry is now faced with dual regulation on cyber security: the NERC CIP standards to protect bulk electric system and new NRC orders that essentially mandate implementation of NIST 800-53 and 800-82 security framework.
Folks attending the NITSL workshop are well prepared for the road ahead. After all, there really is no margin for error – many in attendance remember where they were for 3 Mile Island (it’s not just the plants are aging ) and fully understand how much is at stake. Perhaps it’s these familiar faces and belief in common goals that, IMHO, makes NITSL one of the most productive industry working groups on cyber security.
NIST 800-82 describes several architectures. The most common and most secure deployment pattern for PI uses replication technology between two or more PI servers. The idea is to restrict access into the security perimeter while still providing authorized access to plant information on servers located outside the perimeter. Customers in many industries are already doing this today, with PItoPI streaming data into central servers and driving fleet management applications.
The nuclear spin, although not final, involves regulatory guidelines that are expected to prohibit communication inbound to critical networks. Implementation strategies discussed at NITSL include OSI network layer 1 enforcement devices.
The approach is an old trick commonly used in the days of RS232. Remember when we would snip the TX lead on the PI end of a Y-cable? This would enable communication eavesdropping but avoid potential glitch of serial handshake (btw…PI-UFL still provides an option for listening to serial com ports).
Of course, Ethernet really changed the world and with it TCP/IP claimed a spot as a reliable protocol fit for industrial service. There lies the rub, the 3 way TCP handshake is fundamental and simply not readily compatible with mechanisms blocking acknowledgement. Furthermore, systems may be highly integrated and depend on bidirectional data flows.
Engineering for uni-directional communication is a hot topic. Bridging plant and corporate PI Servers with such a link is definitely interesting. In addition, the NIST cyber security coordination task group for smart grid standards has already started to characterize interfaces appropriate for uni-directional enforcement. So there you have it, you might not be able to teach old dogs new tricks… but the young pup can quickly learn those good old tricks!