North Anna’s nuclear containment domes

How safe are Virginia’s nuclear power plants from terrorists, hackers and natural disasters? Let’s put it this way: Dominion worries about such threats 24/7 so you don’t have to.

In addition to interfering in U.S. elections, Vladimir Putin’s busy cyber-servants have been probing information technology weaknesses in U.S. industry and infrastructure. Sophisticated cyber-attacks have been ongoing since at least March 2016. Perhaps most alarming, the Department of Homeland Security asserted last week, Russian hackers gained access to critical control systems at unidentified nuclear power plants.

“We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage, the New York Times quoted Eric Chien, a security technology director at digital-security firm Symantec, as saying. “They have the ability to shut the power off. All that’s missing is some missing political motivation.”

Journalist Ted Koppel highlighted the vulnerability of the U.S. electric grid to attack in his 2016 book, “Lights Out: Cyberattack, a Nation Unprepared, Surviving the Aftermath.” Novelists have imagined the horrifying societal collapse following the collapse of the electric grid. As for nuclear plants, the potential for radioactive contamination makes the threat even more terrifying. Fear-inducing scenarios involve terrorist takeovers, the theft of spent radioactive fuel, and jetliners slamming 9/11 style into nuclear reactors. 

The issue of security was top of mind for me when I toured Dominion Energy Virginia’s North Anna Power Station last month. I had the opportunity to pose the kind of questions that members of the public might ask.

I’m not qualified to render judgment on the effectiveness of Dominion’s security efforts, but I can say one thing: Security at the nuclear facility is something the company thinks about around the clock. Utility officials have spent enormous time and effort anticipating and preparing for any scenario you can imagine. Earthquake? Check. Hurricane? Check. Cyber-attack? Check. Armed terrorist attack? Check. Hijacked airplane flying into the nuclear containment dome? Check.

Based on what I learned, I’m not worried about natural disasters or terrorist attacks. The threat of cyber-sabotage continues to unsettle me, but the danger is to the transmission and distribution grid, not to nuclear power plants. Dominion officials assured me — and for a simple reason that I shall explain in due course, I believe them — that their nuclear power plant controls are not vulnerable to a cyber-threat.

If there had never been a Chernobyl or Fukushima, I might not even be asking these questions. As it is, those calamities did occur. We learned that, as thorough as they try to be, nuclear engineers don’t foresee every conceivable contingency. With nation states from Russia and China to Iran and North Korea seeking to penetrate and compromise our infrastructure, we need to keep up our guard. At the same time, we should avoid creating unnecessary alarm. So far, I’ve seen nothing that makes me lose any sleep.

Earthquakes, hurricanes, and aircraft strikes

On August 23 at 1:51:04 p.m., the control room of the North Anna Power Station began to shake, as if it were sitting on a giant vibrating phone, recalls Lee Baron, who worked in the control room then and now runs the company’s simulation center. Lights on the control board began blinking. Alarms emitted shrill beeping noises. Tiles fell from the ceiling. Outside the facility, some electric transformers cracked. 

The earthquake, the worst trembler to shake the East Coast in at least a century, exceeded what the power station had been designed for, says Baron, but the facility “shrugged it off.” Following Electric Power Research Institute guidelines, the operators powered down the plant without incident. After minor repairs and two months of intensive inspections, the nuclear station was up and running again.

Media attention focused on the fact that the North Anna station was located on an ancient geologic fault line. The fact that the epicenter of the earthquake was just a few miles away under the town of Mineral led many to conflate the two. But, the two fault lines were unrelated, says Richard Zuercher, manager-nuclear fleet communications for Dominion.

Indeed, as College of William & Mary geologist Chuck Bailey concluded in a 2012 review of maps, photos, and reports, the fault underlying the North Anna Power Station had last been active about 200 million years ago. On the other hand, as the Mineral earthquake demonstrated, the geologic plate upon which the East Coast rests was more active than previously supposed.

Unlike some earthquakes that have a highly localized impact that creates heavy damage, Zuercher says, the Mineral shaker, which registered 5.8 on the Richter scale, diffused its energy and caused light damage over a vast area. The quake was felt as far away as Atlanta and New Brunswick. Virginia does not face a California-like threat of a massive killer quake.

