Lessons From the Cyberattack On India’s Largest Nuclear Power Plant

Dan Drollette shares an article by two staffers at the Center for Global Security Research at Lawrence Livermore National Laboratory from The Bulletin of Atomic Scientists. “Indian officials acknowledged on October 30th that a cyberattack occurred at the country’s Kudankulam nuclear power plant,” they write, adding that “According to last Monday’s Washington Post, Kudankulam is India’s biggest nuclear power plant, ‘equipped with two Russian-designed and supplied VVER pressurized water reactors with a capacity of 1,000 megawatts each.'” So what did we learn? While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously. There are worrying indications that it currently does not: A 2015 report by the British think tank Chatham House found pervasive shortcomings in the nuclear power industry’s approach to cybersecurity, from regulation to training to user behavior. In general, nuclear power plant operators have failed to broaden their cultures of safety and security to include an awareness of cyberthreats. (And by cultures of safety and security, those in the field — such as the Fissile Materials Working Group — refer to a broad, all-embracing approach towards nuclear security, that takes into account the human factor and encompasses programs on personnel reliability and training, illicit trafficking interception, customs and border security, export control, and IT security, to name just a few items. The Hague Communique of 2014 listed nuclear security culture as the first of its three pillars of nuclear security, the other two being physical protection and materials accounting.) This laxness might be understandable if last week’s incident were the first of its kind. Instead, there have been over 20 known cyber incidents at nuclear facilities since 1990. This number includes relatively minor items such as accidents from software bugs and inadequately tested updates along with deliberate intrusions, but it demonstrates that the nuclear sector is not somehow immune to cyber-related threats. Furthermore, as the digitalization of nuclear reactor instrumentation and control systems increases, so does the potential for malicious and accidental cyber incidents alike to cause harm. This record should also disprove the old myth, unfortunately repeated in Kudankulam officials’ remarks, that so-called air-gapping effectively secures operational networks at plants. Air-gapping refers to separating the plant’s internet-connected business networks from the operational networks that control plant processes; doing so is intended to prevent malware from more easily infected business networks from affecting industrial control systems. The intrusion at Kudankulam so far seems limited to the plant’s business networks, but air gaps have failed at the Davis-Besse nuclear power plant in Ohio in 2003 and even classified U.S. military systems in 2008. The same report from Chatham House found ample sector-wide evidence of employee behavior that would circumvent air gaps, like charging personal phones via reactor control room USB slots and installing remote access tools for contractors… [R]evealing the culprits and motives associated with the Kudankulam attack matters less for the nuclear power industry than fixing the systemic lapses that enabled it in the first place. “The good news is that solutions abound…” the article concludes, noting guidance, cybersecurity courses, technical exchanges, and information through various security-minded public-private partnerships. “The challenge now is integrating this knowledge into the workforce and maintaining it over time… “But last week’s example of a well-established nuclear power program responding to a breach with denial, obfuscation, and shopworn talk of so-called ‘air-gaps’ demonstrates how dangerously little progress the industry has made to date.”