This article is written by Himanshu Mahamuni, of Government Law College, Mumbai. This article analyzes the concept of cyberattacks on nuclear plants and the Indian approach to secure its nuclear plants compared to global practices.

This article has been published by Rachit Garg.  

Introduction

The pride of being a nuclear-powered nation brings a high risk of devastating destruction through cyber attacks. The maintenance of nuclear plants with adequate security is even more crucial after its enrichment. Symantec, a software company, in a 2018 report stated that India is amongst the five nations in the world to face cyber threats and targeted attacks. The technical capacity to address these cyber-attacks has become limited against the more sophisticated attacks. An attack at a facility can have serious effects such as undermining the security and operations at the facility and compromising nuclear command and control on the system. Traditional practices majorly depend on physical protection, but in the era of digitalization, cyber security has become equally or even more important. India has an extensive and growing nuclear program. There are currently eight nuclear-capable operational reactors in India, with the Kudankulam nuclear plant being the biggest of all. It is the fifth-largest source of energy in the country. India has already faced a cyber attack on its biggest nuclear plant at Kudankulam. The cyber security challenge is a growing multi-faceted approach in India and it is yet to be mechanized. In view of changing security because of the dynamic manner of attacks, the sensitive nature of information needs to be protected by the technologically advanced infrastructure

In this article, we will discuss the impact of a cyber attack on a nuclear plant with the history of attacks in the past, including the Kudankulam breach. The article mainly focuses on the cyber security India has adopted and compares it with global methodologies compared with successfully developed approaches. The study discusses the way forward and the needed adaptations by India.

Impact of a cyberattack on a nuclear plant

The threats to a nuclear plant range from hardware and software vulnerabilities of operating systems (OS) to faulty defences and network vulnerabilities. The security must focus on actor-specific threats i.e. detecting the source of the threat, that can be insiders and non-state actors such as terrorist organizations, hackers, etc. Incorporation of cyber security infrastructure is essential to prevent and detect any threat before damage which can have the following impact: 

• The impact depends on the level of access gain harnessed by the adversaries. Access to the command and control infrastructure may result in disarming the weapons or initiate an unauthorized launch of weapons.
• Insider threat can be alarming at the same level as that of an external threat. Sharing critical information by exploiting software vulnerabilities and infecting with viruses can be much easier with an inside aid. The threats are required to be dealt with at both the technological and personnel level. 
• Potential harm can result from the most common method of infiltration of malware or viruses into the systems of nuclear plants. Infiltration in the embedded codes of nuclear weapons can be used to neutralize the weapon for use in critical situations of conflicts.
• A cyber attack may act as a disruption to undermine the communication between the operator and the nuclear operating system. Such disruptions may lead to prevention in the flow of information, obtaining confidential information, disruption in dual-use communication, prevention of usage of communication channels in crisis situations.
• The attack on the plant can have an overhauling negative impact on the allies and trusted nations because of distrust in the safety issues. The attack on the nuclear plant may expose the vulnerabilities of not only the victim country but other components of allied countries installed in the plant. The economic, operational, and reputational costs of the attack can be unrecoverable.

History of cyber attacks on nuclear plants

There have been various cyber attacks on nuclear power plants inflicting serious damages.   In 2014, The Monju Nuclear Power Plant in Japan was introduced with malware that stole 20 company-sensitive emails, employee data sheets, and training logs. The same year, Korea Hydro and Nuclear Power offices in South Korea were hacked resulting in the release of technical information. In 2016, a German nuclear power plant, the Gundremmingen plant,  was infected with two viruses that were monitoring systems. 

The most fierce and damage inflicting attack was done on the Iran nuclear facilities in Bushehr nuclear power plant, Natanz in 2010. The attack was executed by the Stuxnet worm suspected to be designed and executed by the US and Israel. The Stuxnet is an internet worm that can infect the system through external devices such as USB sticks. It allows the user to get into the computer network connected by the Internet. The Stuxnet worm targets a particular model of Programmable Logic Controller (PLC) made by Siemens and does not infect the Windows computers. The plant computers were not connected to the internet or external networks because of their air-gapped, closed computer network. The separation of the Natanz network from other networks did not prevent the malware attack. The attack had long-term economic repercussions for Iran in its nuclear program. The attack directly affected the centrifuges of the plant by slowing and increasing its speed and wearing it out faster and suffering damage beyond repair. As a result, the attack slowed down the uranium-enrichment process for Iran and increased international tensions by raising security concerns. 

In 2019, India too faced a cyber attack at its Kudankulam Nuclear Power Plant (KNPP) which is India’s biggest nuclear power plant equipped with two Russian designed and supplied Water-Water Energy Reactors.

