CYBERSECURITY IN THE PUR-1 NUCLEAR REACTOR
thesisposted on 27.07.2021, 12:09 authored by Styliani PantopoulouStyliani Pantopoulou
Nuclear systems heavily depend on Instrumentation and Control (I&C) entities for their protection, monitoring and control processes, all of which play an important role for their safety and security. The obsolescence of analog I&C systems, along with the increased costs for their maintenance, has rendered the adoption of digital control systems inevitable. Digitization offers numerous advantages to systems, ranging from precision in measurements to reduction in equipment and costs. However, it also comes with a number of challenges, most of which are related to increased failure risk, either from human or control systems error, and vulnerability to attacks, which can be a major threat to non-proliferation. These characteristics point to the category of Cyber Physical Systems (CPSs), namely collections of computational components that receive physical inputs from sensors, and are connected to feedback loops in order to adapt to new circumstances. The ever growing use of CPSs may increase the risk for cyber attacks, that threaten a system’s integrity and security. Plenty of research has been conducted on this topic. The focus of this work is to implement an architecture that can protect the system under review, namely Purdue University Reactor Number One (PUR-1), from these types of attacks. The reactor is physically modelled, through the use of point kinetics equations and reactivity calculations. Controllers existing in the plant are modelled and tuned for the purpose of controlling the reactor’s power. Mitigation of the cyber attacks is later examined through fault tolerance. One of the main ways to achieve fault tolerance in systems of this type is through redundant components, the so-called replicas. Replicas are later used in a process of voting, in order to detect failures. According to the Byzantine Fault Tolerance (BFT) protocol, which is the most popular protocol for this purpose, a maximum number of t faults can be tolerated by the system, when there are in total 3t+1 replicas in the system architecture. Redundancy, however, is not capable to keep a system safe by itself under all circumstances. For this purpose, software diversity is explored. According to this, software in the controllers gets diversified into distinct variants. Different software variants execute instructions, and other variants are expected to execute other actions. In the case where some tampered inputs crash (or deactivate) one of the variants, other variants take control and the system is tolerant against failures. Lastly, CPS inertia is exploited along with rollback recovery methods for the rebooting of the system after a failure. The actual algorithm for the system studied in this work uses three redundant controllers and performs as follows; the error term from the subtraction of the output from the setpoint is fed as input to the first two controllers, as well as to the delay queue connected to the third controller. The outputs of the first two controllers are compared, and then there are two cases of operation. In the case of a good message in the input, the variants in the controllers do not crash, thus the signal from the top two controllers reaches the plant. In the case of a bad message, at least one of the two controllers crashes, because at least one of the code variants fails due to the diversity. This automatically triggers the comparator, which sends a signal so that the output of the isolated controller is used and propagates towards the plant. After implementing a Graphical User Interface (GUI), which acts as a simulator and visualizes the system’s state, it is shown that PUR-1 is able to overcome bad messages regarding scram or control rod positions, when the protection architecture is activated. More specifically, when a bad message for scram is sent, the reactor manages to not drop its power level and continues to adjust the rod positions in order to achieve a specific power setpoint. Moreover, in the case of a bad message for the control rod positions, which means that the system is running open loop and thus is uncontrolled, the reactor manages to recover the rod positions and power level after some seconds. Conversely, when the protection system is deactivated, it is shown that bad messages regarding scram or rod positions are able to affect the reactor's state. In the case of the scram bad message, the reactor power drops immediately, while in the case of the rod position bad message, the power level changes uncontrollably.