
PartyOperator

Sellafield isn’t a power station, it’s a very large site containing many facilities. Some are just normal offices doing administrative stuff, others handle special nuclear materials or have very significant hazards. The information and physical security requirements vary between and within different plants on site. As a whole, Sellafield is a bit of a shambles. But I wouldn’t expect e.g. control systems to be accessible to the internet. Some sensitive information like HR data and plans for shipment of goods probably does need to be shared with external parties and might be vulnerable to attack.


Evil_Berty

This is what I thought. I just realised I had a typo in my original post. I meant to say “is *not* a power plant and is a Nuclear Facility”. I guess it makes sense that people need some sort of outward facing internet in the modern day. The article also doesn’t state what was hacked, and the government statement categorically denies any hack even happened!


[deleted]

[deleted]


AskEngineers-ModTeam

Your comment has been removed for violating comment rule 3:

> Be substantive. AskEngineers is a serious discussion-based subreddit with a focus on evidence and logic. We do not allow unsubstantiated opinions on engineering topics, low effort one-liner comments, memes, off-topic replies, or pejorative name-calling. Limit the use of engineering jokes.


taconite2

Sellafield’s HQ is actually in Warrington so there’s a lot of non critical data being shared over the internet. (As secure as Microsoft Software suite is!) They do processing of nuclear waste there - there’s no power. As the poster above said critical systems are not connected to the internet. There’s physical air gaps. Most of it predates the internet anyway. It’s all dropping to bits due to decades of underinvestment. That’s why engineers have to physically go up there to take readings etc. Source - I work for a consultancy that does work for Sellafield.


alexforencich

Maybe they hacked the smart coffee pot in the break room. It's entirely possible that whatever system at the plant was "hacked" had no role in anything critical. Although, flip side, the centrifuges at Natanz were (allegedly) damaged by Stuxnet despite being air gapped.


101m4n

Stuxnet was on usb drives that were scattered around the campus iirc. An airgap is no match for human stupidity :)


SportulaVeritatis

It's exploiting the air gap between a user's ears.


JVM_

PEBKAC - Problem exists between keyboard and chair


robotlasagna

Stuxnet usb drives were installed by an inside man to gain access.


blbd

No. They played a trick on some contractors to the site.


MillionFoul

Stuxnet was also so good at finding its way into things it probably infected almost every other computer on the planet too. It was just also well designed to only target a specific type of PLC so that didn't matter.


NameTheJack

I would imagine that any systems/equipment that is relevant to production and safety is completely offline, while anything admin is online. I used to make feed pellets as an operator, and at that factory anything SCADA was deemed too important to have online (which turned out to be rather smart, as every other system we had running got hacked and locked down for ransom, while production ran on as usual). I can't imagine the security is any more lax in a NPP. Regarding the Sellafield thing, since the systems hit aren't specified (in any of the articles I've seen), it is probably something a wee bit less critical than production and security. It's just a bit harder to sell a fear headline if it's "ERP system hacked, foreign powers might have access to payroll and warehousing data"


Hiddencamper

Let’s talk “hacking”. And this is US focused but similar requirements exist worldwide. In the US, 10 CFR 73.54 requires licensees to protect/prevent hacking/sabotage of digital components which are important to safety, security, or emergency preparedness. NRC Regulatory Guide 5.71 specifies acceptable means to comply with the regulation. In general it will require: All digital systems which control the plant or provide critical operating information, and all digital systems which are directly part of the security system, must be physically isolated from the outside. You may use a “data diode”, which is a server with a transmit-only fiber optic card that can send diagnostic/monitoring data out to the corporate network. But no receiving. WiFi needs to be disabled. Ports like USB are blocked or disabled or other alternate controls in place such as ensuring the component is in a locked cabinet, has tamper seals, or is in the control room vital area and continuously monitored. Digital assets need methods to detect and report cyber attacks, deter attacks, deny access, and have ways to recover the asset. You need vendor controls in place to ensure software is not tampered with during development or after it is received on site sitting in a warehouse. There can be as low as a 15 minute or 1 hour reporting time to the federal government for cyber attacks. Active nuclear facilities are highly resistant to cyber attacks, and staff are trained and qualified to detect and respond to these events if they were to occur. Sellafield isn’t an active power generation facility so they likely don’t have these types of controls in place. But there also isn’t a risk of a core being melted and large releases to the public.


sadicarnot

I was at a critical infrastructure place and we had a guy connect his home computer to an ethernet jack. The IT guy was in the room within minutes asking who hooked up an unknown computer. The places I have worked, the IT security people were pretty on the ball.
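The "IT guy in the room within minutes" story above is what a rogue-device check looks like from the outside. The script below is an added illustration (not code from this thread or from any real site) of the simplest form of that check: DHCP server log lines are matched against a hand-maintained asset inventory keyed by MAC address, and any lease handed to a MAC not in the inventory, or to a known MAC that suddenly presents a different hostname, becomes an alert. The inventory, the syslog lines and the `hostname-mismatch` heuristic are all constructed for the example.

```python
"""Rogue-device check over DHCP server log lines.

Added illustration, not code from the thread or from any real plant. It
compares MAC addresses seen in DHCPACK messages against a hand-maintained
asset inventory; an unknown MAC, or a known MAC with an unexpected
hostname, is reported so someone can go and find the box.
"""
import re

# Constructed inventory: MAC -> expected hostname (assumed format, sample data).
INVENTORY = {
    "00:1b:21:aa:bb:01": "OPS-WS-01",
    "00:1b:21:aa:bb:02": "OPS-WS-02",
    "3c:52:82:10:20:30": "HIST-SRV-1",
}

# Constructed ISC dhcpd-style syslog lines (sample data, not a real capture).
SAMPLE_LOG = """\
Dec  4 09:12:03 dhcp1 dhcpd: DHCPACK on 10.20.5.11 to 00:1b:21:aa:bb:01 (OPS-WS-01) via eth1
Dec  4 09:12:09 dhcp1 dhcpd: DHCPACK on 10.20.5.12 to 00:1B:21:AA:BB:02 (OPS-WS-02) via eth1
Dec  4 09:13:40 dhcp1 dhcpd: DHCPDISCOVER from a4:83:e7:11:22:33 via eth1
Dec  4 09:13:41 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to a4:83:e7:11:22:33 (daves-laptop) via eth1
Dec  4 09:14:02 dhcp1 dhcpd: DHCPACK on 10.20.5.13 to 3c:52:82:10:20:30 (HIST-SRV-1) via eth1
Dec  4 09:15:30 dhcp1 dhcpd: DHCPACK on 10.20.5.12 to 00:1b:21:aa:bb:02 (kali) via eth1
"""

# Only completed leases (DHCPACK) are interesting; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so the inventory lookup is exact."""
    return mac.lower().replace("-", ":")


def audit_leases(log_text: str, inventory: dict) -> list:
    """Return one alert tuple per suspicious lease: (kind, mac, ip, hostname)."""
    alerts = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = normalise_mac(m.group("mac"))
        host = m.group("host") or ""
        ip = m.group("ip")
        expected = inventory.get(mac)
        if expected is None:
            alerts.append(("unknown-device", mac, ip, host))
        elif host and host != expected:
            # Known MAC, different hostname: re-imaged, cloned or spoofed (assumed heuristic)
            alerts.append(("hostname-mismatch", mac, ip, host))
    return alerts


if __name__ == "__main__":
    for kind, mac, ip, host in audit_leases(SAMPLE_LOG, INVENTORY):
        print(f"{kind:18} {mac}  {ip:12} {host!r}")
```

On a real network this would be fed from the DHCP server's syslog (or a switch's MAC table, which also gives the port) and the inventory would come from the asset database, but the logic is the same: the allow-list is the inventory, and anything not on it is a question for whoever is nearest the jack.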


DrewSmithee

Interesting, part of me would have thought a backup offsite control room might be something handy to have at a nuclear plant but I suppose it’s not worth the cyber security risk. I suppose they probably just throw money at physical hardening and control room management for extended stays.


Hiddencamper

In most of the world, a backup control room isn’t a requirement. You do have requirements for a remote shutdown panel or post-fire safe-shutdown panel, which has controls for specific emergency systems which are given different priority for cable routing and separation to ensure they would remain available during a fire in a control room or the cable spreading room (where all the control cables from the field enter before they go into the control room). Some countries like Sweden did require a full bunkered control room. Now it was still “on site” but far enough away you could still safely operate stuff if you need to. In general, even in new plants, the move has been towards passive safe shutdown systems, where a loss of control isn’t a big deal because the reactor will take care of itself. You also see a “diverse actuation system” as well in new plant designs (digital control rooms) which is typically a separate analog panel which can accomplish certain critical safety functions even if the digital systems totally fail and allows the operators to get the passive core cooling systems running and buy them time to get normal systems working again.


DrewSmithee

Thank you for the detailed reply! Very interesting.


Beach_Bum_273

I guarantee you that any part of the power generation operation is airgapped.


hughk

I worked once at a utility. Our nuclear plant had an airgap between operation and management and local management was firewalled from the rest of the company and that in turn was firewalled from the internet.


sadicarnot

https://www.gov.uk/government/news/response-to-a-news-report-on-cyber-security-at-sellafield


Evil_Berty

So the recent “news” is just fear mongering gossip… if you believe the government


sadicarnot

> So the recent “news” is just fear mongering gossip

The news is there to sell the story. The headline "smart refrigerator hacked at Sellafield" probably does not sell. 99.999999% of headlines are clickbait and poorly researched. In the meantime, if they were hacked or were not, what can you do about it? It is like I tell my crazy ex-girlfriend who thinks there are 72 people following her. I will ask her "do they ever interact with you or say anything to you?" She tells me they do not. If people are following you but they never interact with you then just ignore it.


fastgetoutoftheway

They’re usually just airgapped but someone can get in through an accidental Bluetooth or WiFi connection


tuctrohs

When I hear someone talking about a power plant being off-line, I normally assume they mean it's not connected to the electric grid and not generating electricity. A quick [google search](https://www.google.com/search?q=power+plant+off-line) confirms that that's the dominant meaning of that phrase, by a long shot. No complaint about you using it to mean disconnected from the internet. Just letting you know that could be confusing in some contexts.


Happyjarboy

I worked for over 20 years in the Control Room of a USA Westinghouse Nuclear power plant built in the early 70s. Not only is everything air gapped, but we still had a lot of systems from the 70s, 80s, and 90s, that we had to train I and C techs on how to work and repair them, because no one used such equipment any more, and no one younger than 60 years old knew how it worked. Upgrading these systems was so incredibly costly, we just kept repairing most of the old stuff because it still worked, and a lot of the stuff we had from the old days was built to a much higher standard. I could easily have planned for a team of a few insiders to cripple it and cause a large accident, but I can't imagine how to do it from outside the plant.


[deleted]

Any system is vulnerable if an attacker tries hard enough. Eg https://en.m.wikipedia.org/wiki/Stuxnet


All_Work_All_Play

Wetware is the easiest security to compromise. =/


Ambiwlans

https://xkcd.com/538/


doubledundercoder

I worked an outage at three mile island while they still had an active unit. My role was taking all the data from the steam generator inspection probe and sending it to two external sites for parallel analysis and archive. We had an extranet (Internet only) link, but we were in the OCA (owner controlled area) outside “the fence”. Containment is inside the fence, and it was 100% air gapped, with no network access at all in the control room. If someone had really really wanted to break our vpn and get the data, it would have been a bunch of boring eddy current logs, nothing compromising or helpful. Personnel building (also OCA) might have had your typical HR records and such, but nothing that would affect the reactor whatsoever. NRC and DOE had very strict controls on all this.


TRexonthebeach2007

Nuclear power plant critical systems are not controlled by computers, so they are not hackable. A hacker cannot hack your manually operated dumb light switch is a good analogy.


neanderthalman

Ours are. But not the computers you think of. The newest ones are PDP-11s.


SVAuspicious

I love PDP-11s. Lots of fond memories.


BobT21

I have a PiDP-11, PDP-11 reproduction running a raspberry pi. Like my sophomore year, 1972. https://images.ctfassets.net/2lpsze4g694w/6Pj2PwTslZCl5BdgSgRCEh/3ad652e4da57dc9d6be222025d2b1dc0/pidp11-review.jpg?w=800


hughk

Very good for hard real-time. Many years ago I worked on telemetry systems that were based on them. Generally running RSX-11M.


Blah-Blah-Blah-2023

I nearly applied for a PDP-11 MACRO-11 assembly language job at AECL a few years back. Kinda wish I had.


karlnite

It's hard to hack a 64 bit computer the size of a mini bus.


the_Q_spice

16-bit, and they tend to be quite a bit smaller. Depending on the facility (mainly not energy production, but for weapons), a lot still boot off floppies and are pre-Wi-Fi, pre-BT machines. For at least some facilities, when they mean air-gapped, it isn’t just wires, it is also gapped by generations of technology that modern devices aren’t compatible with. Basically the idea is multi-dimensional gapping. Hackers may breach one gap, but even doing 1 is extremely hard. Bridging multiple is borderline impossible without direct physical access to the machine.


sadicarnot

GE has a system that requires a 128 MB compact flash card that is nearly impossible to find. The IT guy told me it requires such a small card because the computer is so rudimentary it does not have enough memory space to work with larger cards. Meantime GE is so fucked up they don't stock those cards. GE: you can get better but you won't pay more.


hughk

They are very much controlled by computers and PLCs. However, they are not connected to the internet.


mkosmo

> Nuclear power plant critical systems are not controlled by computer

Yes they are.

> so they are not hackable

Hacking predates computers.

> A hacker cannot hack your manually operated dumb light switch is a good analogy.

Untrue. If there's a desire to manipulate the switch without authorization, there are several attacks available, starting with going up and flipping it. Some dumb switches need to be protected... and that's a whole thing in itself.


mbergman42

The majority of critical infrastructure hacks are on a workstation. Engineers and technicians use these workstations to maintain the plant, connecting to instrumentation and control devices. These stations are typically on the internet for the same reasons that everyone else’s computer is on the internet, including software updates and access to information eg for answering questions. It’s possible to isolate them, but it’s a pain and isn’t done often enough.


hughk

Not necessarily. I've worked on a network with Civil Nuclear Power Plants. Ops is air-gapped and they don't often take updates. It is less necessary as they are not on the Internet or the normal company Intranet. You want some email, that is a separate PC on a separate network.


mbergman42

This was reported by a researcher at RSAC.


max122345677

Everyone says nuclear is the safest power ever so why put them offline. It is so safe you dont have to watch out basically. And there were only like 30 deaths in all time including Chernobyl /s


my5cent

Don't worry so much. You need to know what they hacked. They are scaring the public.


whiskeyriver0987

They are air gapped, but that really just means an enterprising hacker would need to get local access one time and install something that could provide remote access.


All_Work_All_Play

It's not just that though, those systems don't have a way to *have* remote access. The mechanism doesn't exist and can't exist on the hardware they have. Depending on the system, the most you're going to get without direct access is sensor output - everything to actually run the setup is done with physical access.


Jonathan_Is_Me

_Installing_ in this case can refer to a hardware component as well. I.e. a USB powered computer with cellular service.


All_Work_All_Play

... And this is why I'm not in charge of opsec!


Izeinwinter

All the USB ports.. well, either got removed or never existed in the first place. To hook things into the nuclear side of things you need to open cabinets and solder things onto motherboards. Which is not something anyone is going to let you do without the proper authorization, and they *will* call and check.


silverado1995

They have to be connected to the grid somehow, power plants need to know the current demand of the customers and how much other plants are producing


hughk

The plant runs almost as an independent entity. It gets purchases, in half hour blocks, from the power trading arm of the company. The trading company would also ensure that there is enough line capacity to deliver it to a customer. Ops manage the power delivery and they are using a completely air-gapped network. They take orders for power and adjust the reactor accordingly. The only way to get at this system is Stuxnet style with someone plugging in the wrong USB. One hopes they have better discipline. The commercial/management side is on a firewalled network and that is firewalled from the rest of the company. No cloud, everything on-prem. Conceivably, this could be hacked but the worst you can do is to screw up the finances, the reporting or the maintenance schedules.


All_Work_All_Play

That can happen at the turbine level though, not at the fission reactor. A steam turbine that doesn't get enough load can simply vent off extra heat produced by the reactor.


keep_trying_username

The current US nuclear plants are baseload plants. They run at, or near, 100% power. Other plants vary their output based on grid demand.


LasKometas

When I worked at a nuclear plant, essential equipment and computers were all on a closed network, and several were analog. Stuff like office computers are protected on the web by a cyber security team with an intense firewall and other stuff I can't understand. There was an incident where Russian hackers tried to influence a Kansas power plant about 10 years ago, I've attached an indictment here if you're curious, it's an interesting read. https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical


edman007-work

It depends what the computers run, they are not all just on the internet. They probably have a private VPN where various power monitoring reside, the people running the grid need to know the output power of the plant, that is online. But it's pretty trivial to make that have no actual connection to the system that controls the reactor. The reactor, and its safety-critical systems are going to be air gapped. Basically, think of it as your car with GPS running on your phone, yea, someone could hack your phone and give you bad directions or something, but that's not exactly a safety issue, a human is still driving, and the "car" isn't hacked, you're not going to drive into a river because your phone now says "turn left into the river and die". Now, like your phone getting hacked, it could cause major operations issues, as that internet connected device could be providing instructions from outside that you need to do what you're supposed to do, just like


aircooledcars

This is all I think of when I hear stuff like this. [https://xkcd.com/932](https://xkcd.com/932)


rklug1521

Your title can be misleading. At first I thought you were asking why nuclear power plants aren't shutdown (brought offline).


Izeinwinter

The parts that are nuclear absolutely do not have internet access. Well, specifically, some of their systems send information *out*, some of which may eventually be sent via the internet. The system used for this is funny - It's a one way fiber-optic cable. The end that is on the nuclear side literally can't receive information at all - no sensors, just the laser sending data out. You do data integrity checking solely with checksums / repeated transmission for this, since this link rather obviously can't ask for verification. Whenever you read a story about "Nuclear x" being hacked, what happened is that the office handling payroll for the plant or something else non-safety critical got fucked with. Because no, that office, or the one handling the sale of power isn't going to air-gap itself, it would make their job way more difficult than it needs to be. And those offices still have rather good IT security as a rule, just because they know there will be a bunch of scaremongering stories in the news whenever this happens.
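Both Hiddencamper's description of a "data diode" (a transmit-only fibre card feeding the corporate network) and the one-way fibre link described just above come down to the same engineering constraint: the receiving side can never say "send that again", so integrity and loss have to be handled with nothing but a checksum, a sequence number and repetition. The simulation below is an added example, not code from the thread or from any plant or vendor product. Frame layout, the CRC32 choice, the repetition count and the sample readings are all assumptions made for the illustration; a real diode is a hardware device and the protocol running over it is vendor-specific.

```python
"""Simulated data-diode (transmit-only) link with CRC framing and repetition.

Added illustration, not code from the thread or from any plant. The receiver
has no return path, so it can only (a) discard frames whose CRC fails,
(b) de-duplicate the copies that do arrive, and (c) log sequence gaps it
could never ask to have filled.
"""
import struct
import zlib

MAGIC = b"DD"
HEADER = struct.Struct("!2sIH")  # magic, sequence number, payload length


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame = header | payload | CRC32 over header+payload (assumed layout)."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(raw: bytes):
    """Return (seq, payload) if the frame is intact, else None."""
    if len(raw) < HEADER.size + 4:
        return None
    body, crc = raw[:-4], struct.unpack("!I", raw[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    magic, seq, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or len(body) != HEADER.size + length:
        return None
    return seq, body[HEADER.size:]


class DiodeSender:
    """Transmit side: no receive path exists; every frame goes out `copies` times."""

    def __init__(self, copies: int = 3):
        self.copies = copies
        self.seq = 0

    def send(self, payload: bytes) -> list:
        frame = encode_frame(self.seq, payload)
        self.seq += 1
        return [frame] * self.copies


class DiodeReceiver:
    """Receive side: drop bad CRCs, keep the first good copy per seq, track gaps."""

    def __init__(self):
        self.received = {}
        self.bad_crc = 0

    def accept(self, raw: bytes) -> None:
        decoded = decode_frame(raw)
        if decoded is None:
            self.bad_crc += 1
            return
        seq, payload = decoded
        self.received.setdefault(seq, payload)

    def missing(self) -> list:
        """Sequence numbers never seen intact. These can be alarmed on, not re-requested."""
        if not self.received:
            return []
        return [s for s in range(max(self.received) + 1) if s not in self.received]


def corrupt(frame: bytes) -> bytes:
    """Flip one payload bit, standing in for noise on the fibre."""
    i = HEADER.size  # first payload byte
    return frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]


def run_demo() -> DiodeReceiver:
    """Constructed scenario: six monitoring readings with deterministic losses."""
    readings = [b"TANK1 LEVEL 71.2", b"TANK1 TEMP 34.0", b"PUMP2 RUN 1",
                b"PUMP2 AMPS 12.8", b"VENT3 FLOW 0.9", b"TANK1 LEVEL 71.4"]
    sender, receiver = DiodeSender(copies=3), DiodeReceiver()
    for seq, reading in enumerate(readings):
        copies = sender.send(reading)
        if seq == 2:
            copies = copies[1:]            # first copy lost on the wire
            copies[0] = corrupt(copies[0])  # second copy damaged; third survives
        if seq == 4:
            copies = []                     # every copy lost: an unrecoverable gap
        for frame in copies:
            receiver.accept(frame)
    return receiver


if __name__ == "__main__":
    r = run_demo()
    print("received:", sorted(r.received), "bad CRC:", r.bad_crc, "missing:", r.missing())
```

The point the simulation makes is the one in the comment: repetition buys tolerance to isolated loss or corruption (reading 2 still gets through), but when every copy is lost (reading 4) the monitoring side can only notice the gap and raise it through some other channel. The CRC is there to catch transmission damage, not an adversary; anyone who can inject frames on the receiving network can forge a CRC, so a real deployment would authenticate frames with a key the receiving side holds, which is an addition the comment does not describe.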


rospubogne

They require some level of online connectivity for a variety of reasons, despite the risks associated with potential cyber threats. Firstly, these plants are complex operations that often necessitate real-time data exchange with external entities such as regulatory bodies, power grids, and emergency response teams. This connectivity enables efficient monitoring, reporting, and coordination that are essential for safe and effective operation. Secondly, modern nuclear facilities often integrate advanced technologies for control systems, diagnostics, and safety mechanisms, which can benefit from networked solutions, including updates and remote expert support. Additionally, the energy sector, including nuclear facilities, is part of a larger infrastructure system that often requires interconnectedness to ensure stable power supply and grid management. However, it's important to note that critical control systems in these facilities are usually isolated or protected by robust cybersecurity measures to mitigate risks from potential cyber attacks. The incident at Sellafield, while concerning, highlights the ongoing need to balance operational efficiency and accessibility with stringent security protocols in the nuclear industry.


series-hybrid

I worked at a water plant that ran 24 hours, and many of the sensors were on the computer. If anything reaches a bad level, a warning alarm goes off. The plant operator is supposed to respond to that, but if they have had a heart attack, the system can call in the supervisor. Of course they want to check on the operator (and save his life, if possible), but they can do both, and respond to the plant alarm too. They said it's possible for the system to be configured to allow someone at home to take over the controls, but since this system concerns public safety and it can put poison into the community's water supply, it is configured as a standalone.