Kudankulam nuclear plant cyber attack

The administrative network of the nuclear plant was breached by the attack. The attack did not penetrate any critical damage. The attack was first notified by Pushkraj Singh, an independent Indian cyber security professional. The plant officials initially denied any claims of such an attack. The officials claimed that it can’t be hacked because of the totally isolated network of KKNPP and can’t be accessed by any outside network. This physical isolation of the network is known as Air Gap. But the parent company Nuclear Power Corporation of India Limited (NPCIL) acknowledged a security breach within 24 hours. The NPCIL statement revealed that KNPP was attacked by malware which was noticed by the Indian Computer Emergency Response Team (CERT-In). On investigation of the matter by the Department of Atomic Energy (DAE), it was revealed that a personal computer of a user connected to an internet-connected network for administrative purposes was infected by the malware. 

Expert analysis

According to a Russian cyber security company, Kaspersky, the malware attack was conducted by Pyongyang hackers, Lazarus. The identification of the Lazarus group has not been identified officially, as some of the previous activities of the group are associated with North Korea. 

Alphabet-owned virus scanning website, VirusTotal, reported that a large amount of KNPP data was stolen in the attack. The website recognized it to be part of the DTrack Malware family. This breach may result in more severe subsequent attacks on the critical system more effectively.

A South Korean-based cyber security analyst non-profit intelligence organization, Issue Makers Labs, has suggested that the attack originated from Lazarus by its intrusion toolkit DTrack. The intention of the attack is intended to be either disrupting atomic plants or stealing atomic technologies. The investigation also found that the malware code used the Korean language and the code was already known due to similar use in cyberattacks on South Korean banks and broadcasters in 2013 and on Seoul’s Ministry of National Defense in 2016.

Air Gap network

The networks in the air gap are not supposed to communicate to unsecured external networks. Air gaps do provide a high level of security but they don’t failsafe. Targeted attacks by a determined, well-resourced adversary can easily penetrate security such as this one. External removable media such as USB drives can easily compromise and infect an air-gapped system. The air-gap networks have been reported having failed in the Davis-Besse nuclear power plant in Ohio in 2003. The system was penetrable by various factors such as charging personal phones via the reactor control room, USB slots and installing remote access tools for contractors. The biggest nuclear plant breach, Stuxnet, was evident that the air gap network is of no use to protect the vulnerabilities. The air-gap protection as it failed in the case of Iran and then that of India only prevents attacks on critical computer systems from the non targeted cyber threats but not from determined, well-resourced attacks.  It is because of the practice mentioned in the report by Fissile Materials Working Group that the organization must transfer data into and out of the operational network for the security to work.

Implications of the attack

It is, without doubt, agreeable that India’s nuclear plants are based on outdated cyber defence such as air-gap. The initial denial by the plant officials suggests a sense of complacency and overconfidence in the existing system. The attack did not cause critical damage but if a huge amount of data is stolen from the attack there is a possibility of another subsequent attack with critical impact. The failure to detect and respond to the attack on the nation’s biggest nuclear power plant is an issue of concern of the capability of the system to protect it from cyber-attacks. 

India’s nuclear cyber security policy

The  National Cybersecurity Policy, 2013 released by the Ministry of Electronics and Information Technology (MeitY) articulated the first of its kind framework for cyber national policy. The policy lists out a set of guidelines and objectives. The policy was framed in the wake of the Snowden Leak, which leaked classified information of surveillance programs on numerous nations, including India, by the National Security Agency (NSA) of the US. This leak happened due to low cyber security safeguards. The government announced the setting up of a Defence Cyber Agency at the onset of the policy. The agency is expected to battle cyber warfare and cyber infiltration in India’s nuclear arena. The National Technical Research Organization (NTRO) is trusted to formulate cyber intelligence and cyber counterintelligence. Since its birth, the policy has never been updated for more efficiency. 

A national-level nodal agency, Computer Emergency Response Team (CERT-In) was created in 2004 for cyber security emergency response and crisis management. CERT-In is involved in creating a robust cyber security system in India through international collaborations. The National Critical Information Infrastructure Protection Centre (NCIIPC) is a national nodal agency bought under Section 70A of the Information Technology Act, 2000. The centre facilitates protection to the critical information infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation or distraction. It is also responsible to raise information security awareness among all the stakeholders. The CERT-In and NCIIPC work in close coordination to identify cyber security threats in nuclear installations.

