How safe are Virginia’s nuclear power plants from terrorists, hackers and natural disasters? Let’s put it this way: Dominion worries about such threats 24/7 so you don’t have to.
In addition to interfering in U.S. elections, Vladimir Putin’s busy cyber-servants have been probing information technology weaknesses in U.S. industry and infrastructure. Sophisticated cyber-attacks have been ongoing since at least March 2016. Perhaps most alarming, the Department of Homeland Security asserted last week, Russian hackers gained access to critical control systems at unidentified nuclear power plants.
“We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage,” the New York Times quoted Eric Chien, a security technology director at digital-security firm Symantec, as saying. “They have the ability to shut the power off. All that’s missing is some missing political motivation.”
Journalist Ted Koppel highlighted the vulnerability of the U.S. electric grid to attack in his 2016 book, “Lights Out: Cyberattack, a Nation Unprepared, Surviving the Aftermath.” Novelists have imagined the horrifying societal breakdown that would follow the collapse of the electric grid. As for nuclear plants, the potential for radioactive contamination makes the threat even more terrifying. Fear-inducing scenarios involve terrorist takeovers, the theft of spent radioactive fuel, and jetliners slamming 9/11-style into nuclear reactors.
The issue of security was top of mind for me when I toured Dominion Energy Virginia’s North Anna Power Station last month. I had the opportunity to pose the kind of questions that members of the public might ask.
I’m not qualified to render judgment on the effectiveness of Dominion’s security efforts, but I can say one thing: Security at the nuclear facility is something the company thinks about around the clock. Utility officials have spent enormous time and effort anticipating and preparing for any scenario you can imagine. Earthquake? Check. Hurricane? Check. Cyber-attack? Check. Armed terrorist attack? Check. Hijacked airplane flying into the nuclear containment dome? Check.
Based on what I learned, I’m not worried about natural disasters or terrorist attacks. The threat of cyber-sabotage continues to unsettle me, but the danger is to the transmission and distribution grid, not to nuclear power plants. Dominion officials assured me — and for a simple reason that I shall explain in due course, I believe them — that their nuclear power plant controls are not vulnerable to a cyber-threat.
If there had never been a Chernobyl or Fukushima, I might not even be asking these questions. As it is, those calamities did occur. We learned that, as thorough as they try to be, nuclear engineers don’t foresee every conceivable contingency. With nation states from Russia and China to Iran and North Korea seeking to penetrate and compromise our infrastructure, we need to keep up our guard. At the same time, we should avoid creating unnecessary alarm. So far, I’ve seen nothing that makes me lose any sleep.
Earthquakes, hurricanes, and aircraft strikes
On August 23 at 1:51:04 p.m., the control room of the North Anna Power Station began to shake, as if it were sitting on a giant vibrating phone, recalls Lee Baron, who worked in the control room then and now runs the company’s simulation center. Lights on the control board began blinking. Alarms emitted shrill beeping noises. Tiles fell from the ceiling. Outside the facility, some electric transformers cracked.
The earthquake, the worst temblor to shake the East Coast in at least a century, exceeded what the power station had been designed for, says Baron, but the facility “shrugged it off.” Following Electric Power Research Institute guidelines, the operators powered down the plant without incident. After minor repairs and two months of intensive inspections, the nuclear station was up and running again.
Media attention focused on the fact that the North Anna station was located on an ancient geologic fault line. The fact that the epicenter of the earthquake was just a few miles away under the town of Mineral led many to conflate the two. But the two fault lines were unrelated, says Richard Zuercher, manager-nuclear fleet communications for Dominion.
Indeed, as College of William & Mary geologist Chuck Bailey concluded in a 2012 review of maps, photos, and reports, the fault underlying the North Anna Power Station had last been active about 200 million years ago. On the other hand, as the Mineral earthquake demonstrated, the geologic plate upon which the East Coast rests was more active than previously supposed.
Unlike some earthquakes that have a highly localized impact that creates heavy damage, Zuercher says, the Mineral shaker, which registered 5.8 on the Richter scale, diffused its energy and caused light damage over a vast area. The quake was felt as far away as Atlanta and New Brunswick. Virginia does not face a California-like threat of a massive killer quake.
Hurricanes and tornadoes are another theoretical threat. The concern is that wind might pick up cars or telephone poles and hurl them like projectiles. The nuclear reactors, a third of which are underground, are protected by massive containment domes made of compressed concrete lined by steel plate and reinforced by steel rebar.
The 4 1/2-foot-thick dome wall “is built to take a licking,” says B.E. Standley, the Dominion executive in charge of nuclear power plant safety. “It can survive anything short of an asteroid strike or zombie apocalypse.”
One test of another nuclear facility suggested that its dome could stand up to a hit by an F4 Phantom jet, Standley says. The building was never designed to survive a 9/11 impact of a jetliner fully loaded with aviation fuel, but computer modeling suggests that it would survive. “It would create a colossal mess, but it wouldn’t penetrate the structure. It would knock out the plant, but the [radioactive] core would be protected.”
