Nuclear cloud computing growth to challenge cyber security tools

The rising use of common platforms for power plant analytics will require in-depth review of technology options and regular security audits to minimize cyber security risks, experts at real-time software infrastructure firm OSIsoft told Nuclear Energy Insider.

From renewable energy generators through to oil and gas explorers, operators are implementing real-time data monitoring and predictive maintenance strategies to gain competitive advantage as new technologies pressure energy prices.

The Nuclear Energy Institute’s initiative Delivering the Nuclear Promise calls for an industry-wide, 30% cut to operating costs by January 2018 and digitizing Operations and Maintenance (O&M) to improve plant performance is set to underpin operator strategies.

Exelon Generation, the largest nuclear operator in the U.S., has teamed up with GE Hitachi to develop Predix Cloud, an Internet of Things (IoT) digital solution that manages and analyzes vast volumes of data streamed from multiple sensors monitoring multiple assets located around the plant. The technology is already being used to provide predictive assessments of key power plant components such as turbines, in order to improve decision-making and reduce costs.

Applying advanced analytics to the predictive maintenance of assets could save industrial companies such as water and power suppliers up to 12% on scheduled repairs and reduce overall maintenance costs by up to 30%, according to the Industrial Internet Insights Report 2015, published by Accenture and GE.

The scale, speed and frequency of data generated by the IoT requires a new level of processing power, prompting a shift towards the scalable digital storage and computing capabilities offered by cloud-based platforms.

Security challenge

Increasing digitization of processes is driving efficiency gains across the nuclear industry but increased connectivity and data sharing raises new challenges for cyber security.

According to Steven Sarnecki, Vice President of Federal and Public Sector at OSIsoft LLC, the architecture and design of IoT and cloud services are pivotal to security. Pushing the boundaries of efficiency also expands the vulnerability to threats, as the need for compatibility drives uniformity in IT design.

“We can no longer say that the uniqueness of a control system is, in itself, a secure system. Now systems are based on common platforms. You can’t hide behind isolation. Everyone now is using the same sensor and that’s the biggest threat,” Sarnecki told Nuclear Energy Insider.

Critical control systems in older plants were isolated due to their antiquity but more integrated modern operational systems will require operators to review how the control platform is secured and examine the weakest links in the digital solution architecture and processes, Sarnecki said.

Although cloud computing is markedly efficient, it could prove a false economy in savings on infrastructure costs if the risk of an attack is increased. Nuclear operators need to be clear about their objectives in deploying cloud computing, and be sure of the security of the cloud service relative to other users, Sarnecki said.

Data protection

OSIsoft’s IoT data management solution, Pi System, gathers, analyzes and shares large volumes of real-time and high fidelity data on various metrics including production process flows, vibration, heat, pressure, temperature and asset use from sensors and equipment.

Higher numbers of sensors increases the number of data and decision points offering potential efficiency gains. However, each sensor adds to the exposure to cyber security threats if the network and connectivity are not properly managed, Sarnecki noted.

In 2006 the Nuclear Regulatory Commission (NRC) selected OSIsoft to modernise its existing Emergency Response Data System (ERDS) with the Pi System and the company now provides centralised monitoring for all U.S. operational nuclear power plants.

According to OSIsoft, the Pi System enhances situational awareness for critical decision-making by improving the coordination of responses to emergencies such as cyber attacks. It also uses trend data analysis to find the root cause.

OSIsoft ensured the Pi System was secure by meticulously re-writing software codes and only using trusted cyber security collaborators, Christopher Crosby, Principal, Global Nuclear and Renewable Energy at OSIsoft, told Nuclear Energy Insider.

Critical control networks in all U.S. nuclear power plants are protected by data diodes or unidirectional gateways, which air gap by only permitting one-way outward flow of data leaving no inward channel for potentially harmful externally-generated data to move back into the facility.

The Pi System provides data streams from operational sensors in real-time to engineers and operators using mirror architecture. Live data is relayed one-way to a replica Pi System, which is not digitally connected to operations, allowing monitoring and analysis without the risk of breach.

Data traffic is also monitored for aberrations to expected patterns that could indicate someone or something is interfering with the flow, flagging up a potential breach.

Since attacks are often diagnosed long after they occur, real-time awareness allows more immediate damage limitation actions to be taken, Sarnecki said.

Systemic review

The global IoT market is expected to grow from $655.8 billion in 2014 to $1.7 trillion in 2020, a compound annual growth rate (CAGR) of 16.9%, according to a report by the International Data Corporation (IDC) published in 2015.

Modules and sensors, connectivity products, and IT services are expected to account for over two-thirds of the IoT market in 2020, with modules and sensors representing 31.8% of the total, IDC said.

According to NRC spokesman David McIntyre, current cyber security regulations for nuclear plant operators are robust and broad enough to keep systems secure given the latest technology innovations.

The NRC published in 2009 specific cyber security rules for "Protection of Digital Computer and Communication Systems and Network," incorporating lessons learned from cyber security orders imposed after the September 2001 terrorist attacks. All plant operators had to implement an approved cyber security plan which is reviewed as part of the NRC's inspection program.

If the adoption of a new IT system such as cloud computing requires the operator to change its cyber security plan, it must submit a request to the NRC for approval, McIntyre said.

In order to ensure continuing system security, operators and system providers must periodically audit system safeguards, Sarnecki said.

Even if more vulnerable assets are harboured in safer locations, data migration over the internet inherently exposes cyber security vulnerabilities and these must be addressed, he said.

As data analytics becomes a key driver of cost optimization in nuclear power plants, operators must continue to prioritize system security when implementing the latest digitization technology.

By Karen Thomas