October 31 ‒ It has been over 48 hours since Pukhraj Singh, a former officer in the National Technical Research Organisation (NTRO), India's key federal agency that deals with cybersecurity and other intelligence challenges, sounded an alert about a 'domain-controller level access' at the Kudankulam Nuclear Power Plant (KKNPP) located at the country's southernmost tip.1
Singh based his claim on a report made public by cyber-security website VirusTotal.2 He also claims that he had notified the National Cyber Security Coordinator (NCSC) almost two months ago, on September 3rd, about witnessing a massive cyber attack breaching India's crucial infrastructure.3 This attack apparently included other targets, at least one of which was more frightening than the KKNPP, according to Singh.4
Besides getting publicized widely in the media, Pukhraj Singh's attempt to highlight the development was lauded and retweeted by renowned national and international security experts5, including Google's Security Researcher Silas Cutler.6 The opposition MP Shashi Tharoor also raised the issue and demanded that the government put out a public explanation.7
Meanwhile, online media dug out a few more facts about the episode.8 The security firm, Kaspersky had stated in September that it had detected a spy-tool named DTrack infiltrating India's financial institutions and research centers. DTrack can be used as a malicious 'Remote Administration Tool (RAT)', Kaspersky said.
Official flip-flop, wordplay and unanswered questions
The immediate response from the Indian authorities was one of outright denial. KKNPP's operator, the government-run Nuclear Power Corporation of India Limited (NPCIL), issued a press statement on October 29 terming the revelation 'false'. The NPCIL claimed that since KKNPP control systems are stand-alone, meaning they are not connected to the network, they are not vulnerable to any such breach.9 In doing so, the NPCIL skirted two crucial issues – first, stand-alone systems are not immune to intrusions – as was seen in Iran's Bushehr reactor; and second, the NPCIL statement did not rule out the presence of malware in its IT-based 'domain control systems' that are outside the core Power Plant Control Systems and which are still crucial for running the reactors.10
Understandably, this denial did not quell the widespread apprehensions, speculations and questions which were being voiced by citizens on social media. Soon, the Indian Express quoted 'senior government officials' as having admitted that a recent audit, whose report is yet to be published, had in fact, found a cyber breach.11
As the cacophony grew louder, the NPCIL put yet another statement on its website, hyperlinked plainly as 'press release' on its home page, perhaps to purposefully downplay the episode, while admitting to the infiltration by the malware.12 This press statement raises more questions than it answers. It states for instance, that while a personal computer of a 'user' who was connected to the IT-enabled administrative network had been infiltrated, the critical internet network of the plant itself remained isolated. Cybersecurity company, VirusTotal has dumped the data scraped by it in this case on its Twitter handle where the user has been identified as 'KKNPP administrator'.13
While the NPCIL's late admission raises crucial issues about administrative probity and laxity, the more alarming aspect is the admission that "identification of malware in NPCIL system is correct". This might imply, given the NPCIL's habitual wordplay, that not just the KKNPP, but the administrative and domain control systems of all nuclear plants and other facilities run by the NPCIL across India might have suffered from or have been vulnerable to this cyber-attack. An analysis in Asia Times claims that the DTrack found in this episode is highly sophisticated and was customized for the KKNPP.14 However, after the NPCIL's press statement, it cannot be ruled out that the nation-wide administrative network of India's nuclear facilities might have been compromised.
The NPCIL's claim that the breach is confined to the administrative network and the control and safety network remains untouched is hard to digest. Last year, the Nuclear Threat Initiative's (NTI) report underscored that cybersecurity risks to powerplants have multiplied since the Stuxnet episode in 2010.15 Stuxnet's biggest target was India although the Iranian case attracted more international attention for geopolitical reasons.16 At the time, Forbes Magazine had carried a story suggesting that Stuxnet had killed India's communication satellite.17
More recently, a Chatham House report delved deeper into cybersecurity challenges for nuclear plants and highlighted "low levels of cyber incident disclosure, creating a false sense of security" as a crucial challenge for the nuclear sector.18
The Indian authorities' flip-flop does not inspire any confidence in this context. The NPCIL has been notorious for its opacity19 and cover-ups20. Within four days of the Fukushima accident in 2011, the NPCIL's top-brass organized a press conference in Mumbai and claimed that "there was no nuclear accident" at Fukushima, even as the accident in Japan took a turn for the worse and the Japanese government had remained tight-lipped.21
Kudankulam: Threats beyond Dtrack
While some commentators seem justifiably concerned about the DTrack being ransom-ware as in Sony's case earlier and being a reason for the unprecedented and frequent shut-downs of the KKNPP ever since it was commissioned in 2013, amid massive grassroots protests, the network-related vulnerabilities of the Russian-imported nuclear plant might run deeper.22
All that NPCIL has clarified so far, is that in the current episode, the compromised windows PC, known for its vulnerabilities and Microsoft's voluntary collaborations with US security agencies, was not connected to the KKNPP's internal network system. However, even for the reactor-level information network, the Kudankulam plant uses imported Operating Software (OS) that opens up ways for infiltration and even deliberate manipulation by external forces.
