
The Cyber Dimension of the Zaporizhzhia NPP Occupation


The war that began with Russia's full-scale invasion of Ukraine has led to a series of unprecedented nuclear-related situations. During the first 48 hours, Chernobyl—a symbol of the deep-seated fear of nuclear disaster, especially within Europe—was taken by Russian troops.

This was accompanied by reports of radiation spikes, various plots involving dirty bombs and nuclear materials, and Russian soldiers allegedly killed by acute radiation syndrome. In the end, all of it proved to be as fictitious as the reported radiation levels.

We should view these mutual accusations between Ukraine and Russia as part of the information war, which likely didn’t come as a complete surprise to those in the know. For instance, in an insightful piece Politico published documenting the 'first-ever oral history of how top U.S. and Western officials saw the warning signs of a European land war,' John Kirby stated the following:

Without time to recover from the shock caused by the events in the Chernobyl Exclusion Zone, just a few days later, Russia attacked and eventually occupied Europe’s largest nuclear power plant: Zaporizhzhia. 

Four weeks later, Russian forces withdrew from Chernobyl, but they did not withdraw from Zaporizhzhia NPP, which remains occupied to this day. With a new administration taking over the U.S. government, likely to have a significant influence on the conditions and terms for ending this armed conflict—if it ends at all—now seems like the right moment to address a gap in the existing coverage of the Zaporizhzhia NPP occupation: its cyber dimension.

Ukraine: From Non-Proliferation to the Modernization of Its Nuclear Power Plants

After the Soviet Union's collapse in 1991, Ukraine agreed to give up its nuclear weapons under the Budapest Memorandum (1994), in exchange for security assurances from Russia, the U.S., and the UK.  Some might argue that this move has not aged well, given the current situation.

In contrast to non-proliferation efforts, Ukraine continued to rely on nuclear energy for its electricity generation. Before the invasion, approximately 55% of Ukraine's electricity was generated by 15 reactors spread across four nuclear power plants: Khmelnitsky, Rivne, South Ukraine, and Zaporizhzhia.

Since 2001, Ukraine has implemented a highly impressive strategy to modernize its nuclear fleet, transitioning from foreign technologies (USA, France, or Russia) to digital Instrumentation and Control systems designed and built by Ukrainian companies, such as Impulse or Radiy.

To sum up the scenario, before the invasion, Ukraine was operating Russian-designed reactors, such as the VVER-1000 and VVER-440, while simultaneously implementing Ukrainian-designed technologies to enhance safety and operational efficiency. At this point, it’s probably easy to see where I’m headed.

Zaporizhzhia: The First Nuclear Power Plant Occupied During Wartime


Until 2022, there had been no precedent for a fully operational nuclear power plant being seized by foreign occupying forces. This legal limbo left the IAEA in a difficult position as it tried to monitor the safety of the plant, coming under attack, in some cases literally, from the parties involved.

Meanwhile, Russia gradually replaced the original workforce at the plant, evacuating Ukrainian workers and substituting them with Rosatom staff. In this context, besides the mutual accusations of kinetic attacks against the plant, Ukraine and Russia are fighting another battle: the safety narrative. Essentially, Ukraine claims that the Russians are unable to safely operate the Zaporizhzhia nuclear power plant (ZNPP), while Russia attempts to prove that it can.

Russia has never abandoned its plans to restart the ZNPP, obviously for the benefit of the Russian power grid. Recently, Rosatom executives raised the topic once again. However, this will not happen unless the military hostilities around the plant cease. At least, that’s the implication from the Kaliningrad negotiations between the IAEA and Rosatom.

For now, let’s consider the ZNPP simply as a piece of land, with no operational activity. There are two obvious scenarios: either Russia withdraws from the ZNPP and the plant is returned to its legitimate owners, or Russia remains.

In both cases, the ultimate goal of the ‘winner’ will be to restart the ZNPP, and this is where the ‘cyber’ aspect of the occupation begins to emerge.

An Overview of the Digital Instrumentation and Control Systems at the Zaporizhzhia Nuclear Power Plant

Nuclear reactors and digital safety I&C systems are complex topics, so in this publication, I’ll assume the reader has some prior knowledge of them, as providing a detailed explanation would be impractical. However, if that’s not the case and you’re truly interested, I published a 138-page research paper titled 'A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors' four months ago. It’s freely available and covers both the physics and cyber behind nuclear power plants. Many of the concepts referenced in this post are comprehensively explained in that paper.

The plant consists of six VVER-1000 (V-320) reactors, each with a capacity of about 1,000 MW. The VVER-1000 (aka WWER-1000) is a type of pressurized water reactor (PWR) developed by Russia. This family of reactors is Russia’s flagship fission reactor design, and its name originates from “Water-Water Energetic Reactor” (Vodo–Vodyanoi Energetichesky Reactor), as it uses light water as both moderator and coolant. Therefore, without delving into discussions about safety culture, it seems clear from a technical perspective that Russia can be assumed to have a full understanding of the technology and of how to operate this type of plant.

However, as I previously mentioned, Ukraine decided to implement a modernization strategy where the digital Instrumentation and Control (I&C) systems deployed in its nuclear power plants would be designed and built by Ukrainian companies.

These companies, Radiy and Impulse, chose different approaches for their respective I&C safety platforms.

1. Radiy’s RadICS is an FPGA-based platform, which was approved by the U.S. NRC, so it can be deployed in U.S. nuclear facilities. This I&C platform has been used to implement nuclear safety systems, such as the Reactor Protection System, both in Ukraine and in other European countries.

2. SRPA Impulse’s safety (and non-safety) I&C platform is a microprocessor-based (Intel Atom) platform primarily used in Ukrainian nuclear power plants, including ZNPP.

When it comes to cyberattacks, there are significant differences between FPGA-based and microprocessor-based I&C systems. The latter allows reprogrammable logic, which can typically be updated remotely, potentially enabling malware-based attacks (e.g., Trisis-like implants). In contrast, the logic in FPGA-based systems is generally considered immutable once deployed, although settings such as setpoints can still be remotely configured. However, in both cases, additional security mechanisms (e.g., permissive signals or interlocks) are in place to prevent both inadvertent and malicious changes, often requiring the manual activation of a mechanical component like a key switch.

Typically, companies that design and implement digital I&C systems use a common base design, depending on the type of reactor, which is then customized to meet the specific requirements of the plant. The following image illustrates the base design used by Impulse for its I&C platform, which has been almost entirely implemented at the ZNPP.

I’ve highlighted five different blocks to provide some details.




1. Nuclear Island
Here we find the Nuclear Steam Supply System. This consists of the nuclear reactor, most of its support, operation, control and safety systems, as well as all those components necessary to produce the steam that flows towards the turbine.

Remember that in a PWR, light water is heated by the heat generated from fission reactions in the nuclear fuel, and this heat is used to boil additional water in the steam generators. The high-quality steam generated is used to drive a turbine, located in the “Conventional Island”, that will generate the electricity that is injected into the grid.


2. Conventional Island
This part would be similar to any other Rankine-based thermal power plant, although it may also contain systems and components that contribute to the safety of the reactor.

The steam generated in the nuclear island then flows through the Main Steam Isolation Valves (‘shutdown valves’ in the picture), which we can consider the boundary between the nuclear and conventional islands, towards the turbine.

Please note that there is a physical separation between the Conventional (Turbine) and Nuclear (Reactor) islands: they are located in different buildings, and the Nuclear Island includes the reactor containment. So, when something goes wrong inside the Conventional Island, it is assumed that it will not have a direct impact on the safety of the reactor. Therefore, the security and safety requirements for the turbine control systems are significantly different (more relaxed) compared to the digital safety I&C systems (Reactor Protection System / Engineered Safety Features Actuation System) of the reactor. However, this does not mean they are completely independent of each other. In fact, this difference in security requirements can be leveraged during a cyber-physical attack.

For example, if the reactor is tripped, the turbine cannot continue operating because its steam demand would no longer be met, causing a load imbalance. Similarly, if the turbine is tripped, the reactor cannot maintain the same power level, as the steam buildup would lead to a dangerous pressure increase in the secondary circuit. As a result, the reactor will automatically shut down, and the steam will be vented to the atmosphere and/or diverted to the condenser. This is what occurred recently at the UK's Heysham 2 NPP.

3. Reactor Protection System / Engineered Safety Features Actuation System
These critical safety systems serve as the main line of defense for the reactor, protecting against anticipated operational occurrences that could escalate into a severe accident. They are complex systems, comprising many different subsystems, sensors and actuators. If malicious actors can override the implemented logic of the ESFAS, there is a chance they could create the specific conditions needed to cause a severe accident in the reactor.

The image below shows Impulse’s design of a single channel (there are 4 redundant channels). We can find two different trains (A and B), which in turn implement the required diversity (to avoid the worst-case scenario of a Common Cause Failure) by using two different microprocessor-based industrial controllers: MSKU-3 and MSKU-4.


As in other controllers used in the nuclear industry, the MSKU comprises different modules:


  • KMp - The ‘brain’ of the MSKU. This module contains the main logic. Its microprocessor (Intel Atom) loads the custom real-time system and application software from flash memory.
  • MSO - Digital and analog I/O.
  • MSv - Communications module, which implements an optical Ethernet interface to isolate potential electrical faults.
  • MKO - A ‘watchdog’ module that monitors the operability and status of the equipment within the cabinet.


Another crucial element is ISAPR, Impulse’s engineering tool. It can be used to modify settings, develop new application software, and analyze and maintain these controllers. Such engineering tools are typically installed on a Service Workstation, located in a designated area of the Main Control Room or in an adjacent room for technicians.


4. Main Control Room

The MCR is the central location for monitoring, controlling, and operating the entire plant. Impulse's Process Information System is referred to as IVS.


Conclusions

The occupation of the ZNPP has provided Russia with the opportunity to access a Ukrainian-designed digital I&C system, not only deployed at the occupied plant but also in other Ukrainian nuclear power plants still under Ukraine’s control.

If restarting the ZNPP has always been on the table for Russia, it’s plausible that the hardware, software, and network configurations of these I&C systems have been—or are being—carefully studied by Russian nuclear engineers in order to master a key Ukrainian technology for ensuring the safety and efficiency of the plant.

From a cyber perspective, it’s equally plausible that other types of Russian engineers—such as reverse engineers—have had the opportunity to study these systems as well. As we’ve seen, the RPS/ESFAS have redundant channels, so it would be entirely feasible to take one channel offline to dump flash memories from the MSKU controllers without compromising plant safety.

Additionally, other software crucial for developing offensive operations, such as the ISAPR engineering tool, IVS, or NOCS, could have been easily collected from various workstations throughout the plant.

In light of this situation, we have two possible scenarios:

1. Russia keeps ZNPP

Unless hostilities cease, it is unlikely that ZNPP can be restarted. In the current context, the low-intensity but periodic drone attacks on the plant might be part of a strategy by Ukraine to prevent Russia from operating a fully functional plant.

However, if the war ends and ZNPP remains indefinitely occupied by Russia, Ukraine could opt to use non-kinetic, retaliatory cyberattacks to prevent—or at least complicate—Russia’s efforts to restart or operate the plant. Ukraine could leverage its deep understanding of the Ukrainian-designed digital I&C systems deployed at Zaporizhzhia to execute such operations effectively.

Russia, on the other hand, could leverage vulnerabilities and intelligence gathered from analyzing ZNPP's digital I&C systems to carry out destructive/disruptive attacks against other Ukrainian NPPs, similar to those previously launched.

If you're curious about what a cyber-physical attack against a PWR might look like, the 'SLOCA via Pressurizer’s PSRVs' approach I elaborated on in the paper also appears feasible for a VVER-1000/V-320.



2. Ukraine recovers ZNPP

If the armed conflict ends and Ukraine regains control of ZNPP, there will likely be a tremendous effort to conduct a forensic analysis of the I&C systems to ensure Russia did not leave behind backdoors or malicious payloads. This assumes that the decision is made not to deploy entirely new I&C systems, which might be the best option.
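As an added example of one step in such a forensic effort (written for this page; not code from the post, Impulse, or Radiy), the Python below cross-checks firmware dumps taken from the redundant channels of a safety system. When a trusted golden image exists it is the reference; when it does not, the image shared by the majority of channels stands in for it, which works because the redundant channels of one train are supposed to run identical software. The output names each outlier channel and the blocks in which it differs, so the analyst knows where to start rather than diffing megabytes by hand. The byte images, the block size and the channel names are constructed for the illustration.

```python
"""Cross-check firmware dumps taken from redundant safety channels.

Constructed example: the images are synthetic byte strings, not real controller
firmware; the block size and the 'majority image is the reference' rule are
assumptions made for the illustration.
"""
import hashlib
from collections import Counter
from typing import Dict, List, Optional

BLOCK = 256  # assumed granularity for localising a difference; real flash pages vary


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hashes(image: bytes) -> List[str]:
    """Hash fixed-size blocks so a divergence can be localised, not just detected."""
    return [sha256(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]


def majority_reference(dumps: Dict[str, bytes]) -> Optional[str]:
    """Whole-image hash shared by most channels, or None when there is no clear majority."""
    counts = Counter(sha256(img) for img in dumps.values()).most_common()
    top_hash, top_n = counts[0]
    if len(counts) > 1 and counts[1][1] == top_n:
        return None  # tie: the dumps alone cannot tell us which image is legitimate
    return top_hash


def find_divergent(dumps: Dict[str, bytes], golden: Optional[bytes] = None) -> Dict[str, List[int]]:
    """Return {channel: [differing block indices]} for every channel that does not
    match the reference. Without a golden image, the majority image is the reference."""
    if golden is None:
        ref_hash = majority_reference(dumps)
        if ref_hash is None:
            raise ValueError("no majority image among channels; supply a golden reference")
        golden = next(img for img in dumps.values() if sha256(img) == ref_hash)
    ref_hash = sha256(golden)
    ref_blocks = block_hashes(golden)
    report: Dict[str, List[int]] = {}
    for ch, img in dumps.items():
        if sha256(img) == ref_hash:
            continue  # identical to the reference, nothing to report
        blocks = block_hashes(img)
        common = min(len(ref_blocks), len(blocks))
        diff = [i for i in range(common) if ref_blocks[i] != blocks[i]]
        # a length mismatch means every block past the shorter image is suspect too
        diff.extend(range(common, max(len(ref_blocks), len(blocks))))
        report[ch] = diff
    return report


def build_sample_dumps() -> Dict[str, bytes]:
    """Four synthetic dumps; channel III has four bytes altered inside block 2."""
    base = bytes((i * 7 + 3) & 0xFF for i in range(4 * BLOCK))
    tampered = bytearray(base)
    tampered[2 * BLOCK + 10:2 * BLOCK + 14] = b"\x00\x00\x00\x00"
    return {"I": base, "II": base, "III": bytes(tampered), "IV": base}


if __name__ == "__main__":
    dumps = build_sample_dumps()
    for ch, blocks in find_divergent(dumps).items():
        print(f"channel {ch} differs from the majority image in blocks {blocks}")
```

Two caveats the code makes explicit: a two-against-two split gives no majority, so the function refuses to guess and demands a golden image, and a dump that is shorter than the reference is reported as divergent in every missing block rather than silently passing on the bytes it does have.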

In any case, Ukraine should assume that its core I&C technology might be compromised and adjust the defense of its NPPs accordingly.