By Dr Manpreet Sethi*
As the world—pretty much the entire world—grapples with COVID-19, it is clear that the enormity of the pandemic will not leave any aspect of the economy untouched. Inter-state and societal interactions are also expected to feel the impact. Life may never be the same again. An event of almost similar magnitude in recent memory is the one that took place on 11 September 2001, when the twin towers in New York City came crashing down. That incident, too, changed many things, particularly how the world travelled, as many elaborate and inconvenient security restrictions became the norm.
With the current uncertainty generated by the new Coronavirus, it is a good time to spare another thought for the dangers of nuclear security that too can emerge quickly and leave a widely destructive trail. The subject of nuclear terrorism has silently faded out of public sight and political attention ever since the Nuclear Security Summit (NSS) process ended in 2016. Of course, institutions like the International Atomic Energy Agency (IAEA), Interpol, and some arms of the UN have continued to implement action plans that were drawn up when the NSS process wound up. But, over the past four years, there has not been much public scrutiny of the implementation of measures related to the many dimensions of nuclear security. This is too important an issue to let slip out of sight, and any untoward incident that would qualify as an act of nuclear terrorism would yet again have an impact of the kind that 9/11 or COVID-19 have wrought on countries.
The NSS process that lasted through 2010-2016 paid special attention to the securing of nuclear and radiological material through proper material accounting and regulatory processes. National responsibilities were clearly delineated and were to be performed in keeping with some identified international instruments and benchmarks. During these four years, the number of subscriptions to these instruments increased, and countries took pride in showcasing efforts towards the fulfilment of their relevant obligations. Attention was also drawn to the physical security of nuclear sites, including obviating chances of airplane crashes into nuclear reactors, à la 9/11.
The NSS process, however, finished without adequately shining the spotlight on all dimensions of nuclear terrorism. While the chances of theft of nuclear material or physical intrusion into nuclear sites and unauthorised access to orphan radiological material were addressed and sought to be minimised, the possibility of cyberattacks to virtually interfere with nuclear operations did not get as much attention.
In contemporary nuclear threat perceptions, cyber threats to nuclear power plants and facilities as part of a country’s critical infrastructure have significantly grown. With physical access becoming difficult, cyberattacks—which can be long distance, remote-controlled, and non-attributable—have naturally emerged as more attractive. These can be undertaken for purposes of espionage of technological information, data theft from networked systems, or to trigger some sort of malfunctioning of command and control systems, including accidents such as the loss of coolant (LOCA) kind at a nuclear power plant.
While no such incident of great magnitude has yet taken place in the 400-plus nuclear power plants operational across the world, cyber probes of various kinds have, nevertheless, occurred. As per one publication, “There have been over 20 known cyber incidents at nuclear facilities since 1990 all over the world…” A recent such incident came to light in the context of the cyberattack on the Indian nuclear power plant at Kudankulam in September-October 2019.
According to media reports that began to come out in October 2019, a US-based cyber security company had, on 4 September 2019, informed the Nuclear Power Corporation of India (NPCIL), the operator of all Indian nuclear plants, that an unauthorised actor had breached domain controllers at the Kudankulam nuclear power plant (KKNPP). The initial reaction from the plant officials was a complete denial of any malware infection in their systems since such a cyberattack was “not possible.” A press release from the KKNPP Training Superintendent and Information Officer stated, “KKNPP and other Indian nuclear power plants control systems are stand alone and not connected to outside cyber network and Internet.” But, a day later, the NPCIL admitted that there had indeed been a security breach, which had been reported to them by the Computer Emergency Response Team-India (CERT-In). The breach was eventually traced to an infected personal computer that was used for administrative purposes, but was also connected to the Internet. Fortunately, as was reported, the PC was isolated from the critical internal network.
Indeed, the Computer and Information Security Advisory Group of the Department of Atomic Energy (CISAG-DAE), which is responsible for the cyber security of nuclear power plants, has long argued that the practice of air gapping, or physically isolating critical computers or networks from unsecure networks such as the Internet, is an effective way of securing critical infrastructure. However, several cyber experts have pointed out vulnerabilities in this process that may be created by the use of removable media, approved access points for maintenance activities, third-party updates, or even the charging of personal phones via the reactor control room. For all its benefits, air gapping obviously does not guarantee adequate security and cannot be a reason for complacency.
Much speculation has taken place after the KKNPP incident about who might have been behind the attack. Several theories abound, and some are backed by analysis undertaken by cyber professionals. Most have concluded that the motive of the attack was theft of information and not sabotage of plant operations. While plant control and instrumentation systems were not compromised in any way, the attack did highlight the challenge of definitive attribution in case of cyberattacks. This can be exploited by both state and non-state perpetrators of such attacks. Another benefit accrues from the ambiguity about the purpose of the attack. Even when ostensibly unsuccessful, an incident of this nature nevertheless sends nuclear operators scrambling for patches for perceived vulnerabilities, and thus causes accretion of costs and dissipation of energies.
While enough cyber experts are engaged within and outside the nuclear establishment to secure it from cyber threats, it needs saying that cyberspace offers resolute enemies new opportunities to create problems at functioning nuclear plants through sabotage that causes different degrees of malfunctioning. These threats will only increase as greater digitalisation of power plants’ control systems takes place, which is inevitable given the pervasive utilisation of such technologies. The only defence against them can be stringent articulation and implementation of cyber security standard operating procedures (SoPs) by all those involved, and zero-tolerance for any violations by vigilant regulators. Outsiders (adversaries of all kinds) will constantly be on the lookout for vulnerabilities, and the onus will be on the insiders to keep all avenues blocked.
India must remain engaged with the international community on this issue and be part of national or IAEA-driven technical or training programmes. Regular cyber security courses for all plant personnel, depending on their involvement in digital networks, will be critical to imbue the establishment with a cyber security culture. This culture, in fact, must pervade a wider universe that should also include suppliers, vendors, contractors, and even transporters, any of whom could be used by resolute adversaries to sneak in cyberattacks. In the case of nuclear power plants, virtual security is going to matter as much as their physical security.
*Dr Manpreet Sethi is Distinguished Fellow, Centre for Air Power Studies, New Delhi.