Feeling anxious about the pandemic? Here’s one more thing to worry about…:
[…] According to media reports that began to come out in October 2019, a US-based cyber security company had, on 4 September 2019, informed the Nuclear Power Corporation of India (NPCIL), the operator of all Indian nuclear plants, that an unauthorised actor had breached domain controllers at the Kudankulam nuclear power plant (KKNPP). The initial reaction from plant officials was a complete denial of any malware infection in their systems, since such a cyberattack was “not possible.” A press release from the KKNPP Training Superintendent and Information Officer stated, “KKNPP and other Indian nuclear power plants control systems are stand alone and not connected to outside cyber network and Internet.” But a day later, the NPCIL admitted that there had indeed been a security breach, which had been reported to them by the Computer Emergency Response Team-India (CERT-In). The breach was eventually traced to a malware-infected personal computer that was used for administrative purposes but was also connected to the Internet. Fortunately, as was reported, the PC was isolated from the critical internal network.
Indeed, the Computer and Information Security Advisory Group of the Department of Atomic Energy (CISAG-DAE), which is responsible for the cyber security of nuclear power plants, has long argued that the practice of air gapping, or physically isolating critical computers or networks from insecure networks such as the Internet, is an effective way of securing critical infrastructure. However, several cyber experts have pointed out that this isolation can be undermined by the use of removable media, approved access points for maintenance activities, third-party updates, or even by charging personal phones in the reactor control room. For all its benefits, air gapping obviously does not guarantee adequate security and cannot be a reason for complacency.
Much speculation has taken place after the KKNPP incident about who might have been behind the attack. Several theories abound, and some are backed by analysis undertaken by cyber professionals. Most have concluded that the motive of the attack was theft of information and not sabotage of plant operations. While plant control and instrumentation systems were not compromised in any way, the attack did highlight the challenge of definitive attribution in the case of cyberattacks, a challenge that both state and non-state perpetrators of such attacks can exploit. A further benefit to the attacker accrues from the ambiguity about the purpose of the attack. Even when ostensibly unsuccessful, an incident of this nature nevertheless sends nuclear operators scrambling for patches for perceived vulnerabilities, and thus drives up costs and diverts effort.