Model-Based Cyber-Security Framework for Nuclear Power Plant

Abstract

A model-based cyber-security framework has been developed to address the new challenges of cyber threats arising from the increasing use of digital components in the instrumentation and control (I&C) systems of modern nuclear power plants. The framework is developed to detect intrusions into pressurized water reactor (PWR) systems that could result in unnecessary reactor shutdown events due to out-of-range steam generator water levels. The generation of potential attack scenarios demonstrates a process for identifying the most susceptible attack pathways and components in the I&C system. It starts by identifying two key I&C divisions of the modern AP1000 design related to the reactor trip functions: the protection and safety monitoring system and the plant control system. The attack tree analysis is performed on the steam generator (SG) water level control system using the SAPHIRE 8.0.9 code. To quantify the system's susceptibility to cyber-attack events that cause reactor trips, we propose sensitivity metrics that identify the low-order sets of components that may be compromised and the degree of perturbation needed for each component. Multi-path event tree (MPET) structures are developed to display a large number of dominant or risk-significant attack scenarios efficiently and intuitively, instead of the traditional event trees representing minimal cut sets. A reduced order model (ROM) has been developed to efficiently represent the SG dynamics and facilitate the detection of potential cyber-attacks. The dynamic ROM is built on the energy balance equation for a single vertical boiling channel approximating a U-tube steam generator. The ROM provides an essential relationship connecting the reactor power, water level, and feedwater flow rate. An application programming interface (API) for the I&C systems, serving as the interface between the RELAP5 system code and the ROM, has been developed.
A Kalman filtering based detection method has been proposed that provides optimal tracking of the SG water level by combining the uncertain simulation results with observation data subject to statistical fluctuations. An observed plant state with significant deviation from the optimal system projection could then indicate a potential intrusion into the system. Finally, a mitigation strategy that takes the controller feedback into account is proposed to avoid the reactor trip due to an attack on the SG water level sensors. The worst-case attack within this issue space is defined, and the maximum delay time allowed for the mitigation is obtained.

PhD, Nuclear Engineering & Radiological Sciences, University of Michigan, Horace H. Rackham School of Graduate Studies
http://deepblue.lib.umich.edu/bitstream/2027.42/162955/1/gjunjie_1.pd
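The residual-based detection idea above (a model projection of the SG water level, a Kalman filter fusing it with noisy sensor readings, and an alert when the observed state deviates significantly from the projection) is illustrated by the following added example. It is not code from the dissertation: the one-state mass-balance stand-in for the ROM, the constants, the noise and the injected sensor offset are all constructed assumptions.

```python
# Added illustration of residual-based intrusion detection with a scalar
# Kalman filter on a steam-generator water level. Not the dissertation's
# code: the one-state mass-balance model and all constants are assumptions.

DT = 1.0               # time step in seconds (assumed)
GAIN = 0.01            # level change per unit net flow per second (assumed)
STEAM_PER_POWER = 1.0  # steam flow per unit reactor power (assumed)

def predict_level(level, feedwater, power):
    """ROM-style projection: level rises with feedwater, falls with steaming."""
    return level + DT * GAIN * (feedwater - STEAM_PER_POWER * power)

def kalman_monitor(readings, feedwater, power, q=1e-4, r=1e-2, sigma=4.0):
    """Track the level with a scalar Kalman filter and flag every reading whose
    normalised innovation exceeds `sigma`. A flagged reading is not used to
    update the state, so a spoofed sensor cannot drag the estimate with it.
    Returns (estimates, flags)."""
    x, p = readings[0], r          # seed the estimate from the first reading
    estimates, flags = [], []
    for z, fw, pw in zip(readings, feedwater, power):
        x = predict_level(x, fw, pw)   # time update from the plant model
        p += q                         # model uncertainty grows each step
        innovation, s = z - x, p + r   # residual and its variance
        flagged = abs(innovation) / s ** 0.5 > sigma
        if not flagged:                # measurement update only if trusted
            k = p / s
            x += k * innovation
            p *= 1 - k
        estimates.append(x)
        flags.append(flagged)
    return estimates, flags

# Constructed sample: steady plant (feedwater equals steam demand), sensor
# noise of a few hundredths, then a +2.0 offset injected from step 8 on.
NOISE = [0.0, 0.03, -0.02, 0.04, -0.03, 0.01, -0.01, 0.02, 0.01, -0.02, 0.03, 0.0]
READINGS = [50.0 + n + (2.0 if i >= 8 else 0.0) for i, n in enumerate(NOISE)]
FEEDWATER = [100.0] * len(READINGS)
POWER = [100.0] * len(READINGS)

def run_demo():
    """Run the monitor over the constructed sample; returns (estimates, flags)."""
    return kalman_monitor(READINGS, FEEDWATER, POWER)

if __name__ == "__main__":
    est, fl = run_demo()
    for i, (z, e, f) in enumerate(zip(READINGS, est, fl)):
        print(f"step {i:2d} reading {z:6.2f} estimate {e:6.2f} {'ALERT' if f else 'ok'}")
```

With these constants the innovation variance settles near 0.011, so the normal noise stays well under one sigma while the 2.0 offset is roughly 19 sigma and every subsequent offset reading keeps alerting because the estimate is not updated from suspect readings.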