While the automated control systems in Kudankulam have been supplied by the Rosatom affiliate Automated Control Systems (RASU)23, this subsidiary of Rosatom is just a system integrator ‒ it sources software and systems from other corporations such as Areva, Mitsubishi and Seimens.24 Areva, the French nuclear giant, has been supplying major Instrumentation and Communication Systems (ICS) to the Russian nuclear industry for a long time.
For the Novovorenzh II reactor in central Russia, which is based on Kudankulam-type VVER design, Rosatom sources Instrumentation and Control Systems from Areva.25 This suggests that TELEPERM XS, the digital reactor protector system developed by Areva NS is used in the new generation VVERs. Similarly, the German company Siemens has also supplied its SPPA digital systems for VVER type nuclear plants in several countries of the world.26
While there might not be anything inherently scandalous in the Indian nuclear operator using foreign-supplied crucial digital systems, the case of Kudankulam and NPCIL begs a series of questions that begin thus: Why is the NPCIL so secretive about the imported digital systems being used in Kudankulam? Making public such information is almost a norm globally, and is meant to instill confidence among citizens.
During the intense people's protests in the run-up to the commissioning of the Kudankulam plants between 2011 to 2013, the local citizens' organization, Peoples' Movement Against Nuclear Energy (PMANE) had filed repeated Right To Information (RTI) queries asking for the safety assessment report and other important documents pertaining to plant safety, and had reiterated its demands when the government initiated a dialogue with citizens which later turned out to be nothing more than an exercise in public relations as well as an attempt to buy more time prior to the regional elections before unleashing brutal violence against the peacefully protesting communities.
Both the NPCIL itself and the official delegation deputed for the purported 'dialogue' had refused to meet this basic demand. India's then Chief Information Commissioner, Sailesh Gandhi, even wrote an open letter to the Prime Minister calling the protesters' demands a fundamental democratic right and expressing dismay over the government's unyielding attitude.27
In the KKNPP, either the Russian corporation Rosatom is using Areva's or Siemen's ICT systems or has installed an independent system purely built by itself. The reactors in Kudankulam have been supplied to India on a turn-key basis so it can be assumed that India has not used an indigenous ICT system. Whatever might be the case, the Instrumentation and Control Systems are crucial parts of a nuclear reactor's functioning and any trouble in them can potentially lead to major accidents and even meltdowns. Failures or weaknesses of ICTs can definitely compound any other problems in the power plant and situations can spiral out of control.
It is important to recall that Kudankulam is among the several reactors for which sub-standard equipment was supplied between 2007 and 2010, owing to a major corruption scandal that had blighted the Russian nuclear industry involving a supplier named Zio-Podolsk.28 This crucial issue was raised by the protesters, independent experts as well as the retired head of India's nuclear regulatory board, Dr. A Gopalakrishnan.29 Although these concerns were brushed aside by the government then, the companies supplying digital systems for the KKNPP must have taken it into account and may have insisted that they did not want to get embroiled in a future crisis, especially since the Indian Nuclear Liability Act has an exceptional clause holding suppliers liable in case of an accident.
If, in this scenario, the NPCIL has an arrangement with foreign ICT suppliers, which is less-than-formal and discreet and is therefore shrouded in secrecy, it might also lead to issues such as reliability of regular updating of the digital systems in the KKNPP's crucial plant control systems. Cybersecurity is a dynamic challenge and India must ensure that its systems are reliable, upgradable and that, suppliers remain accountable.
On the contrary, the Modi government has been attempting to dilute the Nuclear Liability Act as both the domestic and international nuclear vendors and suppliers have been insisting on a playing field free of liability.30 Additionally, the Modi government has introduced amendments to the Right to Information Act that will allow the NPCIL to be more opaque.31 India's nuclear establishment had been militating against the RTI Act ever since it came into existence.32
Thus, the NPCIL's opacity has far more serious implications than imagined in the current mainstream discourse. DiaNuke.org revealed, back in 2013, the connection between Kudankulam and Stuxnet, and the much deeper cyber vulnerabilities and safety challenges that it implies: "At Kudankulam NPP the same turbines of type К-1000-60/3000, made by Power Machines, are used as they are in Iran's reactor at Busher, the alleged target of the virus. Siemens owns 26% of Power Machines. Software made by Siemens is used to steer these turbines, Stuxnet expert Langner presumes."33
To put things in perspective, the Stuxnet infiltration in the Iranian reactor at Bushehr was widely believed to have happened via the Russian nuclear vendor Atomsroyexpert's systems.34
The NPCIL must come clear on the larger issue of suppliers and systems involved in the KKNPP. Transparency is a pre-requisite when the safety of millions of Indian citizens is at stake. Also, the foreign control of crucial infrastructure is an important aspect that simply cannot be ignored.
Reprinted from DiaNuke.org, 31 Oct 2019: www.dianuke.org/cyber-vulnerability-of-kudankulam-nuclear-plant-risks-mo...