Engineering researchers at Oregon State University are collaborating on a new project to help protect the nation’s nuclear power plants from a possible cyberattack.

The three-year project, funded with a $500,000 grant from the Nuclear Regulatory Commission, will develop tools and frameworks for assessing the cybersecurity of nuclear plant control systems, enabling nuclear specialists to predict, via computer simulation, the impact of a potential cyberattack on a nuclear plant.

“The unlikely, but plausible, event of a cyberattack on a nuclear facility could be disastrous,” said Camille Palmer, associate professor of nuclear science and engineering, who is principal investigator on the project. “It is imperative that the nuclear industry understand and have a methodology to quantify this risk, so as to best protect critical assets at the plant and ensure safety.”

Palmer, whose professional interests emphasize international nuclear security and nonproliferation, is joined on the project by two cybersecurity experts as co-PIs. Rakesh Bobba, associate professor of electrical and computer engineering, specializes in the design of secure and trustworthy networked and distributed computer systems, with an emphasis in cyber-physical critical infrastructures. Yeongjin Jang, assistant professor of computer science, focuses on computer systems security, especially for identifying and analyzing emerging attacks.

In recent years, cyberattacks involving malicious software — such as the Stuxnet worm thought to have crippled Iranian nuclear facilities in 2009 — have demonstrated the ability to target industrial control systems, even where facilities are protected by multiple layers of security and are on an isolated network. Those control systems are similar in nature to those used in nuclear facilities.

“With the increasing adoption of digital instrumentation, control and communication systems, it is vital to understand the interdependencies between the cyber infrastructure in nuclear control systems and the underlying physical plant operations,” Bobba said. “Critically, we need to establish a risk-based methodology to assess the impact of vulnerabilities and cyberattacks on such control systems.” 

The Oregon State research will employ what is known as dynamic probabilistic risk assessment — an established methodology for simulating a physical scenario that develops over time – in this case a cyber-attack. To this end, the team will analyze the dependencies between the cyber and physical systems, as well as identify potential attack paths. The research will link cybersecurity threat models with RELAP5-3D, a nuclear power plant simulator developed at Idaho National Laboratory for reactor safety analysis. 

This grant is the first externally funded collaboration at Oregon State spanning the two engineering disciplines in the emerging field of nuclear cybersecurity. Palmer says the collaborative aspect of the work is particularly appealing to her.

“The NRC is working to quantify a risk-informed approach to regulating the nuclear industry to prevent and protect against cyberattacks,” Palmer said. “This project integrates expertise across the College of Engineering to link cybersecurity threat models with state-of-the-art simulation tools. The research will provide risk-informed security metrics through understanding of cyber risks and vulnerabilities associated with nuclear plant instrumentation and control.”