cyber-4398481_960_720

Space-based technologies that have civil and military uses are drawing greater interest with more countries entering into this field. Development beyond peaceful uses i.e. weaponization of outer space is a growing concern for the modern world. Around forty countries are using space to provide information support to their communication systems, for scientific and industrial purposes or to develop weapons systems like anti-satellite weapons.

Countries like the US, Russia, China, France, Iran, North Korea, and Japan are engaged in space development programs. Currently, there are around 1,957 active spacecraft, 830 of which belong to the US. Around 280 belong to China and Russia has 147. Around 302 are used for military purposes, whereas 991 are in civil and commercial use.

The scope of war has diversified from land to sea and then air, eventually moving to space. The growing arms race lead to the militarization of outer space. These developments pose serious threats to international security and the prohibition of arms race movements. It has potential long-term political, economic, and military consequences. Countries like the US and Russia are in pursuit of the weaponization of space which will be carried out in numerous phases. There are two main

After the Indian nuclear power plant, it was the Indian space agency that was attacked by suspected North Korean hackers during the Chandrayaan-2 mission. India’s Space Research Organization (ISRO) was warned of the expected cyber-attack during Chandrayaan-2 failed moon mission. It is not the first time that India’s critical infrastructure came under attack. Earlier, on October 4th 2019, the cyber-attack on the Indian nuclear power plant was confirmed by India’s National Cyber Security Council. The malware was found on the Kundankulam Nuclear Power Plant (KNPP) in Tamil Nadu. The said attack was not admitted earlier when it was reported initially in September 2019, which provided a cause for concern over a month later. This cyber-attack on the Indian nuclear power plant poses serious questions regarding nuclear security. The attackers acquired high-level access and it is reported that sensitive targets, ‘mission-critical targets’, were hit.

In nuclear security, computer-based-systems provide nuclear safety and security, material accountancy, system controls, and sensitive information management systems. The cyber threat in nuclear security intends to target such computer-based systems with the intent of theft of information, modifying or destroying a specified target through unauthorized access. Computer security exercised within a nuclear security regime seeks to minimize risks of cyber-attacks that could contribute to nuclear security events. Cyber-attacks may put at risk the Confidentiality, Integrity and/or Availability (also known as CIA triad) of the information within computer-based systems. Cyber-attacks, therefore, jeopardize the ability of the systems to perform assigned functions. One of the main concerns are the Sensitive Digital Assets (SDAs), which are used to store, process, and control or transmit sensitive information. The compromise of an SDA could result in an adverse impact on nuclear security functions.

Nuclear security remains a national responsibility, but all states have an obligation under international arrangements to ensure that their nuclear security is not compromised. In this regard, the Convention on Physical Protection of Nuclear Material (CPPNM) makes it obligatory to ensure all nuclear facilities and material remains under stringent security at par with the best international practices. According to the CPPNM, states should establish mechanisms for the protection of the confidentiality of information, the unauthorized access to which could lead to the compromise of the physical protection of nuclear material and other related facilities. It also requires that the computer-based systems used for physical protection, nuclear security, and safety, nuclear material accountancy and control should be protected against compromise which should be consistent with threat assessment.

In 2016, the International Atomic Energy Agency (IAEA) member states highlighted the priorities and recognized the threat of cyber-attacks against nuclear facilities as a serious concern and showed commitment to work towards strengthening of information security and computer security. Computer-based-system vulnerabilities could be identified as technological, physical protection, and administrative process. Even if an organization takes measures to protect its system from any attack, sometimes the prevalent computer vulnerabilities can lead to cyber-attacks, setting digital assets at risk. To protect information and other supporting elements, it must be considered to protect Sensitive Digital Assets (SDAs) which store, process, control, or transmit sensitive information. The main aim of computer security is to protect the system from a cyber-attack which could result in any severe consequence, like degraded capability to prevent, detect, and respond to nuclear security events, or loss of sensitive information.

A computer-based-system when attacked by a virus or other malware with no specific focus against the system or organization is called a non-targeted attack. In such type of attacks, a compromised system is accessed by an unauthorized external connection which can compromise emails and other valuable data. Whereas, in a direct or targeted attack, a specific target is chosen which could be an organization, a system or even a specific person. In a direct attack, if the adversary is unable to achieve its objective in early attempts, it can target past employees of the organization as well. Persistent attacks are sustained and may involve an early compromise followed by a lengthy period of information collection. This kind of attack can compromise the record of individuals with key positions and keep track of the flow of the information as the attacker may even maintain a persistent presence in the system for months.