Hurricanes and tornadoes are another theoretical threat. The concern is that wind might pick up a cars or telephone poles and hurl them like projectiles. The nuclear reactors, a third of which are underground, are protected by massive containment domes made of compressed concrete lined by steel plate and reinforced by steel rebar.

The 4 1/2-feet-thick dome wall “is built to take a licking,” says B.E. Standley, the Dominion executive in charge of nuclear power plant safety. “It can survive anything short of an asteroid strike or zombie apocalypse.” 

One test of another nuclear facility suggested that its dome could stand up to a hit by an F4 Phantom jet, Standley says. The building was never designed to survive a 9/11 impact of a jetliner fully loaded with aviation fuel, but computer modeling suggests that it would survive. “It would create a colossal mess, but it wouldn’t penetrate the structure. It would knock out the plant, but the [radioactive] core would be protected.”

Even in a worst-case scenario, North Anna is prepped for a quick recovery. Apart from the two nuclear units stands another domed structure designed to withstand hurricane-force winds. Inside, the company keeps all manner of equipment required to restore electric power, lighting, and water flow to the nuclear units: monstrous spools of cabling, fire fighting equipment, air compressors, front-end loaders, generators, back-up diesel tanks, spills kits, and water pumps. Dominion teams could respond immediately to any disaster.

Armed terrorists

Another potential worry is an armed takeover of the nuclear station by terrorists. Dominion officials had only a little information to share about this topic, and I’m no military expert, but I feel safe in saying that it would take an all-out assault by a well-trained force to take control of the power plant. 

The North Anna Power Station is protected by an outer perimeter of sensors to detect intruders and barbed-wire fences to slow them down. The front entrance is fortified by concrete barriers and guards armed with semi-automatic weapons. Pop-up steel barriers in the road would obstruct heavy trucks or other vehicles. There are bullet-resistance enclosures for surveillance. Even the communications tower is hardened. And that’s just the perimeter.

Access to the nuclear power units is well protected, too. The containment domes are 4 1/2-feet-thick reinforced concrete, remember: impenetrable to all but the heaviest military ordinance. To gain access to the nuclear units, attackers would have to penetrate the main entrance. There they would encounter more fortifications and armed guards.

I can’t vouch for the combat-readiness of the guards. But of the power station’s 950 full-time employees, more than 100 are security officers. To keep sharp, they periodically practice at a firing range on the premises, and Standley says they conduct drills.

Although Dominion didn’t discuss it, I have to believe that the facility has direct communications with local police and military bases in Hampton Roads, or perhaps elsewhere. Contingency plans assuredly call for a rapid military response in the event of a terrorist attack.

What if terrorists don’t try to take over the generating units but go for the waste fuel instead? Spread old fuel assemblies around an American city, and it will glow with radioactivity for years. But such a feat is far easier said than done.

Spent fuel storage assemblies are encased in stainless steel canisters and concrete. They are ready to transport off-site to a permanent, long-term storage facility in Yucca Mountain, Nevada (if and when the federal government can ever get its act together). But these bad boys weigh 15 tons each. Terrorists would have to bring with them some very big trucks and a very big crane to load them. Loading multiple assemblies would take time. And the terrorists would have to run a convoy down windy country roads for miles before reaching a population center. I’m speculating outrageously here, but they wouldn’t get far before Navy Seals from Virginia Beach were all over them.

The cyber threat

The threat of cyber-sabotage, to my mind, remains the most credible danger to Dominion’s nuclear power plants. Unfortunately, it is the topic about which Dominion says the least. The company has no interest in letting escape any detail that might assist the Russkies… or anyone else.

Speaking generally, electric utility information systems are not a pretty sight. Power plants incorporate multiple generations of control systems from multiple equipment providers using proprietary software. As this software gets out of date and vendors stop supporting it, it can be highly vulnerable to hacking — even if the utility is diligent about downloading fixes and patches, which may not always be the case.

One software consultant I spoke to said that electric utility information systems (not referring specifically to North Anna) typically are cobbled together and very difficult to keep secure. Moreover, utility IT systems plug into a grid shared by rural co-ops, municipal utilities, and independent power producers. The quality of IT security across all these players is highly uneven. If a hacker can’t penetrate Dominion directly, perhaps it can infiltrate through a peripheral player on the grid with unsophisticated IT managers, and sneak in through the back door.