Even in a worst-case scenario, North Anna is prepped for a quick recovery. Apart from the two nuclear units stands another domed structure designed to withstand hurricane-force winds. Inside, the company keeps all manner of equipment required to restore electric power, lighting, and water flow to the nuclear units: monstrous spools of cabling, firefighting equipment, air compressors, front-end loaders, generators, back-up diesel tanks, spill kits, and water pumps. Dominion teams could respond immediately to any disaster.
Another potential worry is an armed takeover of the nuclear station by terrorists. Dominion officials had only a little information to share about this topic, and I’m no military expert, but I feel safe in saying that it would take an all-out assault by a well-trained force to take control of the power plant.
The North Anna Power Station is protected by an outer perimeter of sensors to detect intruders and barbed-wire fences to slow them down. The front entrance is fortified by concrete barriers and guards armed with semi-automatic weapons. Pop-up steel barriers in the road would obstruct heavy trucks or other vehicles. There are bullet-resistant enclosures for surveillance. Even the communications tower is hardened. And that’s just the perimeter.
Access to the nuclear power units is well protected, too. The containment domes are 4 1/2-foot-thick reinforced concrete, remember: impenetrable to all but the heaviest military ordnance. To gain access to the nuclear units, attackers would have to penetrate the main entrance. There they would encounter more fortifications and armed guards.
I can’t vouch for the combat-readiness of the guards. But of the power station’s 950 full-time employees, more than 100 are security officers. To keep sharp, they periodically practice at a firing range on the premises, and Standley says they conduct drills.
Although Dominion didn’t discuss it, I have to believe that the facility has direct communications with local police and military bases in Hampton Roads, or perhaps elsewhere. Contingency plans assuredly call for a rapid military response in the event of a terrorist attack.
What if terrorists don’t try to take over the generating units but go for the waste fuel instead? Spread old fuel assemblies around an American city, and it will glow with radioactivity for years. But such a feat is far easier said than done.
Spent fuel storage assemblies are encased in stainless steel canisters and concrete. They are ready to transport off-site to a permanent, long-term storage facility in Yucca Mountain, Nevada (if and when the federal government can ever get its act together). But these bad boys weigh 15 tons each. Terrorists would have to bring with them some very big trucks and a very big crane to load them. Loading multiple assemblies would take time. And the terrorists would have to run a convoy down windy country roads for miles before reaching a population center. I’m speculating outrageously here, but they wouldn’t get far before Navy SEALs from Virginia Beach were all over them.
The cyber threat
The threat of cyber-sabotage, to my mind, remains the most credible danger to Dominion’s nuclear power plants. Unfortunately, it is the topic about which Dominion says the least. The company has no interest in letting escape any detail that might assist the Russkies… or anyone else.
Speaking generally, electric utility information systems are not a pretty sight. Power plants incorporate multiple generations of control systems from multiple equipment providers using proprietary software. As this software gets out of date and vendors stop supporting it, it can be highly vulnerable to hacking — even if the utility is diligent about downloading fixes and patches, which may not always be the case.
One software consultant I spoke to said that electric utility information systems (not referring specifically to North Anna) typically are cobbled together and very difficult to keep secure. Moreover, utility IT systems plug into a grid shared by rural co-ops, municipal utilities, and independent power producers. The quality of IT security across all these players is highly uneven. If hackers can’t penetrate Dominion directly, perhaps they can infiltrate through a peripheral player on the grid with unsophisticated IT managers, and sneak in through the back door.
Arrayed against Russian, Iranian and North Korean state-backed hackers is an alphabet soup of groups such as PJM, EPRI (the Electric Power Research Institute), and NERC (the North American Electric Reliability Council), not to mention the utilities themselves, all of which are now in a state of high alert.
PJM has hired contractors to conduct penetration testing (probing networks for vulnerabilities) and to run mock phishing campaigns. When the testing started, one in five recipients clicked the bad links. Over a year of education, the clickthrough rate fell to 4%. But it has been hard to drive that rate any lower.
EPRI says its Cyber Security Technical Assessment Methodology provides a “bottom up” method for assessing and mitigating cyber security vulnerabilities in equipment used in modern power plants. Meanwhile, the North American Electric Reliability Corporation (NERC) has developed Critical Infrastructure Protection cyber security reliability standards. And the Federal Energy Regulatory Commission (FERC) is focusing on the cyber-security impact of making so-called “smart grid” investments.
Despite all that effort, it appears that Putin’s hackers still are finding ways to break through.
Perhaps the best defense for North Anna is the age of its plant and its continued reliance upon old, analog controls.
“The operational side of our nuclear facilities is nearly all analog and not subject to the hacking threat,” says Zuercher. “While there are some digital controls, there is complete separation between business networks and plant control systems such that they cannot be accessed remotely.”
That explanation makes sense to me. As long as Dominion resists the temptation to upgrade to digital, it appears, Virginians have little to fear.