US Nuclear Power Enters the Digital Age
An anonymous reader writes "South Carolina's Oconee Nuclear Station will replace its analog monitoring and operating controls with digital systems, as part of a $2 billion plant upgrade by its owner, Duke Energy. It will become the first nuke plant in the US to use digital controls, and its upgrade may be quickly followed by others. The main driver for the move is cost savings; worries about reliability and hackers have been the reason digital systems haven't been adopted sooner."
Duke Energy Forever (Score:5, Funny)
Re:Duke Energy Forever (Score:4, Funny)
What about the Nukem part? :)
Re:Duke Energy Forever (Score:4)
Just wait for the next tsunami/earthquake combo.
Re:Duke Energy Forever (Score:5, Informative)
Just wait for the next tsunami/earthquake combo.
If a tsunami hits there, then I think we've got FAR bigger things to worry about:
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Oconee+Nuclear+Station&aq=&sll=33.779147,-78.706055&sspn=6.883004,16.907959&ie=UTF8&hq=Oconee+Nuclear+Station&hnear=&z=7 [google.com]
I'd bet anything big enough to reach that far inland is big enough to wipe out our entire eastern coast, from Maine to Florida.
Great timing. (Score:4, Funny)
So let me get this straight. Before, they were too worried about hackers, but now, they feel it's perfectly safe to do this?
Let me guess. They're installing Windows XP, too.
Re:Great timing. (Score:5, Funny)
Re: (Score:3)
Mod the guy funny!
Great use of sarcasm there, building on XP having also had over a decade of the most obnoxious and prolific malware, ranging from mail worms through trojans all the way to self-replicating rootkits, not to mention the most numerous and spectacular security holes in the entire software industry.
And more to the point, it is also the only publicly known system to have been successfully compromised specifically to sabotage nuclear facilities....
Oh, wait ... you were serious?!
Re: (Score:3)
Windows XP was a stable, hugely popular operating system that has had over a decade of bug and security patches. Give me XP over the latest *nix flavor any day.
The thing is, there is essentially only one flavor of Windows, despite the differently packaged and priced versions. And it is essentially an OS for end-users that privileges usability over security. They only step back from obviously bad security practices after it has become a widely exploited and publicized problem. (C: shared by default over SMB? Auto-run? The holes that Windows 7 put in to make Vista's annoying UAC policy less annoying?)
Your latest Ubuntu flavor may face similar trade-offs, but ther
Re:Great timing. (Score:5, Insightful)
This has nothing whatsoever to do with bashing Windows (although XP is a particularly funny idea in the context of nuclear facilities) but with the fact that no consumer-grade desktop OS is suitable for truly mission-critical applications. That also includes OS X as well as many popular Linux flavours.
That is because such systems are impossible to security audit, due to their sprawling complexity, which is a show-stopper in such environments (at least when total idiots are not in charge).
Anywhere where there is a demand for a high grade of reliability and rock-solid security, vastly trimmed-down subsets of an OS and GUI rendering systems that can be formally audited are used. Which usually means either BSD/Linux or some other commercial flavour of *nix like QNX, because such systems are written in a way that makes them easier to analyse at this level.
So you can leave your mindless "our team good! their team bad!" fanboi nonsense at the door.
Re: (Score:3)
With all due respect, I strongly doubt that the US Government are installing consumer grade OSes on nuclear plant machinery.
I doubt they're installing Windows in general on it. QNX or similar is more likely.
Re: (Score:2)
Just because it's digital doesn't mean it has to be attached to the internet.
This should work out well.. (Score:4, Interesting)
Chinese Military Admits Existence of Cyberwarfare Unit
Wait..
Re: (Score:2)
South Carolina's Oconee Nuclear Station will replace its analog monitoring and operating controls with digital systems
Chinese Military Admits Existence of Cyberwarfare Unit
Wait..
No need to wait, they have already been there [businessweek.com] for a long time. Save what you can... in this case, some costs. After all, a blender is $30 at Walmart and this is great for the nation (hint: second phrase of TFA).
Ooo! I can solve that one! (Score:5, Insightful)
...hackers have been the reason digital systems haven't been adopted sooner.
Here's an idea, let's not connect it to the Internet.
Re: (Score:2)
But what about when Homer wants to work from home in episode 135?
Re: (Score:3)
Re:Ooo! I can solve that one! (Score:5, Insightful)
Re: (Score:3)
If the attacker has physical access to the hardware, security is already out the window at that point.
A USB-based attack would require the perpetrator to have as much access as the individuals using the current analog systems do now.
Re:Ooo! I can solve that one! (Score:4, Insightful)
so not just no internet access, you also need defined protocols for any media used
Re: (Score:3, Interesting)
Not really, it's been shown again and again that if you just drop off enough infected usb keys at an employee parking lot, during a morning or during lunch, that those employees will pick them up and naturally look up what's on those usb keys as soon as they get back in their office.
Re: (Score:2)
Then don't attach USB ports either.
Re:Ooo! I can solve that one! (Score:4, Interesting)
The original was not much more than a glorified backdoor. It would install itself but did not contain any directly malicious payload. It would try to connect back to the attacker, then the attacker could send and execute any payload they wanted.
It is likely the first payloads were used to identify priorities on the attacked system (downloading source code etc.). Then a malicious attack payload was specifically created to do the most harm and sent.
It was a glorified backdoor because it could propagate by itself and had the components to detect and connect to, upload and hide code to PLCs.
If it was installed by USB on a PC that was not connected to the internet then it would not have caused any direct harm since it wouldn't have been able to connect to the attacker.
Anyway, of course you can design a variant of Stuxnet that can try to damage any PLC without prior knowledge (contain a malicious payload), but I doubt it would be very effective. Without knowing what a PLC does / is supposed to do, the damage by simply changing values would likely be minimal and be immediately recognized.
Re: (Score:2)
Which means there was a lot wrong with their overall security.
It's perfectly safe to connect a USB key full of malicious software to a computer - as long as you do not run any software from that key! And you can only have software running from the USB key if 1) the OS allows this to begin with, and 2) the user (or OS - autostart or so) runs the software.
It is only reasonable to assume that a properly secured OS does not allow autorun functionality, and maybe even does not allow software to be run directl
Re: (Score:3)
Initially, yes. But it used the LAN to replicate.
"Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability"
http://cert.sharif.edu/en/StuxnetGeneral.aspx [sharif.edu]
Re: (Score:2)
That's getting more and more difficult by the day.
There are other ways to get viruses onto a network.
They are ways to get viruses onto secure networks that are, shall we say, unique.
Re: (Score:2)
and if it's not connected to a network it becomes a very labour intensive task to push out updates to the systems to prevent against the viruses.
Even if there is a whole internal network, that isn't connected to the internet all the modern computer security holes remain, and you either have to keep them all standalone - and update them all manually, or network them internally, update them all internally (as in, download updates by hand, transfer them to the appropriate internal network), you still need to
Re: (Score:2)
I think the real question is, why should nuclear power plant monitoring and control systems require a full-on desktop/server OS to run? Shouldn't they run things a little closer to the metal than that to reduce the number of pathways where things can go wrong, anyway?
Re: (Score:2)
Because of cost.
Plain and simple.
Re: (Score:3)
Assuming of course that the HMI will run with a stripped down OS.
One of the major control system vendors in the world running thousands of plants recently required .NET 3.5 to even start...
So make it dedicated hardware (Score:3)
Like in the old days when you had a cash register. All it did was be a cash register day in and day out without any problems. Currently most cash registers are cheap computers running complicated operating systems. The number of failure points is staggering.
You want digital controls? That's fine. Design some hardware to manage those controls and then STOP. You won't have to worry about drive failures, locking down USB ports, operating system updates, people doing things they shouldn't....
Re:Ooo! I can solve that one! (Score:4, Informative)
Maybe it is with Windows with all that Microsoft Genuine Advantage bullshit, but pushing out updates to Linux and OS X systems that are not connected to the Internet is pretty easy, I should know, I admined a huge network of them. Linux is probably the easiest. I just created a kickstart with the absolute minimum # of packages, used that as my base, and then put a copy of that system on the Internet to automatically download updates. All I have to do is periodically airgap the files (DVD works fine) over to the update server I set up on the LAN. All the machines just connect to that server and download their updates. Pretty damn simple. And if you are really hardcore, you can configure your machines to only download signed packages from trusted vendors (this is the default in RHEL for example). I spend maybe 15 minutes a week airgapping the things over... Now if you use that festering pile of insecure shit called Windows then you may have a point.
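The weak point in the workflow above is the DVD crossing the air gap: whatever lands on the internal update server is what every machine on the LAN will install. The following is an added example, not code from the commenter or from any distribution's tooling, showing the check a practitioner would put on the import side: the internet-facing mirror writes a manifest of SHA-256 digests over the staged files, the manifest is authenticated, and the air-gapped server imports only files that verify cleanly and refuses manifest entries that could steer it outside the repository tree. The HMAC stands in for the detached signature (GPG/RPM) a real deployment would verify; the key and file names are hypothetical.

```python
"""Manifest check for update files carried across an air gap.

Added example: this is not code from the original post or from any
distribution's tooling. It assumes the workflow the commenter describes:
an internet-facing mirror stages update files, the air-gapped update
server imports them from removable media, and nothing is imported unless
it matches an authenticated manifest. The HMAC over the manifest is a
stand-in for the detached signature (GPG/RPM) a real deployment would
verify; the key and file names below are hypothetical.
"""
import hashlib
import hmac
import posixpath

MANIFEST_KEY = b"example-shared-secret"  # hypothetical; a real key lives offline

# Constructed sample of what the internet-side mirror might stage.
STAGED_FILES = {
    "repo/pkgs/openssl-1.0.0-1.x86_64.rpm": b"rpm payload A",
    "repo/repodata/repomd.xml": b"<repomd/>",
}


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def _tag(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def build_manifest(files, key=MANIFEST_KEY):
    """Internet side: one 'sha256  relative/path' line per file, then an HMAC line."""
    body = "".join(f"{_digest(d)}  {n}\n" for n, d in sorted(files.items()))
    return body + f"HMAC-SHA256  {_tag(body, key)}\n"


def _safe_name(name):
    """Reject absolute paths, '..' and unnormalised names so a forged
    manifest cannot steer the importer outside the repository tree."""
    parts = name.split("/")
    return (not posixpath.isabs(name)
            and posixpath.normpath(name) == name
            and ".." not in parts and "." not in parts)


def verify_import(manifest, files, key=MANIFEST_KEY):
    """Air-gapped side: authenticate the manifest first, then classify every
    file as ok / tampered / missing / unlisted / bad-name.
    Raises ValueError if the manifest itself fails authentication."""
    lines = manifest.splitlines()
    if not lines or not lines[-1].startswith("HMAC-SHA256  "):
        raise ValueError("manifest has no authentication tag")
    body = "".join(line + "\n" for line in lines[:-1])
    if not hmac.compare_digest(lines[-1].split("  ", 1)[1], _tag(body, key)):
        raise ValueError("manifest authentication failed; import nothing")
    listed = {n: d for d, n in (line.split("  ", 1) for line in lines[:-1])}
    status = {}
    for name, digest in listed.items():
        if not _safe_name(name):
            status[name] = "bad-name"
        elif name not in files:
            status[name] = "missing"
        elif not hmac.compare_digest(_digest(files[name]), digest):
            status[name] = "tampered"
        else:
            status[name] = "ok"
    for name in files:
        status.setdefault(name, "unlisted")  # on the media but not in the manifest
    return status


def files_to_import(status):
    """Only files that verified cleanly are copied into the local repo."""
    return sorted(n for n, s in status.items() if s == "ok")


if __name__ == "__main__":
    manifest = build_manifest(STAGED_FILES)
    print(files_to_import(verify_import(manifest, STAGED_FILES)))
```

Anything "unlisted" is the interesting case in practice: a file that appeared on the media without being in the manifest is exactly what a compromised mirror or a swapped disc would produce, so it is dropped rather than imported.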
Re: (Score:2)
and if it's not connected to a network it becomes a very labour intensive task to push out updates to the systems to prevent against the viruses.
But don't most viruses and worms come from the internet and from removable storage devices?
If you took a computer and:
1.installed an OS that allows file permissions,
2.made the system drive read only for regular users (except the files that they have to change, for example, the profile directory and whatever files the software they use changes),
3.disconnected floppy and DVD drives,
4.disabled all unused ports,
5.made the users sign an agreement not to connect any storage devices without obtaining permission,
I
Re: (Score:2)
Here's an idea, let's not connect it to the Internet.
How else will they be able to outsource the monitoring to India?
Re: (Score:2)
Here's an idea, let's not connect it to the Internet.
How else will they be able to outsource the monitoring to India?
That adds a whole new dimension to help desks.
Re: (Score:2)
...hackers have been the reason digital systems haven't been adopted sooner.
Here's an idea, let's not connect it to the Internet.
Like the Iranian uranium enriching centrifuges were connected to the Internet?
Or... what? Are they going to relocate microcontroller plants to the US... or, for cost reasons, will they just be produced in... a nation which has a 30-strong Blue Army commando [slashdot.org] (strictly for defense, of course. It's not likely they'll ever plant backdoors in hardware, is it?)? Something in TFA hints at the second. Let me see if I can find it... here, just at the beginning:
In a nation where a digital blender can be bought for about $30 at Walmart,
I wonder where that $30 blender was made? In Toyota pla [usatoday.com]
Hackers? (Score:5, Insightful)
Isolate the system, for Christ's sake. There's no reason that a system like this should have any connection to the Internet, any external access at all (except maybe read access for monitoring at home by the chief engineers or something), or -- and this is the part that people don't seem to get -- no freaking 802.11 access.
I find it amazing that, working in the medical field, every hospital I walk into is at least partially dependent on wireless networks. (Hint: Send desync commands continually with an iPod -- network down.) But not only that, but they go through all these hijinks to make life suck for legitimate users, and miss obvious things like direct network access through Ethernet ports. I walked into a room a few weeks ago, and a kid had plugged his laptop into the hospital Ethernet and it was (I later verified) BEHIND the firewall. Another hospital used WEP encryption for its "official" network, and my laptop broke it in about ten minutes in a call room.
You have all sorts of people working in administrative roles in these institutions that think security is defined as:
1. Disable the Windows "run" command to piss me off.
2. Don't allow me to click on the clock to see a calendar.
3. Block web sites randomly for "security" reasons. (Hint: I'm a doctor. If I'm going to a web site I either have some legitimate reason to, or I'm goofing off because I have some critical patient that I'm stuck in the hospital with.)
4. Throw up wireless networks with some idiotic click through screen before it will route anything, thus breaking every automated device on the market.
Probably any of us on Slashdot could do a better job than some of these idiots.
Re:Hackers? (Score:5, Insightful)
Isolate the system, for Christ's sake
No, go further. Isolate all parts of the system. Only have well-defined 1-1 communication where you need it. I.e. no network where everything talks.
Re:Hackers? (Score:4, Interesting)
Re: (Score:2)
Hell they shouldn't have any access at all. They should be in a ventilated, locked box, with no USB ports, no ethernet or wifi ports, and etc, etc, etc. But you know what? Sometime I give up. Stupidity really does win at the end of the day.
Re: (Score:2)
A webcam of the gauges, of sorts, at most. No direct outside connection at all.
Really? (Score:2)
I guess I was an idiot to assume things had already been digital for some time now...
So what are they using right now then, a few vacuum tubes and clocksprings? Or do they have those newfangled "crystal" rectifiers and point contact transistors. (yeah, I know cave-tech and digital aren't mutually exclusive, give me a break ;) ).
Just because there is no computer running the show, doesn't mean it isn't digital. I'm sure there must be some digital bits involved, no? Or is it just big fucking analog panel meter
Re: (Score:2)
...enlighten me.
Can it be any more obvious??
FTFA:
"The goal of going digital is to save money."
Re: (Score:3)
I found a pretty neat site [englishrussia.com] that has a lot of cool pictures of what appears to be a modern Russian plant.
In this picture [englishrussia.com] we see the control panel and yeah, it looks like it is big fucking analog panel meters and red buttons. But there's a display [englishrussia.com] that is obviously some sort of digital status..not sure if it's electrical or some valve array thing, but as OP said there is already apparently some digital already.
Re: (Score:3)
Redundancy.
We have much the same on most oil rigs in the north sea.
While the whole HMI system is computerized there is also a "Critical Action Panel" that contains hardwired safety functions.
For example, you can trigger an "Abandon Platform Shutdown" from a single push button should the need arise. This button is independent from the computerized control system.
For something as important as a nuclear plant I would sure hope they have hardwired redundancy for the important functions.
Re: (Score:2)
Re:Really? (Score:5, Informative)
Re: (Score:2)
Interesting. I understand it is possible to do it more or less manually, I just had assumed pieces here and there had been slowly modernized over the years.
Then again with the level of bureaucracy involved, it probably takes the lifetime of a plant to get new parts approved anyway.
Re: (Score:2)
It is hugely expensive to modify plants.
It is much cheaper to actually build a new plant...
If only companies were allowed to build new plants on the condition that they shut down the old nasty ones... meh
Re:Really? (Score:4, Insightful)
you could definitely save some serious cash...
Yes, and the article made that perfectly clear:
"Those utilities need to keep those plants running. To have unplanned outages as a result of an analog system isn't doing what we need it to do — that's a financial risk..."
It has nothing to do with such frivolous things like safety
Re: (Score:2)
(Wikipedia)
First unit came online in 1973, so they probably started building in 1968, using plans that were finalized by very conservative senior engineers in 1963 at the latest. These guys at this time would have regarded PLC's as bleeding
Re: (Score:2)
Process control suppliers such as Foxboro spent decades building analog loop controllers. Yes, they are used in big panels full of big analog gauges with actual knobs to set the setpoints and gains etc.
I had the joy of working in a cement factory in 1982. It had a control room packed with analog Foxboro stuff. There was also a PDP-8 computer, but it didn't do anything to run the plant; it was used to compute batch ingredi
Re: (Score:2)
From TFA:
The goal of going digital is to save money. Most systems in a nuclear power plant are monitors with four sensors. If two of them have out-of-whack readings, engineers often have to "trip" the plant, or shut it down, until the problem is resolved. ...
Unlike a human engineer, who can only take in one measurement at a time from one instrument, the digital system takes in thousands of readings at any moment. The computer can instantly figure out if a sensor is broken and ignore it.
So, I guess the system there is that every sensor is connected to a gauge and/or an alarm relay. There are four sensors for each parameter that is monitored, so if one of them goes bad you can know that it's the sensor (since the other three provide normal values). Because a nuclear power plant uses a lot of sensors, they go bad all the time and if two sensors for the same parameter go bad, the plant has to be shut down (since it could also mean that the parameter is abnormal and the other two sens
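The quoted article describes the logic in one sentence; the following is an added example, not code from the article, the plant or the comment, that spells out what "four sensors, trip on two, ignore a broken one" looks like as a voting routine. It assumes a 4-20 mA loop per channel, an engineering range of 0-400 and an agreement tolerance of 10 units, all chosen for illustration. The edge case worth noticing is two channels against two: no channel can be trusted over the others, so the routine trips rather than guess, which is the digital equivalent of the shutdown the article says the analog plant has to do today.

```python
"""Two-out-of-four channel voting with failed-sensor detection.

Added example: not code from the article, the plant, or the comment
above. It models the behaviour the quoted article describes (four
sensors per parameter, trip when two channels say so, ignore a sensor
the computer can tell is broken). The 4-20 mA validity band, the
engineering range and the agreement tolerance are assumptions chosen
for illustration, not plant values.
"""
from statistics import median

LOOP_LOW_MA, LOOP_HIGH_MA = 3.8, 20.5    # assumed valid band for a 4-20 mA loop
RANGE_LOW, RANGE_HIGH = 0.0, 400.0       # assumed engineering range of the parameter


def loop_to_value(milliamps):
    """Convert loop current to an engineering value; out-of-band current
    (open loop, short, dead transmitter) marks the channel failed (None)."""
    if milliamps is None or not LOOP_LOW_MA <= milliamps <= LOOP_HIGH_MA:
        return None
    return RANGE_LOW + (milliamps - 4.0) / 16.0 * (RANGE_HIGH - RANGE_LOW)


def healthy_channels(values, tolerance):
    """A channel is trusted only if it is in band and agrees with the
    median of its peers. In the 2-vs-2 case every channel disagrees with
    its peers' median, so none is trusted and the vote fails safe."""
    flags = []
    for i, v in enumerate(values):
        peers = [p for j, p in enumerate(values) if j != i and p is not None]
        if v is None:
            flags.append(False)
        elif not peers:
            flags.append(True)
        else:
            flags.append(abs(v - median(peers)) <= tolerance)
    return flags


def vote_2oo4(milliamps, setpoint, tolerance=10.0):
    """Return the trip decision, the failed channel indexes and a reason."""
    values = [loop_to_value(ma) for ma in milliamps]
    flags = healthy_channels(values, tolerance)
    failed = [i for i, ok in enumerate(flags) if not ok]
    trusted = [v for v, ok in zip(values, flags) if ok]
    if len(trusted) < 2:
        # Fail safe: with fewer than two trustworthy channels we cannot tell
        # a bad sensor from a real excursion, so the plant trips.
        return {"trip": True, "failed": failed,
                "reason": "fewer than two trustworthy channels"}
    exceeding = sum(1 for v in trusted if v >= setpoint)
    return {"trip": exceeding >= 2, "failed": failed,
            "reason": f"{exceeding} of {len(trusted)} trusted channels at or above setpoint"}


if __name__ == "__main__":
    # Constructed readings in mA: normal, one dead transmitter, one drifting high,
    # a real excursion with one stuck sensor, and the undecidable 2-vs-2 split.
    for sample in ([12.0, 12.1, 11.9, 12.0], [12.0, 0.0, 12.0, 12.0],
                   [12.0, 19.0, 12.0, 12.0], [19.0, 19.0, 19.0, 12.0],
                   [19.0, 19.0, 12.0, 12.0]):
        print(sample, vote_2oo4(sample, setpoint=350.0))
```

The security-relevant point is the same as for any safety interlock: the voter only ever widens the trip condition (a mistrusted channel is excluded, never promoted), so a single compromised or faulty transmitter cannot by itself suppress a trip that the other channels are calling for.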
This is actually scary (Score:3)
Re:This is actually scary (Score:4, Interesting)
Sometimes analog... (Score:2)
I'm sure this will work out just fine. [wikipedia.org]
As digital a geek as I am, I actually downgraded my pool. The garbage "computers" [inyopools.com] I've had foisted upon me by pool guys are absolute crap. So I pulled all the expensive valve actuators [inyopools.com] and run it by turning valves, and backwashing manually.
I love tech and all the things I do and can do with it. But sometimes, simpler and analog works.
Social engineering (Score:2)
a while ago (Score:2)
You know, when I wrote software for a nuclear reactor in 1977, it was definitely on a digital computer, albeit a PDP11 in FORTRAN.
For just a bit more money, build a completely new (Score:2)
next-gen plant that'll run for 50 years, cost less and be safer
Re: (Score:2)
(if current experience holds, they'll then be refurbished once more and ultimately run for 150-200)
Re: (Score:2)
If that's so and they can really build them as cheaply as they claim, bring 'em on!
Meanwhile, on the other side of the pond, ... (Score:4, Insightful)
... the German Government just decided yesterday to finally abandon and decommission all nuclear power by 2021. That's in 10 years. We'll be having a little extended backup reserve of 3 nuclear power plants, but their countdown has begun already.
With regular nuclear power, we are now talking about a technology that Germans consider unmanageable, safety wise. You might want to ponder that for a minute.
I for my part am glad that our current conservative government has finally gotten a clue (25 years after Chernobyl, nonetheless), also due to recent problems with our 'eternal' nuclear dump sites.
Nuclear, as of current state of technology, is a bad idea. There is no fucking way that *anybody* can take over responsibility for 50 000 years worth of deadly toxic waste. Anyone who thought that needs a clobbering.
Re:Meanwhile, on the other side of the pond, ... (Score:5, Insightful)
I for my part am glad that our current conservative government has finally gotten a clue (25 years after Chernobyl, none-the-less),
so you're glad that your government decided to dump the electricity generation technology that has the fewest deaths per Joule, better than the next nearest by a factor of 10?
Going for deaths over bad publicity is your idea of getting a clue?
Re: (Score:3)
I am glad some of those older plants get closed, but even more glad that further research isn't going to stop, and that quite a few other countries still see a future for nuclear power. It'd be better if we had something safer and cleaner to meet our energy needs, but that's a long way off, a
Re: (Score:3, Insightful)
Maybe, you need to compare the alternatives though. IF the German government have a realistic idea of how to compensate for the loss of 30% of their energy production, by all means go ahead. Otherwise, Germany will need to import and compensate for the loss by laying more cables to Sweden, Poland and France.
Sweden can only sell energy during the summer, and then 30% will be from nuclear, France will sell energy but something like 80-90% will be from nuclear and Poland will happily deliver coal based power.
Re: (Score:2)
So, how will Germany generate the power that the nuclear power plants provide now?
Re: (Score:2)
The idea was to replace it with renewables... however, the hippies thought that technology would develop faster than it did. So, when the plants would actually be shut down, renewables were not up to the task.
The current government were pragmatic and cancelled the closure dates, and also updated the law so new reactors could be installed on the condition that they replaced an old one that was decommissioned.
And by the way, renewables are still not up to the task.
umm we already do this... (Score:5, Informative)
Hackers not the main problem with all digital I& (Score:5, Interesting)
The biggest problem with digital I&C is the "software common cause failure" issue.
Imagine a modern nuclear plant with multiple-channel redundancy in instrument and control systems: if one instrument fails, there are others. The same applies to whole cooling systems; if one cooling system fails, there are other completely independent systems that continue to work. Typically redundant systems use instruments from different manufacturers or instruments that are implemented with different technology.
This is not possible for digital systems because they are too costly to implement multiple times. What this means is that redundant digital control systems use the same software. If one system fails because of a software error, others may follow. This has already happened in a German nuclear plant that had a new digital system installed. Only the old analog system that was still operational saved the reactor.
This is why the Finnish radiation and nuclear safety authority required changes in Areva's plans for the most modern nuclear reactor being built, Olkiluoto 3. They added analog safety requirements. The reactor must be able to shut down even when the digital I&C has a total failure. Relying on all-digital systems compromises redundancy.
More info:
http://www.neimagazine.com/story.asp?storyCode=2053091 [neimagazine.com]
http://www.amazon.com/Digital-Instrumentation-Control-Systems-Nuclear/dp/0309057329 [amazon.com]
Reliability? What a load of garbage. (Score:2)
The "digital" portions of most instrumentation sit on top of the analogue loop. They were designed to give you the exact same thing you had + diagnostics and early fault prediction. Instruments which could not only give you 4-20mA but tell you that if you don't attend to them then within the week there's a good chance you'll get 3 or 25mA out of them and your control system spits out NaN.
Reliability wasn't getting in the way of the upgrade, $2bn was. There's not an industrial plant in the world that wouldn'
I don't get it... (Score:3, Funny)
Watch the first season of Battlestar Galactica and you have a design model for the cost of a netflix subscription.
Re:What could possibly go wrong? (Score:5, Funny)
And do you know what we would call the catastrophic failure event in which Duke Energy might irradiate a large swath of land? Hint: it includes the word Nukem!
Re: (Score:2)
In it they describe their simple goal, right there in black and white, as plainly as they possibly can...
Taken from the context, but I think still relevant and true:
In a nation where a digital blender can be bought for about $30 at Walmart, the ...
... goal of going digital is to save money.
Re: (Score:2)
Yes, neutrinos are more common near nuke plants. At least that is what theory tells us. If you find a cheap way to PROVE this experimentally, you would become moderately famous among physicists. Getting extra glitches from memory would qualify...
Re: (Score:2)
I certainly hate to think what would happen if humanity were always too afraid to advance for fear of what could go wrong.
Re: (Score:2)
From TFA "The computer can instantly figure out if a sensor is broken and ignore it."
Re:What could possibly go wrong? (Score:4, Interesting)
And I suppose your opinion is based on something other than hear-say? Like maybe a little personal experience? Until then I suggest you avoid putting your foot in your mouth. I worked in the industry for 20 years and while I wouldn't paint them as choir boys, I know that the Corporate bean counters aren't the demons you portray them to be.
Re: (Score:2)
Do terrorists work in a analog world? Yes. Do terrorists work in a digital world? No.
So this upgrade from analog to digital will stop terrorists!
Sorry, just showing how stupid your post is. :)
Re: (Score:2)
this is OT of course but I wonder - are these installations insured and its waste disposal secured?
Re: (Score:3)
I don't mind having them compete on even grounds with the other means of producing power, even if nuclear fails hard as a result.
How can competition be on an even ground when there are laws limiting their liability to a minuscule amount compared to the damage that could be done?
How can it be considered fair competition if the total costs of dealing with fuel aren't included (whether you call it vaulting "treasure" or the cost of running a fuel mortuary makes no difference)?
How can it be considered fair competition if there's land made unusable to society far into the future?
If it allows society to enter into having population, housing
Re: (Score:3)
If you don't think there aren't fanboys who want to see older plants replaced by newer, more efficient, safer designs, please, come to Illinois. The lobby against this has been raging for a decade.
So, I don't know the Illinois case specifically, but most of the time when I hear about arguments against plant upgrades, the people doing the argument tend to be of the theory that if you don't upgrade the plant eventually it will get shut down.... very occasionally this is confused with a power company who wants to build a totally new plant instead of upgrade an old one, but . . . in general its not nuclear power 'fanboys' in the anti-upgrade lobby....
Re: (Score:3, Funny)
I hear they're going to shovel hippies into furnaces.
Re: (Score:3)
More like 22%, barely more than from renewables. And it is pretty manageable. We've had only four of 17 nuclear reactors running for a full week already, no blackouts at all. Too funny actually, because the nuclear lobby has prophesied the end of the world starting 21.05.2011. I guess they now have to wait until 2012, just as the rest of the world ;-)
Re: (Score:3)
Too funny actually, because the nuclear lobby has prophesied the end of the world starting 21.05.2011.
Uh huh. Because the problems will all show up on the first day. I lived through the California "electricity crisis," [wikipedia.org] a failed privatization of California's electricity markets. The same sort of hubris was on display going into that. Their failures didn't start till a couple of years into the program, but were entirely predictable from a knowledge of the conditions going in. Obviously, phasing out your base load power (both nuclear and coal) without replacement is a different sort of issue than privatization
Re:What could possibly go wrong? (Score:4, Insightful)
Thanks to a reliable inner Europe electricity network. As usual "we don't do nuclear", but that the electricity then gets imported from France or some other country is easily forgotten.
Re: (Score:3)
37.8 TWh is the figure I got for wind turbines in Germany in 2009.
Not all renewables in 2010.
http://www.germanenergyblog.de/?p=3063 [germanenergyblog.de]
For context that's 6.5% of Germany energy.
Until recently 26.1% of Germany's energy came from nuclear.
Now let's ignore that wind farms get built in the best locations first and assume they do even better over the next ten years with wind than they did in the last 10 years.
lets say they build just as many extra wind farms.
that still leaves them supplying only half the power they we
Re: (Score:2)
More like -1, -2, -3 at this point.