The collaboration needs to be administered and reformed by the policy. However, the policy lacks to correlate the cyber and nuclear security and does not provide a promising safeguard to the plant’s infrastructure. The possible challenges and standards procedures required are missing in the current policy to build strong cyber security in the nuclear areas. The 2019 attack is evident that the present setup is not enough to detect and avert the attack. The Data Security Council of India has submitted a framework towards India’s new National Cyber Security Strategy, 2020. This new policy understands and has acknowledged the nuclear plant and space agency as critical infrastructure. The policy works for the security of national, state as well as small and medium businesses. It invests in research, innovation, and technological development. It has also introduced concepts that were missing in previous policies such as cyber insurance, cyber diplomacy. It aims to build internet infrastructure in India by present development standards. It advocates for cybercrime investigation by the creation of a special law enforcement cadre and promotes various exchanges for comprehensive growth. The new strategy is hoped to protect the nuclear infrastructure and evolve as an all-around solution for cyber threats. 

Protection methodology

New emerging technologies, when used judiciously, significantly increase the surveillance and monitoring capabilities of nuclear plants. The adoption of modern technology improves productivity and safety. The use of tools for modeling and simulation (mod/sim) is an example of a nuclear security system. The mod/sim tools can be used to understand the method that can be adopted by the adversaries to breach the nuclear plant defences. These tools are useful to protect the physical infrastructure of the facility. A country can improve its cybersecurity of nuclear infrastructure by entering into bilateral agreements or organizations like IAEA or international groups.

Bilateral agreements

The nuclear-capable countries must have a cooperation agreement between them. Cooperation is essential to establish communication channels to exchange information about cyber incidents that may raise national security concerns. One such example of agreement is the US-Russia nuclear cooperation agreement, the New START treaty. It is an arms reduction treaty envisioned to focus on minimum use of nuclear warheads. The joint statement released by both countries addresses the national and international challenges of political, military, terrorist, and criminal threats. The treaty was entered in 2011 and in force till 2026. The treaty limits the use of nuclear warheads and allows inspection of the facilities.

Incorporation of such agreements keeps check on each other’s security and drives the country to enhance its security. Communication of data exchange and information is essential to keep transparency and verify if any vulnerable system is exposed to the threat. 

International Atomic Energy Agency (IAEA)

The international group, International Atomic Energy Agency (IAEA) is one of the security organizations that helps to strengthen the nuclear facility’s cybersecurity. It is signed by 173 member nations, including India.

IAEA releases new guides written by experts for implementing computer security measures in nuclear facilities. The support embraces digital technology without compromising on the regime. It improves the capacity to protect, detect and respond to cyber threats. The guidance supports the development and implementation of an integrated national strategy, regulatory approach, and adherent computer security. 

The most sophisticated legal instrument adopted by IAEA in the area of nuclear security is the Convention on the Physical Protection of Nuclear Material (CPPNM). It has been signed and ratified by 161 members, including India. The signatories have legal obligations to protect the nuclear material used for peaceful purposes during international transport; the criminalization of certain offences involving nuclear material; and international cooperation. It calls for international cooperation and assistance for criminal proceedings and physical protection of the system and information sharing in case of sabotage. 

The Nuclear Security Summit

The Nuclear Security Summit was initially commenced by US President Barack Obama in 2010. The number of participants increased from 47 in the first summit to 53 states in the last summit. India has been part of the summits since its inception.

The fourth summit held in 2016 in Washington DC was a prominent summit that presented five action plans namely, UN; IAEA; INTERPOL; GICNT; Global partnership action plans. India’s national progress report in the summit reported on the prominent nuclear security issues. The cybersecurity issue was addressed by India as the growing challenge of threats to computers, networks, and information available in the system as a national priority. Sophisticated products like Secure Network Access System (SNAS) along with onsite cyber security architecture were deployed for protection of the cyberinfrastructure in the country as a result of the system.

Successful cyber-security policies

Japan 

Basic Act on Cyber security (Act No. 104) of November 12, 2014.

Japan’s cybersecurity aims at protection from cyber-attacks and disruption of the social system. The policy ensures free, fair, and secure cyberspace by enhanced monitoring and response capabilities of foreign cyber-attacks; tight examination and verification of external goods and services. The Critical Information Infrastructure (CII) is protected by information sharing between public and private sectors by partnerships. The information-sharing arrangement is strengthened for the protection of nuclear material.

United States

United States Cyber Command

US’s cybersecurity plans to operate domestic and international partner collaboration to defend and advance the national interest. The cyber command measures are to improve supply chain management, risk management, information technology activities, strengthen the security of sensitive government information, and improve transportation cyber security. The nuclear programs are made efficient and integrated by the modernization of its integrated communication.

United Kingdom

National Cyber Security Centre

The UK views cyber security by its practical guidance, responding to cyber incidents with the collaboration of industry experts, and reducing risk by securing private and public networks. Cybersecurity is viewed as a tier-1 threat by the country, with close coordination with the National Crime Agency. To ensure essential services, the individuals and agencies involved in owning and operating critical national infrastructure work closely. The Centre builds resilience to detect, mitigate and contain cyber-attacks to protect civilians. 