In the case of Indian cyber-attack, the virus known as Dtrack was identified, a version of which was also used to infiltrate Indian Automated Teller Machines (ATMs) to steal customers’ information. The developers were identified as the North Korean group, Lazarus. This seems a direct and targeted attack on such critical Indian infrastructure, happening thrice in two months. The breach of security and loss of information was evident in all these attacks. Linking the cyber-attack on the nuclear power plant to the security of the largest nuclear power plant in India poses grave concerns and raises serious questions regarding India’s implementation of the rules and regulations, which are binding for all member states as per the CPPNM.

India presents itself as a responsible nuclear weapons state which has exercised measures to prevent such incidents and has built its case for the Nuclear Suppliers Group (NSG) membership by claiming its unmatchable record on nonproliferation, nuclear security and safety. This cyber-attack has exposed India’s inherent susceptibilities and its culture of complacency. To cover up its follies, India initially claimed that the most recent cyber-attack was on the administrative side and not the operations side, but these exposed India’s vulnerabilities. In the field of nuclear security, a future attack could be on the reactor operations, which could potentially lead to nuclear reactor failure or a melt-down, has serious consequences for the region. Irrespective of where the attack happened, any such successful attempt in a nuclear facility is a serious issue.

The writer is the Researcher at the Centre for Aerospace and Security Studies (CASS) and her area of specialization is Nuclear and Strategic Affairs. She can be reached at [email protected]


Share this article

Facebook
Twitter
LinkedIn

Recent Publications

Browse through the list of recent publications.

Two Faces of the Atom: India’s Nuclear Exceptionalism

ew examples capture the inconsistencies of the nuclear world order more starkly than the events of 2 March 2026: as Prime Ministers’ Mark Carney and Narendra Modi signed a landmark 1.9 billion USD uranium supply deal for India’s civil nuclear sector, Iran was subjected to the third day of indiscriminate airstrikes by the US and Israel under the banner of nuclear non-proliferation, despite Iran agreeing to zero stockpiling of enriched uranium just days prior. This event, unfortunately, was not an isolated one, rather it reflects a pattern of nuclear exceptionalism where certain states such as India, continue to be rewarded for non-compliance with international regulations, while others such as Iran, are censured and even subjected to military action based on hypothetical realities.

The latest deal would see Canada sell close to 22 million pounds of uranium concentrate to India over 8 years, starting in 2027, a sale more than ten times the last Canada-India uranium agreement of 2015, which supplied 7 million pounds of concentrate over 5 years.

Read More »

Data Centres as the New Military Targets in Modern Conflicts

The character of warfare has evolved in tandem with the changing nature of military targets. In early March 2026, Iran bypassed traditional military targets and struck the physical part of the digital infrastructure at Amazon Web Services (AWS) data centres in the UAE and Bahrain. Until now data centres had been considered an unassuming target, as they did not house any military equipment or hardware. However, the US-Israel war on Iran, has transformed these billion dollar sites into high-value targets because of their ability to act as server farms on which adversaries’ websites, apps, AI systems and the entire digital infrastructure run.

Data centres are digital ecosystems where the delivery of cloud services depends on the integrity of physical infrastructure. Disruption in any one part of the shared infrastructure does not remain isolated and risks triggering widespread systemic failure. In the case at hand, Amazon operated multiple availability zones within each region in the United Arab Emirates and Bahrain. Iran struck two of the three availability zones in the UAE, while in Bahrain, a zone was damaged by drone debris causing an extended power outage and connectivity problems that further disrupted service across the Gulf.

Read More »

The Sovereign Shield

Pakistan’s defence industry is gearing up from a localised purchase requirement to a globalising high-tech export industry. For long the military-industrial complex of Pakistan had been dominated by military needs of the border security and the costly importation of foreign technology. This tendency, however, seems to be reversing slowly. Pakistan is attempting to edge closer to a model of self-reliance in this regard in terms of tactical security and geoeconomic rebalancing that is spearheaded by the JF-17 Block III, the Super Mushshak, and the unmanned systems. This is very clear in its international defence contracts of between 10 to 13 billion dollars.

But export headlines simply aren’t enough to succeed. The defence ecosystem of Pakistan is built on the basis of a strategic triangle in which the PAF is the challenging end-user and technological enabler of the defence ecosystem, a nascent domestic defence sector with focus on platforms such as the JF-17 and the overall economy that will have to eventually underpin and benefit of the activity. The first two legs have demonstrated great strength. The most challenging one is the economic leg, however. Export spikes can be short lived unless structural reforms are adopted. It is the work to be done by chance, that is to assemble these three factors in a self-sustaining system.

Read More »