Arrayed against Russian, Iranian and North Korean state-backed hackers are a group of alphabet soup groups such as PJM, EPRI (the Electric Power Research Institute), and NERC (the North American Electric Reliability Council), not to mention the utilities themselves, all of which are now in a state of high alert.

PJM has hired contractors to conduct penetration testing — probing networks for vulnerabilities — and conducting mock phishing campaigns. When the testing started, one in five recipients clicked the bad links. Over a year or education, the clickthrough rate fell to 4%. But it has been hard to drive that rate any lower.

EPRI says its Cyber Security Technical Assessment Methodology provides an “bottom up” method for assessing and mitigating cyber security vulnerabilities in equipment used in modern power plants. Meanwhile, the North American Electric Reliability Corporation (NERC), has developed Critical Infrastructure Protection cyber security reliability standards. And the Federal Energy Regulatory Commission (FERC) is focusing on the cyber-security impact of making so-called “smart grid” investments.

Despite all that effort, it appears that Putin’s hackers still are finding ways to break through.

Perhaps the best defense for North Anna is the age of its plant and its continued reliance upon old, analog controls.

“The operational side of our nuclear facilities is nearly all analog and not subject to the hacking threat,” says Zuercher. “While there are some digital controls, there is complete separation between business networks and plant control systems such that they cannot be accessed remotely.”

That explanation makes sense to me. As long as Dominion resists the temptation to upgrade to digital, it appears, Virginians apparently have little to fear.

Share this article


(comments below)


(comments below)


13 responses to “Nuclear Fortress”

  1. Steve Haner Avatar
    Steve Haner

    “As long as Dominion resists the temptation to upgrade to digital, it appears, Virginians apparently have little to fear.”

    I’m sorry – but a year ago, the 2017 session, the utility came to the General Assembly to tweak the statutory language to make it clear that it could upgrade these plants for license extensions and pass the costs along in a rate adjustment clause (RAC). It was all about how the plants would be going digital and suddenly would need deeper protection from cyber threats. So are those plans now abandoned? No way the analog controls can stay if the licenses are extended by the NRC.

    That cost of the upgrades and the re-license process is going to be substantial, which is why I didn’t believe for one second this year’s promises that rates in Virginia will remain the lowest in the history of the world….or whatever it was they claimed.

    All human systems are subject to failure and error, but in general I agree, the company has incredible incentive to maintain safety at the plants and is serious about doing so, just as was the case at the other major nuclear company in Virginia, the shipyard. As was explained to me early in my tenure there, by none other than the president, the entire capital value of the entire Northrop Grumman corporate empire depended on the safe handling of those tasks.

    1. Interesting to hear that the nuclear plants will be going digital under a license extension. Then security will rest upon the ability of Dominion to insulate its nuclear power plant controls from the rest of its IT system.

      Presumably, digital controls would offer some advantages. I’d like to know what they are, and how they compare to the risk of penetration by hackers.

  2. LarrytheG Avatar

    The aversion to digital is Luddite. Digital can and is secure if you have
    professionals directly responsible – and accountable for cyber security.

    If you think digital is unsafe – then you need to worry far more than just about nuke plants..

    It’s an excuse ….

    Finally – anyone who thinks nuke plants are “safe” in the 21st century world of autonomous weaponized drones is in serious denial.

    We’re so bound up on the “right to bear arms” – that we have forgotten what “arms”.. REALLY means and it’s about way more than an AR-15 with a high -capacity magazine. Put that AR on a drone – at night – and see how many security guards are still standing after an attack..which will then leave the plant itself open to more attacks.

    These plants are dinosaurs ….. yes.. Dominion and other utilities that own them SAY they are “secure” but the reality of 21st century weaponry – legally in the hands of crazies …. needs to be recognized.

  3. I guess this is one of the opening salvos in the PR campaign to re-license Dominion’s nuclear plants which will get underway in 2019.

    That process is expected to cost over $3 billion to extend the licenses for Surry and North Anna for a final 20 years. I suspect the actual costs will be much higher but you won’t hear that until the money is spent. Because they are the most capital intensive units, nuclear plants yield the most profit from the rate base of any other type of generation.

