On October 28, cyber attack fears hit the Kudankulam Nuclear Power Plant (KKNPP) when Pukhraj Singh, a former official at the National Technical Research Organisation (NTRO), tweeted that a server computer (domain controller) had been accessed at the plant in Tirunelveli district, Tamil Nadu. His tweet was in response to an account that pointed out a potential attack on the plant’s systems by an online virus called 'DTRACK'. This virus, reportedly developed by a North Korean hacker group called Lazarus, can be used to remotely extract data from a system. The spyware (virus) extracts data such as keylogging, browser history, IP hosts, running processes and all files on a computer. Further, Pukhraj Singh, who is also a cyber security expert, said in his tweet that extremely 'mission-critical targets were hit.
Even as fears of cyber espionage by a foreign actor caused outrage, KKNPP denied the incident on October 29, terming it ‘baseless’. “The software in all nuclear power plants in the country is an independent one and not tied to any external network. It is false propaganda. Both power plants are running now and generating power,” KKNPP told TNM.
A day later, on October 30, the Nuclear Power Corporation of India Limited (NPCIL)— the governing body for nuclear power plants in the country— admitted that a ‘malware’ was identified in one of their systems. NPCIL said that the matter, conveyed to them by the Indian Computer Emergency Response Team (CERT-In) on September 4, was immediately investigated. However, the carefully crafted statement did not categorically say whether the identification of malware was at the Kudankulam plant as had been pointed out by security researchers the previous day.
Thus, the past week saw two government agencies saying two different things and there is still no answer from the NPCIL or the Department of Atomic Energy to the original question of whether a system in the nuclear plant in Tamil Nadu was exposed to a cyber attack. With concerns rising about nuclear security at the southern tip of the country and no answers forthcoming, experts have called for a re-look at the existing policies, both in terms of India’s nuclear regime as well as its cyber security infrastructure.
Speaking to TNM, G Sundar Rajan of Poovulagin Nanbargal, an environmental group in the state, cautions that it is risky to continue running nuclear plants in densely populated areas, when the cause of an untoward incident is no longer just human error or a natural disaster.
He says, “Luckily for us, the malware was detected in an administrative system and not control system. But even in that case, the system is strategically important. That is where information on maintenance routines, nuclear waste, storage, personnel manning the plant, etc is stored. Those who have hacked the system have likely accessed all this data, exposing our vulnerabilities. In 2017, nuclear watch dogs had warned that the Indian nuclear reactors were vulnerable to cyber attacks. Even after this, if our cyber security systems are not failure-proof, it is very risky to run this plant in a densely populated area.”
Echoing the need for up-to-date systems for a highly consequential national security apparatus, Shibani Mehta, defence and foreign affairs analyst at the Bengaluru-based Takshashila Institution questions the preparedness to thwart potential attacks.
“An attack is only as significant as the impact it creates. The incident at KKNPP itself is no reason to panic. It does, however, warrant cyber threats to nuclear plants and brings to question the preparedness to thwart such threats,” she says.
On the question of transparency, she says, “While transparency is critical to public trust, it cannot always be the operating principle, and almost never at the cost of national security. There are procedures to identify and contain threats and protect critical security infrastructure— especially when it comes to cyber and related technology. Governments must continue to strive to stay ahead of the curve and predict and prevent threats new age tech may pose.”
Sundar Rajan, on the other hand, believes that the latest incident presents another opportunity for us to radically re-think our nuclear policy. “Even after investing thousands of crores of rupees in nuclear power over 60 years, we only get 6,000 MW of power from these plants annually. That's very little. A nuclear disaster, however, will not stop at Kudankulam or Tirunelveli, it will affect all of south India. This latest incident only makes our conviction stronger that nuclear reactors and humans cannot co-exist. Only one or the other can exist.” he adds.