Nuclear power plants are one of the most efficient ways to produce energy. At the same time, they can be dangerous because of the potential devastation from a meltdown or explosion. Either scenario would result in a release of radiation onto the surrounding area that could make it unlivable for decades to come. Because of this, it is crucial to protect nuclear facilities from physical damage, as well as from any attacks that come from cyberspace.
In 2019, a nuclear power plant in India — the Kudankulam Nuclear Power Plant (KKNPP) — experienced a cyberattack that was worrying due to the plant’s lack of awareness about its weaknesses. Initially, the KKNPP denied that an attack had occurred, stating that the network was not connected to any other outside networks. However, after some time, the Nuclear Power Corporation of India Limited (NPCIL) admitted that the power plant was breached via a computer that was plugged into an interface at the plant, going against what the KKNPP had previously disclosed. While there were no serious repercussions of the KKNPP hack, this should have been a wake-up call about how devastating an strike on critical infrastructure could be — and just how susceptible it is.
India’s outdated cyber protocols for nuclear power plants
Preventing cyberattacks and deterring threat actors requires a high level of cyber-vigilance. This is doubly true for critical infrastructure, such as nuclear power plants. In the case of the KKNPP, the NPCIL did not believe a cyberattack was possible because it used an air-gap approach to cybersecurity. Of course, as most cybersecurity experts will tell you, protection via air gaps is, and has always been, a fallacy.
An air-gap strategy is when a systems network is closed, meaning there is “no way” to access that network remotely. According to The Washington Post, the NPCIL stated that “the totally isolated network of KKNPP could not be accessed by any outside network from any part of the globe. Hence there was no question of it being hacked.” However, in some ways, this makes those systems more vulnerable than ever. If a threat actor manages to get into a system past the air gap and there is no second line of defense, then the whole system is at risk.
According to the same Washington Post article, the air-gap method can be effective against untrained hackers, but it becomes significantly less effective once targeted attacks come into play. There have been past cases, such as Stuxnet, where a targeted attack occurred on an air-gapped facility.
With the KKNPP, a threat actor was able to get into the plant’s mainframe via an infected work computer carrying malware. While the origin of the attack is unknown, there was a large amount of data taken from the plant’s administrative network. This put the KKNPP at a higher risk of serious damage if another attack were to occur because the threat actors would know where the critical systems of the power plant were located.
One cybersecurity firm, Morgan Lewis, said that the malware in use was Dtrack, which “is capable of logging keystrokes, scanning connected networks and monitoring active processes on infected computers.” Elements of Dtrack have been found in other malware deployed by a North Korean hacking group dubbed “Lazarus Threat Group,” which made North Korea a possible perpetrator of this attack
This is interesting given the strong relationship between India and North Korea. While this could have led to a military response, India’s complacent reaction indicated that they weren’t concerned with future attacks because of their “air-gap” system already in place.
India denied all claims of this being a cyberattack until a month after the incident.
According to The Hindu, a news site for India, the India Computer Emergency Response Team conducted a full scan of the plant systems, stating, “Several measures have been taken for further strengthening of Information Security in administrative networks like hardening of internet and administrative intranet connectivity, restriction on removable media, blocking of websites and IPs which have been identified with malicious activity, etc.”
The events that took place show that critical infrastructure tends to lag behind when it comes to modern cybersecurity processes. In a recent roundtable discussion conducted by Industrial Cybersecurity Pulse, Tyler Whitaker of Leading2Lean discussed inefficiencies, stating, “The real challenge with the capital inefficiencies in cybersecurity right now is related to the fact that the remediation efforts are typically manual. The documentation efforts, to put the structure around what that incident was and what the remediation steps were, is onerous from a labor perspective.”
It often boils down to a lack of comfortability in implementing new and updated cybersecurity protocols that would better protect those critical infrastructures. In this case, however, it’s possible the KNPP also did not understand the need for strong cybersecurity efforts, given the outdated and disproven efficiencies of the air-gap method.
For the sake of India, hopefully this hack was a wake-up call to take cybersecurity more seriously, especially on the level of critical infrastructure and nuclear power plants.