At the beginning of April, I got the opportunity to attend the 2018 CERIAS Symposium, a cybersecurity conference hosted at Purdue University. It was an absolutely fantastic time! Being an event for ‘academics’, naturally there were some pretty dry parts. However, there were a good deal of incredibly brilliant talks and presentations.

One of them has actually been on my mind, and I’ve been discussing it at great length with a friend who works in the field this talk covered. The talk in question is titled “Online Adversarial Learning of Nuclear Reactor Dynamical State”. Now that is quite the mouthful. To be perfectly honest, I just saw the phrase “Nuclear Reactor” and was interested.

## Nuclear Mumbo Jumbo

So what exactly does “Online Adversarial Learning of Nuclear Reactor Dynamical State” mean? To the best of my understanding, it means “Remote Attacker Learning Of The State Of A Nuclear Reactor”. That’s still not super simple though. Essentially, it gets at the idea that a potential attacker could learn, via the internet, what the measurements of a nuclear reactor’s various parts are.

If that is what it means, I’d say the title is mildly misleading, as the presentation was primarily about how to detect whether an attacker is manipulating the data relating to the reactor’s measurements.

## Who Knows What

Before diving in, let’s discuss what information is out there. What do the defenders know, and what can the attackers find out?

The really big problem is that a lot of these nuclear systems try to rely on security-by-obscurity (which is an inherently flawed security model). However, there isn’t ever total obscurity, as every reactor relies on the same universal laws of nuclear physics. Some specifics of their implementation are trade secrets, but the very basic concept is the same across the board. Furthermore, for some of the advanced systems, there’s often a PhD student who created something similar for their thesis.

In short, this means that aside from a few specifics, an attacker can know pretty much exactly how any reactor works.

## The Gist

For digital files, we use hashes to check file validity and integrity. Essentially, a hash is a fixed-length string of characters generated by running a function over the 1’s and 0’s that make up a file. If the file is unmodified, the result will be the same every time. However, if it’s modified, even by a single character, the hash will be completely different.

So, the basic idea here is to apply this concept to a nuclear reactor: find a way to hash a nuclear reactor. Why not? It can’t be that hard, right?
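To make the file-hash analogy concrete, here is a small added example (constructed for this post, not the author’s code) that records a SHA-256 digest of some made-up sensor readings, verifies a copy against it, and counts how many output bits flip when a single character changes. The sample content and the recorded digest are constructed; nothing here is reactor data.

```python
"""Hash-based integrity check: record a digest, verify later, and measure
how much the digest changes for a one-character edit.

Constructed illustration of the post's file-hash analogy (not the post's own code).
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare it to the recorded one.
    hmac.compare_digest avoids leaking where the two strings first differ."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 256 output bits differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed sample "file": a few lines of made-up readings.
ORIGINAL = b"core_temp=563.2\nflux=1.02e13\nflow=17.4\n"
MODIFIED = b"core_temp=563.3\nflux=1.02e13\nflow=17.4\n"  # one character changed

# What the defender stored when the file was known to be good.
RECORDED_DIGEST = sha256_hex(ORIGINAL)


def demo():
    """Returns (original verifies?, modified verifies?, bits changed by the edit)."""
    return (
        verify(ORIGINAL, RECORDED_DIGEST),
        verify(MODIFIED, RECORDED_DIGEST),
        differing_bits(RECORDED_DIGEST, sha256_hex(MODIFIED)),
    )


if __name__ == "__main__":
    print(demo())
```

For a good hash function, a one-character edit flips roughly half of the 256 output bits, which is exactly the “completely different” property the analogy relies on; a reactor “hash” would need the same sensitivity to tampering while still being stable under normal operation.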

## The Nitty Gritty

It turns out, it’s not really that easy. Nuclear reactors are incredibly complex devices, and finding a way to perfectly detect unwanted state changes involves lots and lots and lots of math and measurements. Perhaps it’s best then to start by learning how we currently check that the reactor is working okay.

### — The Current Way Of Preventing Disaster

Currently, we check if the reactor is working well by reading the data from the various instruments in the reactor that measure their respective quantities (temperature, flux, flow rate, etc.).

Operators also use these super complex differential equations to predict what the next set of data should look like:

• Forward PKE: estimated flux evolution based on input reactivity and external source

$\begin{cases} \dfrac{dP}{dt} = \Big(\dfrac{\rho - \beta}{\Lambda}\Big)P + \lambda C + S \\[6pt] \dfrac{dC}{dt} = \dfrac{\beta}{\Lambda}P - \lambda C \end{cases} \qquad S = -\dfrac{\rho}{\Lambda};\ \rho < 0$

• Inverse IPK: estimate reactivity based on measured “inferred” fluxes

$\rho_n = \dfrac{\Lambda}{P_n}\Big[\dfrac{P_n - P_{n-1}}{T} + \sum_{i=1}^{n} \dfrac{C_n - C_{n-1}}{T} - S\Big]$

The specific parameters of these equations vary based on reactor model, but the basic theory is universal. As long as the current state and the predicted state for the next cycle are within a normal range, all is well. It’s worked fairly well thus far, so what exactly is the problem?
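The following is an added worked example of the two equations above and the “within a normal range” check, written for this post rather than taken from the talk. It assumes a single delayed-neutron group with made-up constants (β, Λ, λ), integrates the forward point-kinetics equations with RK4 to produce an honest power history, infers the precursor term from that history (the “inferred” quantity the inverse formula relies on), recovers ρ_n with the inverse formula, and flags any sample whose inferred reactivity leaves an assumed plausibility band. The tampered series is constructed by overwriting one sample.

```python
"""Forward PKE simulation, inverse kinetics, and a plausibility check on the
inferred reactivity. Constructed example; constants and the 'normal band' are
assumed values, not data from any real reactor."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Kinetics:
    beta: float = 0.0065    # delayed-neutron fraction (assumed)
    Lambda: float = 1.0e-4  # prompt-neutron generation time, s (assumed)
    lam: float = 0.08       # precursor decay constant, 1/s (assumed)


def steady_precursor(P: float, k: Kinetics) -> float:
    """At steady state dC/dt = 0, so C = beta*P / (Lambda*lam)."""
    return k.beta * P / (k.Lambda * k.lam)


def simulate_pke(rho_of_t: Callable[[float], float], T: float, n_steps: int,
                 k: Kinetics, S: float = 0.0, P0: float = 1.0) -> List[Tuple[float, float]]:
    """Forward PKE:  dP/dt = ((rho-beta)/Lambda)P + lam*C + S,
                     dC/dt = (beta/Lambda)P - lam*C.
    Classical RK4 with step T; returns [(P_n, C_n)] for n = 0..n_steps."""
    def f(t, P, C):
        rho = rho_of_t(t)
        return (((rho - k.beta) / k.Lambda) * P + k.lam * C + S,
                (k.beta / k.Lambda) * P - k.lam * C)

    P, C = P0, steady_precursor(P0, k)
    out = [(P, C)]
    for n in range(n_steps):
        t = n * T
        k1 = f(t, P, C)
        k2 = f(t + T / 2, P + T / 2 * k1[0], C + T / 2 * k1[1])
        k3 = f(t + T / 2, P + T / 2 * k2[0], C + T / 2 * k2[1])
        k4 = f(t + T, P + T * k3[0], C + T * k3[1])
        P += T / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0])
        C += T / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
        out.append((P, C))
    return out


def inverse_kinetics(P_meas: List[float], T: float, k: Kinetics, S: float = 0.0) -> List[float]:
    """Inverse kinetics, as in the post's rho_n formula. Precursors are not measured,
    so C_n is inferred from the measured power history, then
        rho_n = (Lambda/P_n) * [ (P_n - P_{n-1})/T + (C_n - C_{n-1})/T - S ].
    rho_0 is reported as 0.0 (no earlier sample; the record is assumed to start at steady state)."""
    C_prev = steady_precursor(P_meas[0], k)
    rho = [0.0]
    for n in range(1, len(P_meas)):
        # explicit Euler precursor update driven by the previous measured power
        C_n = C_prev + T * ((k.beta / k.Lambda) * P_meas[n - 1] - k.lam * C_prev)
        dP = (P_meas[n] - P_meas[n - 1]) / T
        dC = (C_n - C_prev) / T
        rho.append((k.Lambda / P_meas[n]) * (dP + dC - S))
        C_prev = C_n
    return rho


def flag_implausible(P_meas: List[float], T: float, k: Kinetics,
                     rho_limit: float, S: float = 0.0) -> List[int]:
    """Indices whose inferred reactivity lies outside the assumed band |rho| <= rho_limit."""
    rho = inverse_kinetics(P_meas, T, k, S)
    return [n for n in range(1, len(rho)) if abs(rho[n]) > rho_limit]


def demo():
    """Honest history from a small reactivity step, then the same history with one
    sample overwritten (constructed tamper). Returns (rho_estimates, honest_flags, tampered_flags)."""
    k = Kinetics()
    T, n_steps = 1e-3, 5000          # 1 ms samples, 5 s of data
    rho_true = 0.001                 # assumed: small positive reactivity step at t = 0
    honest = [P for P, _ in simulate_pke(lambda t: rho_true, T, n_steps, k)]
    est = inverse_kinetics(honest, T, k)
    tampered = honest[:]
    tampered[2500] *= 1.05           # constructed: one sample replaced by a 5 % larger value
    band = 0.003                     # assumed plausibility band for |rho|
    return est, flag_implausible(honest, T, k, band), flag_implausible(tampered, T, k, band)


if __name__ == "__main__":
    est, ok, bad = demo()
    print(f"recovered rho at end: {est[-1]:.6f}, honest flags: {ok}, tampered flags: {bad[:5]}")
```

The check catches a crude edit because a jump between two adjacent samples implies a reactivity the physics cannot produce. It says nothing about an edit that is itself consistent with the model, which is exactly the limitation the next section describes.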

### — Trust Issues

The problem is that data can be manipulated by an attacker. If an attacker has access to the system and understands it, they can manipulate the data to make everything appear to be within normal range, when it, in fact, is not.

This becomes even more worrisome as the instruments used to collect the data are slowly becoming digital rather than analogue.

Of course, it is still a rather intensive process to generate fake data, as many of the instruments correlate with each other (as one goes up, the other goes down, etc.). But it is still doable if an attacker is persistent and knowledgeable.

### — The New Way

The proposed way to solve this problem is to somehow generate a unique signature for the reactor system itself, and check that against what it is expected to be. However, this is much easier said than done.

#### Close, But No Cigar

There have been many ideas proposed for accomplishing this goal, that sound really good at first, but they have pretty major shortcomings:

• Outlier/Anomaly detection
  • A knowledgeable attacker can manipulate the data to look normal
• Correlation-based signature
  • Again, a knowledgeable attacker can estimate the correct values for data points that correlate with each other and make the data appear normal
• Dimensionality reduction-type signatures (e.g. Principal Component Analysis, SVD, etc.)
  • This one is almost great, but yet again, a knowledgeable attacker can estimate these signatures by using similar system models that are in the public domain

#### The Solution

So, what exactly is the solution to this problem? Well, there isn’t one yet. We have plenty of high-level and mid-level theories for how to do it, but no perfect specific implementations. It’s an ongoing problem that they need cybersecurity majors to help solve.

## Why We Aren’t Doomed

It’s easy to read all this and immediately fear an imminent nuclear-meltdown-caused apocalypse at the flip of a hacker’s keyboard. However, even as a doomsday-prepper conspiracy theorist, I say there really isn’t much to fear here.

To start, these are some of the most physically well protected facilities on the planet. I won’t go into too much detail, but let’s just say these places are prepared to withstand a siege of an entire army.

But of course, the attacks we are talking about are digital. However, this is also an incredibly difficult attack vector. To start, any system associated with the reactor is completely air-gapped. This means it’s disconnected from the internet both physically and logically. As if that’s not enough, they have some of the most advanced cybersecurity systems in place, so even if someone uses an infected USB, it’d probably be detected and removed. However, that USB likely won’t be infected, as these facilities have extremely robust cybersecurity programs that train their employees in how to avoid infection.

So all-in-all, it would be immensely difficult for an attacker to even get their virus into the nuclear power plant - much less to actually be able to make something that not only is undetectable by their network but also that can modify the data that is being monitored to seem legit even while executing a meltdown.