Cyber Threats and Nuclear Security in India

Author Name: Etfa Khurshid Mirza | 06 Dec 2019 | Cyber

After the Indian nuclear power plant, it was the Indian space agency that was attacked by suspected North Korean hackers during the Chandrayaan-2 mission. India’s Space Research Organization (ISRO) was warned of the expected cyber-attack during the failed Chandrayaan-2 moon mission. It is not the first time that India’s critical infrastructure has come under attack. Earlier, on October 4th 2019, the cyber-attack on the Indian nuclear power plant was confirmed by India’s National Cyber Security Council. The malware was found at the Kudankulam Nuclear Power Plant (KNPP) in Tamil Nadu. The attack was not admitted when it was first reported in September 2019, which gave cause for concern over a month later. This cyber-attack on the Indian nuclear power plant poses serious questions regarding nuclear security. The attackers acquired high-level access, and it is reported that sensitive, ‘mission-critical’ targets were hit.

In nuclear security, computer-based systems provide nuclear safety and security, material accountancy, system controls, and sensitive information management. Cyber threats in nuclear security target such computer-based systems with the intent of stealing information, or modifying or destroying a specified target, through unauthorized access. Computer security exercised within a nuclear security regime seeks to minimize the risk of cyber-attacks that could contribute to nuclear security events. Cyber-attacks may put at risk the Confidentiality, Integrity and/or Availability (also known as the CIA triad) of the information within computer-based systems. Cyber-attacks therefore jeopardize the ability of these systems to perform their assigned functions. One of the main concerns is Sensitive Digital Assets (SDAs), which are used to store, process, control, or transmit sensitive information. The compromise of an SDA could result in an adverse impact on nuclear security functions.

Nuclear security remains a national responsibility, but all states have an obligation under international arrangements to ensure that their nuclear security is not compromised. In this regard, the Convention on the Physical Protection of Nuclear Material (CPPNM) makes it obligatory to ensure that all nuclear facilities and material remain under stringent security, on par with the best international practices. According to the CPPNM, states should establish mechanisms to protect the confidentiality of information whose unauthorized access could lead to the compromise of the physical protection of nuclear material and other related facilities. It also requires that the computer-based systems used for physical protection, nuclear security and safety, and nuclear material accountancy and control be protected against compromise, consistent with the threat assessment.

In 2016, the International Atomic Energy Agency (IAEA) member states highlighted their priorities, recognized the threat of cyber-attacks against nuclear facilities as a serious concern, and showed commitment to work towards strengthening information security and computer security. Computer-based system vulnerabilities can be categorized as technological, physical protection, and administrative process vulnerabilities. Even if an organization takes measures to protect its systems from attack, prevalent computer vulnerabilities can sometimes lead to cyber-attacks, putting digital assets at risk. To protect information and other supporting elements, the protection of Sensitive Digital Assets (SDAs), which store, process, control, or transmit sensitive information, must be considered. The main aim of computer security is to protect the system from a cyber-attack that could result in severe consequences, such as a degraded capability to prevent, detect, and respond to nuclear security events, or the loss of sensitive information.

An attack on a computer-based system by a virus or other malware with no specific focus on that system or organization is called a non-targeted attack. In such attacks, a compromised system is accessed through an unauthorized external connection, which can compromise emails and other valuable data. In a direct or targeted attack, by contrast, a specific target is chosen, which could be an organization, a system, or even a specific person. In a direct attack, if the adversary is unable to achieve its objective in early attempts, it can target past employees of the organization as well. Persistent attacks are sustained and may involve an early compromise followed by a lengthy period of information collection. This kind of attack can compromise the records of individuals in key positions and keep track of the flow of information, as the attacker may maintain a persistent presence in the system for months.

In the case of the Indian cyber-attack, the virus known as Dtrack was identified, a version of which was also used to infiltrate Indian Automated Teller Machines (ATMs) to steal customers' information. The developers were identified as the North Korean group Lazarus. This appears to be a direct and targeted attack on critical Indian infrastructure, with such attacks happening thrice in two months. The breach of security and loss of information was evident in all these attacks. Linking the cyber-attack on the nuclear power plant to the security of the largest nuclear power plant in India poses grave concerns and raises serious questions regarding India’s implementation of the rules and regulations, which are binding for all member states as per the CPPNM.

India presents itself as a responsible nuclear weapons state which has exercised measures to prevent such incidents, and has built its case for Nuclear Suppliers Group (NSG) membership by claiming an unmatchable record on nonproliferation, nuclear security and safety. This cyber-attack has exposed India’s inherent susceptibilities and its culture of complacency. To cover up its follies, India initially claimed that the most recent cyber-attack was on the administrative side and not the operations side, but these attacks exposed India’s vulnerabilities. In the field of nuclear security, a future attack could be on reactor operations, which could potentially lead to nuclear reactor failure or a meltdown, with serious consequences for the region. Irrespective of where the attack happened, any such successful attempt in a nuclear facility is a serious issue.

The writer is a Researcher at the Centre for Aerospace and Security Studies (CASS), and her area of specialization is Nuclear and Strategic Affairs. She can be reached at cass.thinkers@gmail.com.