Did the Crowdstrike fiasco cause Romania's NPP Cernavodă-1 reactor to shut down?
Most probably this is just one of those unfortunate coincidences, but given the timing, I think it's worth taking a look at the facts.
Malware research legend Costin Raiu posted this on his X account, so it immediately got my attention.
The technical information about the incident is scarce. Essentially, all the articles provide the same information, based on a press release published by Nuclearelectrica, the state-owned nuclear energy company. The interesting part is that, apparently, a malfunction in the classic part of the plant automatically led to the reactor shutdown:
Unit 1 of the Cernavodă nuclear power plant was automatically disconnected from the National Energy System in the evening of July 19, 2024 due to a malfunction in the classic part of the plant.
So, what is the classic part? Basically, nuclear power plants are similar to other power plants except for the 'nuclear island', where the Nuclear Steam Supply System (reactor core, pressurizer, steam generators, etc.) is located. Once the steam is flowing towards the turbine, we could be talking about any other power plant. So if we had to define a boundary between the 'nuclear part' and the 'classic part', it could be the Main Steam Isolation Valves (MSIV) located in the steam generator loops.
I came up with the following schema to visualize the idea.
Cernavod? NPP is based on a CANDU 6 design, the only one in Europe. At the moment of the incident, Units 1 and 2 were fully operating but Unit 2 wasn't impacted. Does this mean something? Well, I'd say that's inconclusive.
Unit 1 is older than Unit 2, although they share the same reference design (1997), but Unit 2 incorporated all the improvements developed in the CANDU world after the Unit 1 was commissioned. As a result, there are certain differences between both units, in terms of design, safety and reliability.
We also need to bear in mind that NPP are designed to prevent Crowdstrike-like events, a worst-case scenario known as a 'Common Mode Failure', which would render different parts of the plant unusable due to a single point of failure. Therefore, NPPs use redundancy and diversity as part of their defense-in-depth strategies. We can also see similar approaches in other safety-critical systems such as avionics.
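To make the redundancy-versus-diversity point concrete, here is a small added simulation (mine, not anything from Nuclearelectrica or the CANDU design documents, and a deliberate simplification of real shutdown-system logic): three protection channels vote 2-out-of-3, a channel whose software "family" suffers a fault goes unavailable, and a de-energize-to-trip design reads an unavailable channel as a trip demand. When all three channels share one family, a single bad update trips the plant spuriously; when the channels are diverse, the same fault is outvoted. Channel names, families and setpoints are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    """One protection channel. `family` is the implementation lineage:
    channels of the same family share software and so share its faults."""
    name: str
    family: str
    setpoint: float

def channel_demand(channel, value, faulty_families):
    """Trip demand of one channel. A fault in the channel's family (think a
    bad content update pushed to every instance of one product) takes the
    channel out of service; a de-energize-to-trip design then reads that
    unavailable channel as a trip demand (fail-safe)."""
    if channel.family in faulty_families:
        return True
    return value > channel.setpoint

def vote_2oo3(channels, value, faulty_families=frozenset()):
    """2-out-of-3 voting: the function trips when at least two channels demand it."""
    demands = [channel_demand(c, value, faulty_families) for c in channels]
    return sum(demands) >= 2

# Constructed sample configurations (not the plant's real channel inventory).
REDUNDANT_ONLY = (
    Channel("A", "vendorX", 100.0),
    Channel("B", "vendorX", 100.0),
    Channel("C", "vendorX", 100.0),
)
DIVERSE = (
    Channel("A", "vendorX", 100.0),
    Channel("B", "vendorY", 100.0),
    Channel("C", "hardwired-relay", 100.0),
)

def common_mode_scenarios():
    """Normal process value (50) while vendorX suffers a common-mode fault,
    plus the same fault during a genuine excursion (120)."""
    fault = frozenset({"vendorX"})
    return {
        "redundant_only_normal": vote_2oo3(REDUNDANT_ONLY, 50.0, fault),  # spurious trip
        "diverse_normal": vote_2oo3(DIVERSE, 50.0, fault),                # no trip
        "diverse_excursion": vote_2oo3(DIVERSE, 120.0, fault),            # genuine trip
        "diverse_no_fault_normal": vote_2oo3(DIVERSE, 50.0),              # no trip
    }

if __name__ == "__main__":
    for name, tripped in common_mode_scenarios().items():
        print(f"{name}: {'TRIP' if tripped else 'no trip'}")
```

The point the page makes is the first line of that output: identical channels turn one vendor's fault into a full, automatic trip, whereas diverse channels keep protecting (third scenario) without tripping spuriously (second).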
The articles mention that the Unit 1 was 'automatically' disconnected and reactor stopped at 17:35 (GMT+3). This is relevant for a couple of reasons:
On the other hand, Unit 1 had been reconnected to the grid only 20 days before the incident, after spending a month 'offline' for maintenance works. So it seems a little bit odd to have a shutdown that soon after a maintenance outage.
Based on the information currently available, I'd say the Crowdstrike fiasco is probably not behind this nuclear incident. However, there are certain coincidences that make you raise an eyebrow, so we'll need to wait for further details before ruling it out completely as the root cause.
Yesterday, Cernavodă-1 was finally reconnected. However, unlike with previous automatic shutdowns, this time Nuclearelectrica didn't provide the technical reasons that led to the shutdown. https://www.nuclearelectrica.ro/2024/07/25/reconectarea-unitatii-1-cne-cernavoda-la-sistemul-energetic-national/
Managing Partner at Applied Control Solutions, LLC Emeritus Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame
7 months
The CrowdStrike incident affected HMIs not controllers. There would have been no automatic scram because of the CrowdStrike incident.
Solving Data Protection Challenges | CDPO-CIPP/E | GDPR-DORA-NIS/2...
7 months
One would need to be very dumb to connect a power station to the cloud, but nothing would surprise me these days.