While the “Internet of things” may not live up to the hype, the world is going digital. It seems like an inexorable trend away from analog at gigabit speed. In some odd way the move to digital is like a self-fulfilling prophecy as we hard-code the potential for a disaster into our future.
There are, of course, several good reasons for this accelerating trend in the control systems domain. Most often we hear statements like ‘digital is cheaper, more convenient (because of remote operation), and more flexible (because of its programmability)’ or ‘we simply can’t find the analog systems or expertise anymore’. During a recent session at the Nuclear Regulatory Commission’s (NRC’s) Regulatory Information Conference (RIC) this sentiment was expressed adamantly by Mr. Tony Pietrangelo, Senior Vice President and Chief Nuclear Officer, Nuclear Energy Institute (NEI) when he said the lack of movement to digital was “shameful”.
While he may well have been expressing the conventional wisdom, it is time for a full and open debate on the issue. The question of whether to go digital or stay analog should not presuppose an answer, but rather a rigorous assessment as to the full set of options and the associated risks to the process being controlled as well as to society at large. If we limited the discussion to the nuclear industry, it can be stated robustly that the many existing nuclear power plants still relying on “outdated” analog reactor protection systems have one big advantage: they are immune against cyber attacks.
Let’s take President Obama at his word that the cyber security of the critical infrastructure is a national security issue. It would seem to follow that if that were true and the hacking of digital safety systems at nuclear power plants was unacceptable, then analog control of safety systems ought to be a viable option on the table. If there was indeed a national security problem that could be solved radically with an analog safety system, there would be a market demand and the market would respond. For example, when the NRC’s guidance suggested that a data diode or unidirectional gateway was an acceptable way to segment the plant network with deterministic results, the market responded with solutions and most plants are implementing this type of technology.
The Back to the Future premise is not a call to abandon all things digital nor is it a suggestion that one size fits all. The optimum solution is likely a hybrid architecture where the benefits of digital systems are enjoyed while the determinism of analog is relied upon as the last line of cyber defense that cannot be crossed.
Every digital solution has a vulnerability. Some of the vulnerabilities are discovered during the design while others are discovered after deployment. You can apply myriad security controls to mitigate the risk, but you can never say the risk is eliminated. You can claim that the risk is really really small or you may use a complex risk calculation and generate a number that indicates the probability is infinitesimal. However, if there was indeed an option for the most critical of critical infrastructure that would eliminate the probability of a cyber attack, then it should be objectively evaluated as an option and not just dismissed out of hand.
Perry Pederson