Way forward for India

India may take inspiration from experienced nations like Japan, the US, and the UK as mentioned above to strengthen the areas of protection in the cyber protection of nuclear infrastructure. The most common and essential part of improving is the communication between inter agencies such as public and private sector agencies. India should widen its involvement with the private sector domain to decrease its dependency on foreign exports and public sector agencies. The indigenously developed capacity of nuclear energy as fuel will increase capabilities for the use of civilian use. The entry of Industry experts from the field should be adopted by India in the process of cybersecurity policy. 

India must look forward to long-term collaboration with countries with robust mechanisms such as the US and Japan for the exchange of useful information to share the best practices. The multilateral dialogues shall be aimed to develop a regulatory framework for better national security. The information will improve the country’s approach to deal with the threat and counter it likewise. India should build resilient measures and contingent plans to avert the risks. The nuclear cooperation agreements signed by India can be put to use for productive collaboration with like-minded partners such as the UK and Russia to equip better nuclear infrastructure. The agreements allow the exchange of information, expertise, nuclear safety, etc. The joint exercises and workshops for better performance of workers and scientists with world leaders will be crucial to counter cyber challenges. 

The biggest obstacle to the nuclear system in cybersecurity is the proper framework. An unclear framework may lead to vulnerabilities and unawareness of interagency coordination to respond to cyber threats. The cybersecurity measures of nuclear policy must be periodically assessed to test its efficiency to equip nuclear infrastructure and counter its threats. The required amount of focus in the nuclear cybersecurity area must firstly focus on insider threats and the potential physical protections.

In a report by NTI, the group of analysts has listed four overarching priorities that should be adopted in an attempt to protect nuclear facilities from cyber attacks. The priorities are as follows:

Institutionalize cyber security

• Understanding among stakeholders about security should be embedded by creating awareness. Training of staff members for the agenda may reduce the exposure of the vulnerabilities
• The facilities must be defended by graded applications to the systems that are most likely to be targeted. The products and process quality must be increased to keep up with the designed applications.
• The digital system must be designed, operated, and maintained appropriately by determining the expected cyber threat. Development and implementation of processes and practices in cyber security can ensure safety.

Mount an active cyber defence

• An effective active defence strategy should be adopted by learning the lessons from the past attacks on critical infrastructure. The capable system must be able to detect and disrupt cyber intrusion.
• The engineers must determine the most vulnerable that needs the greatest protection by conducting risk analyses and engineering evaluations. The team shall deal in anticipating the next moves and eliminating attack opportunities.
• A highly trained technical staff with a variety of skills shall be hired and retained by the directors of the facility. The government can help in making the technicians available and developing homegrown experts.

Reduce Complexity

• The facility must strive to reduce the complexity at every possible level in controlling critical functions of the program. 
• The situation of complexity should be dealt with with the same level of precision required and documented appropriately.
• The critical functional instruments should be engineered in such a way to ensure that they are least likely to fail. 
• Transitioning to non-digital wherever possible may greatly reduce the risk of cyber attack.

Pursue transformation 

• The old systems that become obsolete should be replaced immediately with systems of increased performance and reliability.
• A new non-digital approach can be developed in cybersecurity that has improved performance characteristics.
• Modern technologies must transform into a system that accelerates high-performance, verifiable, non-digital solutions for critical safety and security functions.

Conclusion

The consequences faced on a nuclear facility by a cyberattack can be far-reaching and serious. The present cyber defence in India is no longer adequate to protect the nuclear plant. The Kudankulam cyber-attack has shown that the defences like air-gap do not ensure all-round protection and can be easily infected. The critical infrastructure of the plant shall be cyber-secure for efficient and protective productivity.

India shall work to build a strong framework that guidelines India’s nuclear cybersecurity. It can be achieved by bilateral agreements with the nations that have successfully framed protective guidelines, joining international organizations such as IAEA or the nuclear security groups to facilitate information and best practices. India can take lessons from the countries that have successfully formulated a cyber security framework such as the US, UK, and Japan. A properly assessed framework by a collaboration of like-minded nations offers an exchange of information for a proper approach. Government can consult the researched reports by experts and adopt the need of the hour for priorities such as the institutionalization of cyber security, mounting of active cyber defence,  reducing complexity, and pursuing transformation. 

Resources

• https://www.vifindia.org/sites/default/files/cyber-attack-on-kudankulam-nuclear-power-plant.pdf
• https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/
• https://www.orfonline.org/research/can-india-address-the-growing-cybersecurity-challenges-in-the-nuclear-domain/
• https
• ://www.nti.org/about/programs-projects/project/addressing-cyber-nuclear-security-threats/
• https://www.nti.org/wp-content/uploads/2016/12/NTI_CyberThreats__FINAL.pdf

---

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

https://t.me/joinchat/L9vr7LmS9pJjYTQ9

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.