Cyber Wars in Modern Times, Stuxnet v.0.5
In year 1999, Middle East Technical University (METU) administration in Ankara terminated 30 years of nuclear education.
By year 1999, METU graduates had already completed more than 2000 M.Sc. and Ph.D. Theses on the subject, all piled up at the METU Library. METU turned to more environmental and renewable energy education. Subsequently METU administration publicly announced that it has no intention to reopen the nuclear science engineering department.
Nuclear power plant design, engineering, manufacturing, installation and operation are sub-disciplines of mechanical engineering. Working principle of a nuclear power plant highly resembles to that of a thermal power plant. Instead of a fossil fuel, nuclear fuel is used to generate heat and electricity in a nuclear power plant. The core of nuclear fuel aside, a nuclear power plant’s design is identical to a thermal power plant. Therefore we, mechanical engineers, can not distance ourselves from nuclear technology.
It was made public by NewYork Times in June 2012 article that, by joint work of the U.S. and Israeli computer scientists, a new secret and special computer virus named “Stuxnet v.0.5” was produced in 2007. In year 2009, with the permission of the President of the United States, the virus was infiltrated into Iran’s Nuclear Power Plant control center by using an USB memory stick. In Busheir, where Iranian Natanz nuclear power plants are located, Siemens SCADA control center computers were infected. Most of the nuclear centrifuges were out of work. All computers in the power plant, plus all home PCs of the employees went into the trash. It is reported that this event delayed the plant start-up process of the construction more than 2 (two) years.
In the meantime, the virus was isolated by Iranian computer engineers. Stuxnet’s software architecture have been analyzed and then with or without intentionally it has been released to the global environment via internet for reprisal.
In early 2013, the U.S. Department of Homeland Security has announced that, 2 (two) unnamed nuclear power plants in the USA were plagued with new clone virus. Plants were said to have stayed out of operation for almost 3 weeks due to virus attack into their computer control centers.
We estimate that the cost of loss of electricity generation is to be millions of U.S. Dollars at prevailing US electricity prices.
Stuxnet Virus v0.5 and the new clone virus produced from it (Flame) have become a very dangerous sort of an industrial war weapon. They can be considered as new weapons of industrial mass destruction (WIMD) so to speak, if that is not an exaggeration. In the near future, these viruses may not only stop the operation of a nuclear control system, but may also be able to initiate involuntary operation of a plant.
In case of a fatal accident, some functions may not be performed, or performed without full control, such as opening or closing valves. Security systems may not work, may work improperly, or in an unintended way. Power plants, water distribution systems are most vulnerable systems for such cyber attacks.
In the end, new “Three-Mile Island,” “Chernobyl” or “Fukushima” men-made disasters may be recreated. What-if, such attacks are directed at the Akkuyu Nuclear Power Plant control room computers, and how do we control the necessary cyber security precautions, to repulse the cyber attack? Would we have a defense weakness/ vulnerability in the middle of nuclear calamity? It seems like as a science-fiction disaster, but it’s a cold/ merciless reality.
Normal market based bidding methods to acquire nuclear power plant in Turkey could not be finalized in the past. In the end, political power decided to pass a legislation in year 2010, by placing a direct order to our Northern Neighbor for a nuclear power plant. It was a political decision without public scrutiny, and without any market competition.
Northern Neighbor has directly received the contract for Akkuyu nuclear power plant project. The first ball-park project budget was declared as 20 billion U.S. Dollars with the completion date of 2020. Revenue would be generated through electric sales to the local market, at treasury guaranteed figures determined upfront. However, most recently project overall cost has been increased, and the commercial operation date seems to be shifted forward.
In the contractor group, we know that there exists no Turkish shareholder. Waste control and central computer controls and plant safety are not clearly laid out for the public. We locals have no share, no direct construction participation, and we do not have a control over the technology, and its safety control mechanism. Moreover there is almost no technology transfer. We need nuclear power technology. However, we need to ask what extent if the contracted nuclear capacity, technology, its location, and the method is right? It is a political investment project, therefore it can be financed under the terms of a political project financing. Political financing has limitations. Political credit ends in time. Big investment projects also need commercial loan. For political projects, it is difficult- even impossible, to find commercial loans.
There are also questions on basic design of the project, for instance,
How do you design the cooling system of this power plant by using the available very hot (+30 +/- 2 C) nearby sea water? Is there any contradiction with thermodynamic principles?
How will you control the nuclear waste? How will the nuclear waste be transported, moved, stored or dumped, and to where?
“May God bless and save us all”, in case of any nuclear accident or disaster, how shall we save the local people? Is there any “emergency evacuation plan”? What is it? Where is it?
Every year we send our (100) selected young students for nuclear education to our Northern Neighbor’s nuclear educational facilities. They will receive education/ training on nuclear physics and nuclear power plant operation, but not as nuclear design engineers, scientists, rather as trained operators of nuclear power plants. How shall we assign responsibility of the operation of the new nuclear power plant to our inexperienced new graduates?
Again with the same out of market direct contracting procedures in the past, we previously have contracted industrial installations to our Northern Neighbor. Earlier, Orhaneli 210 MWe coal fired thermal power plant in Bursa, Seydisehir Aluminum Plants, Iskenderun Iron and Steel factory were built in our environment, but they did not work properly, and could not be operated uninterrupted in the long term.
They were designed for the very cold climate of the Northern Neighbor, hence they could not be adjusted to our hot environment . They degraded fast in operation without having market compatibility or continuity.
European Network and Information Security Agency (ENISA) enforces security measures against such cyber attacks within the union. Agency is formed after deliberate cyber attacks to banking and financing centers of new member state Estonia in year 2007.
In France, almost 80% of the electricity is generated from nuclear plants. All the plants are of French design, built by French engineering, manufacturing, scientific, cyber security capability. Their entire engineering and design staff are French nationals, engineers, scientists. Although their waste management, their plant control system, and waste disposal systems have problems. They solve their problems by themselves.
Please do check if there is any nuclear power plant on the cost of Mediterranean sea. There was one French design in Barselona Spain, now mostly out of operation. There is a new contract signed by Russians with Egypt to construct identical Akkuyu NPP at 30 billion US Dollar budget on Alexandria Med Coast within 10 year time span.
In our case, we are completely alien to the project. We are all outsiders since ours is totally foreign to us. We still believe that METU could be the center of excellence for educating more scientists and engineers, not only for nuclear technology but also on cyber security. Your Comments are always welcome.
This article is first released in EurasiaReview web site.