    Nuclear units were designed to last 40 years. These extensions will authorize an operating life of up to 80 years. Radiation degrades even the strongest materials. This will be uncharted territory for the Nuclear Regulatory Commission.

    If Dominion says its Millstone plant in Connecticut is not profitable without a subsidy (based on industry data this plant is the most profitable in the U.S.), how can these plants be expected to pay their way except through huge ratepayer subsidies in Virginia.

    Because the billions spent will provide just 20 years of generation, these units are much more expensive than any other alternative. Just as an example, in seven years the RGGI states saved 9 million megawatt-hours of electricity using energy efficiency. This saved customers $2.3 billion on their utility bills. An investment in these nuclear units will increase bills in Virginia by a good deal. This is a huge RAC in the making.

    There is a good deal of spent fuel cooling in pools awaiting longer term processing. This is what is still releasing radiation at Fukushima.

    The analog controls are nearly 60 years old. Even the old B-52s continually received electronics upgrades. You don’t want to risk the safe operation of a nuclear plant on balky old control systems. The grid is much more vulnerable to the physical loss of large substation transformers. The nuclear plant would have to shut down if there is no place for its electricity to go.

    1. “I guess this is one of the opening salvos in the PR campaign to re-license Dominion’s nuclear plants which will get underway in 2019.”

      No, Tom, this is not an opening salvo in a P.R. campaign. I approached Dominion asking for a tour. I was motivated by the knowledge that Dominion wants to re-license the Surry and North Anna nuclear units. Indeed, re-licensing was my primary interest. But this was entirely on my initiative.

      I wrote the article about safety because the angle seemed especially timely given the news about Russian cyber-hackers last week.

      1. Jim,

        I did not intend to question your motives for the article.

        I am weary of protecting the notion of a properly regulated utility from those who believe them to be inherently evil, as well as from the actions of the parent company that wants to undermine legitimate regulatory authority in order to make the utility into a profit machine with limited oversight.

        As far as I know, Surry will become the oldest operating nuclear facility in the U.S. with a 20-year license extension. This is a serious issue for the NRC as well as a major investment decision for the citizens of Virginia and their authorized representative, the SCC.

        By the way, Dominion now says it expects to spend at least $4 billion to gain the final 20-year license extension for Surry and North Anna. Let the buyer beware regarding cost estimates for nuclear facilities.

        This is a major decision and not one to be made based on press releases and backroom deals at the state legislature.

        I guess I am “old school”, but I believe that if a project is a good one, it will stand up to rigorous analysis. I am accustomed to dealing with detailed reports from qualified engineers not flawed reports that do not identify their assumptions or methods of analysis (such as with the pipeline).

        We are avoiding any real discussion of options for our energy future. Long-term decisions are made with influence from special interests of various stripes. Perhaps it is because they can, because our populace is staring zombie-like behind the screens of their TVs, game consoles, computers and smartphones.

        If we don’t wake up, many of the decisions about how we will live in the 21st century will be made by those who profit the most.

        Your blog is an important forum for the exchange of ideas. We must remain open minded and be willing to hear from others with different opinions. But those opinions must have a foundation in facts to be convincing. This is especially important in an age where “facts” are under attack.

        As a culture, we have more in common with one another than our media would suggest. Without civil dialogue, we will retreat to our polarities and leave the field to the influence peddlers.

  4. LarrytheG Avatar

    Unfortunately for all of us , including Dominion, they have the power to continue to maintain an obsolete business model basically based on a 20th century ever increasing “demand” for electricity.

    They are pursuing , across the board – all the things necessary to preserve that business model which is clearly failing and the costs will be shifted to ratepayers as Dominion continues to “sell electricity” as if demand was still increasing.

    I also blame the SCC and the GA. The SCC for failing to recognize the transformation and evolving their regulation model accordingly and I blame the GA for crony capitalism on steroids – and to all of us – harm.

    and yes… these blog post sound like LAME PR… to me.. DO we seriously believe that Dominion thinks it’s “safer” to continue to use
    analog equipment that is more than 6 decades old when the rest of the world – including all manner of weaponry and civilian infrastructure has evolved to digital?

    Come on! Even a lame PR outfit should be able to do better than that!

