The 2019 cyberattack on the Kudankulam nuclear reactors indicates critical vulnerabilities in cybersecurity for the nation, demanding investigation
The October 2019 cyber attack on a computer system at the Kudankulam Nuclear Power Plant (KKNPP) in Tirunelveli district, Tamil Nadu, by the Dtrack malware paved "new pathways to severe accidents that can result in widespread radioactive fallout." Furthermore, "Attempts to lower this risk would further increase the cost of nuclear power." These statements were made by M V Ramana, Professor and Simons Chair in Disarmament, Global and Human Security, and Lauren J. Borja, a postdoctoral research fellow and MacArthur Nuclear Security Fellow at the Center for International Security and Cooperation at Stanford University. The two affected nuclear reactors were connected to the electric grid in October 2013 and August 2016, and hence the danger of the collapse and destruction of a large segment of the national power transmission and distribution network looms large.
The hack was disclosed by Pukhraj Singh, a former security analyst for India's National Technical Research Organisation, who spotted a VirusTotal upload linked to a malware infection at the KKNPP. The matter is public now. The government had been notified well before that extremely mission-critical targets had been hit. Earlier, in the first week of September last year, he had tweeted that he sensed a casus belli (an act or situation that provokes or justifies a war) in Indian cyberspace, which "sucks at every level". The malware, a version of Dtrack, is a backdoor Trojan developed by the Lazarus Group, an elite hacking unit based in North Korea and allowed to operate by the North Korean government.
KKNPP authorities initially pooh-poohed Singh's tweet and, with a nod from the parent company, Nuclear Power Corporation of India Limited (NPCIL), forthwith released a statement denying that sensitive systems had been compromised. "Any cyberattack on the nuclear power plant control system is not possible", they wrote, and had it published in the major national dailies, but KKNPP had to eat its words the same day and confirm the cyber attack.
The Dtrack malware is not new to India, as it has invaded the banking and financial sectors, but it had never before targeted power plants. NPCIL confirmed that the "Identification of malware in NPCIL system is correct," but tried to play it down, saying that the malware had infected only its administrative network, that it was held at bay from the critical internal network, and that the two networks were isolated.
Borja joined Ramana in questioning NPCIL's argument. Borja's research covers the cyber insider threat to the U.S. nuclear arsenal and examines the effect of new technology on nuclear security; while doing her Ph.D. at UC Berkeley, she constructed an ultrafast laser apparatus for studying fundamental interactions inside semiconductor materials with unprecedented resolution. Ramana, whose stature as a scientist in the same field is globally recognised, had earlier warned against complacency in combating the cyber threat too, stating that the malware was more sophisticated than initially thought and may also have been aimed at retrieving information specifically from KKNPP. Lazarus has a record of attacking power plants in various countries, including South Korea, and is also linked to the infamous WannaCry and Sony breaches. Kaspersky (the anti-virus makers) pointed out the "connected activity from Lazarus to IP addresses in North Korea."
Interestingly, the cybersecurity firm acknowledges that this may be a 'false flag' operation intended to obfuscate the cyber criminals' true location, but this is very doubtful. The targeted nature of the malware version detected on KKNPP computers suggests that there may actually have been a second version of the malware, created from information gathered during the initial infection. By coding in information specific to KKNPP networks, the hackers might have tried to make the second round of malware more lethal. "There is precedent for hackers using a persistent presence on a network to successively unleash more complex and devastating attacks; one example was the devastating cyber attacks in 2015 and 2016 on Ukraine power grid," pointed out Ramana and Borja.
The hackers, obviously keen on eliciting information about the plant, including technical information pertaining to the design of the facility, could inflict major damage on some nuclear installations. The case of the Stuxnet attack, launched by US and Israeli intelligence services in an attempt to sabotage Iran's uranium enrichment programme, is fresh in mind. The possibility of an espionage component, although the most expensive aspect of the entire operation, cannot be ruled out. German control system security consultant Ralph Langner deserves praise for deciphering the Stuxnet attack, whose development cost was roughly estimated at around ten million dollars. Dtrack, aimed at gathering information, might be less costly.
But any quantitative and financial assessment is still nebulous. Rebecca Slayton, in a paper 'What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment', published in the MIT Press journal International Security, noted differences of opinion among scholars on the threat in cyberspace. "Sweeping claims about the offence-defence balance in cyberspace are misguided because the balance can be assessed only with respect to specific organisational skills and technologies. The balance is defined in dyadic terms, that is, the value minus the costs of offensive operations and the value minus the costs of defensive operations. The costs of cyber operations are shaped primarily by the organisational skills needed to create and manage complex information technology efficiently", she inferred.
Views expressed are strictly personal.