    1. “Do we seriously believe that Dominion thinks it’s “safer” to continue to use analog equipment that is more than 6 decades old…”

      Who said that? Not me. Not Zuercher.

      Zuercher said that because the control systems are mostly analog, they are not subject to a hacking threat. He did not opine whether or not ancient analog systems are “safer” than any alternative. That was you inserting your interpretation of the implications of what he said.

      It’s fine for you to criticize what someone else says. But criticize what they actually say, not the way you mangle what they say.

  5. LarrytheG Avatar

    naw.. that’s not a valid complaint Jim.

    He DID opine that was less vulnerable to hacking – at the SAME TIME you were opining about the risks of cyber hacking.

    You did set the context… there was no “mangling” here but this is a pattern of walking up to a line and implying something then claiming it was not implied.

    You did link the two… you oughta own it..

    claiming that analog is less susceptible to cyber hacking – at the SAME TIME – you are opining about Cyber-hacking?

    come on… I’m going to start calling Sneaky Pete…here..

    Despite all that effort, it appears that Putin’s hackers still are finding ways to break through.

    Perhaps the best defense for North Anna is the age of its plant and its continued reliance upon old, analog controls.

  6. Analog versus digital?? Does anyone really think that 6-decade-old analog controls make NA1 and NA2 “safer”? Does anyone really think that on today’s fine-tuned grid, 2000+ megawatts of generation are sitting there operating without any modern computerized links with or control by the grid system operators sitting in Dominion’s control center in Glen Allen or PJM’s control center in Valley Forge, PA? What outrageous BS! — almost on the scale of Dominion’s scam to keep its retail overcharges to “rebuild the grid” which the regional grid system operator, PJM, says will generally be “just fine, thank you” over the planning horizon.

    Of course, any computerized utility system these days is not only digital-based, but highly automated, and tightly linked to the system operators’ computers and to the other adjacent regional grids. Cybersecurity is a big concern, not only because things happen so fast on the grid but also because they are so interconnected. Want to know more? Here’s a recent popular book on the subject:,204,203,200_.jpg
    One aspect of every utility’s vulnerability is the very interconnectedness of the grid: every computer control has to be interconnected in order to have a comprehensive, quick response to changing conditions under the control of one regional system operator. And that means the computers in each utility have to be able to talk to one another. And that means all an outside agent has to do is penetrate the weakest security link in order to “get inside” the grid. As Ted Koppel points out, the most vulnerable utility computer is not going to be one of Dominion’s control center mainframes but the little laptop that someone in a small town in Southwest Virginia uses to log in with operating data from a little municipal hydro plant that powers a remote sewage pumping station. Once the bad guys have any portal into the grid, they can do damage to all of it.

    1. “Does anyone really think that 6-decade-old analog controls make NA1 and NA2 ‘safer’?”

      Acbar, that is not what Zuercher said. He said that the operational side of Dominion’s nuclear facilities is not subject to a hacking threat. Hacking is only one dimension of “safety.” Zuercher made no comment about other dimensions.

  7. LarrytheG Avatar

    Cyber-security in many respects is no different fundamentally that physical security.

    No military base or other government facility is so secure that it cannot be penetrated if the perpetrators are committed enough and skilled enough.

    They can also get in – in plain sights as impersonators and spies….

    So you have a similiar situation with cyber – i.e. some agencies have layer after layer of firewalls and numerous other safeguards – for instance, one way is to check all system files every day to see if they have been corrupted… etc… the point being that cyber security requires just as much time and effort as physical security but some companies and industries have notoriously not taken it seriously – and that includes the electric utilities… who absolutely must UP their game in the 21st century.

    It’s axiomatic and ironic that in Dominion’s case that they are also fighting other technologies that threaten to overwhelm their preferred business model of trying to build and use obsolete technology to sell lots of electricity at a good profit for their investors – so not at all surprised that they cite “analog” as a “feature” of their defense efforts!

    ouch ouch ouch

  8. […] The 4 1/2-feet-thick dome wall “is built to take a licking,” says B.E. Standley, the Dominion executive in charge of nuclear power plant safety. “It can survive anything short of an asteroid strike or zombie apocalypse.”  Continue reading ? […]

Leave a Reply