Kudankulam Nuclear Plant’s critical digital assets not susceptible to cyber-attack: Experts
Revelations of cyber intrusions in the network of Kudankulam Nuclear Power Plant by a North Korean hacker group had sent the Indian populace into a frenzy. However, the experts associated with the power project have ruled out the possibility of a cyber-attack on a nuclear power plant, as the operating systems of the plant are not connected to the internet.

As the news broke on Twitter, skeptics of nuclear power raised questions about its safety and caused mass concern. The statement by the Nuclear Power Corporation of India Ltd (NPCIL) accepting that malware had been detected in an NPCIL system has been interpreted out of context. The breach was reported on September 4 and investigations revealed that the infected computer belonged to a user who was connected “in the Internet connected network used for administrative purposes”. The point that the system was isolated from the critical internal network was conveniently buried.

“The systems involved in operating the plant are completely independent and are never connected to any other system or the internet. So the possibility of cyber-attack on the systems involved in operating the plant does not exist,” RK Sinha, former secretary of the Department of Atomic Energy (DAE) under whom Kudankulam Nuclear Power Plant’s first unit was connected to the grid, told Nuclear Asia.

Nuclear power facilities use digital and analog systems to monitor, operate, control and protect their plants. Digital assets critical to plant systems for performing safety and security functions are isolated from the external networks, including the Internet. This separation provides protection from many cyber threats.

Elaborating further, he said: “To give a simple example, an automatic domestic washing machine too incorporates a control software that makes the machine respond to various sensors as well as user choices – but it can never be hit by cyber-attack since it does not provide any access to any external network, or internet.” Hence the reports that the hackers had gained controller-level access to the nuclear power station seem exaggerated.

The DTrack malware that infected one computer connected to the administrative system of the nuclear power plant was traced back to the North Korean hacker group Lazarus. Reports have attributed the hacking to North Korea’s interest in thorium-fuelled nuclear power, something that India has long been pursuing. The cyber-intrusion does warrant concern but not paranoia.

India’s safety protocol of isolating the critical operational equipment of the Kudankulam Nuclear Power Plant is similar to those followed at key defence establishments. The Indian Armed Forces also operate on an internal network system that is not connected to any external networks; even the use of Compact Discs and pen drives on the internal network is forbidden.

Laying any doubts about the cyber security of a nuclear power plant to rest, the Managing Director of Zyfra, Pavel Rastopshin, said that the automated control systems of nuclear power plants are not connected to the internet. Zyfra is a Finnish-Russian company that develops industrial digitalisation technologies. “Such systems transmit relevant information ‘outwards’ (including to a crisis center) over special, protected communication channels. Conventional networks, for instance, for accounting workflows, are connected to the Internet. But these networks also exist separately and are not physically connected with automated control systems,” Rastopshin said.

Allaying the fear that many people had following the attack, Rastopshin added: “Nobody can connect to such systems and start illegally managing the nuclear power plant, for instance, by giving commands to extract control rods: the safety system, which is responsible for this, works on unvarying algorithms. Access is forbidden for external carriers.”

India has already reported to the International Atomic Energy Agency (IAEA) about the safety measures.
“Specific guidance has been developed to assist States with the development and implementation of information and computer security programmes as part of their nuclear security regimes. It includes technical guidance on Security of Nuclear Information, Computer Security at Nuclear Facilities and Computer Security Incident Response Planning at Nuclear Facilities.”

As per the Nuclear Regulatory Commission (NRC) of the US, “A cyber-attack cannot prevent critical systems in a nuclear energy facility from performing their safety functions. Nuclear power plants are designed to shut down safely if necessary, even if there is a breach of cyber security. They are also designed to automatically disconnect from the power grid if there is a disturbance caused by a cyber-attack.” The NRC further elaborates on the measures taken for the cyber security of nuclear power plants: “Critical digital assets” that perform safety, security, and emergency preparedness functions at nuclear power plants are not connected to the Internet. When devices like thumb drives, CDs, or laptops are used to interface with plant equipment, strictly monitored measures are in place.

There is no denying that the cyber threat has increased owing to the large-scale digitalisation taking place in nuclear facilities. Hence, cyber risk to nuclear facilities requires constant evaluation and response, especially as the industry increases its reliance on digital systems.

Recognising the dynamic nature of the cyber security field, the International Security Department at Chatham House convened an 18-month study to explore the potential impact of digitisation on, and its implications for, the civil nuclear sector. The report, titled “Cyber Security at Civil Nuclear Facilities: Understanding the Risks” and released in September 2015, enumerated many challenges facing civil nuclear facilities. It identifies the opaqueness in communicating any breach of cyber security at nuclear facilities as the main hindrance in assessing the extent of the problem. It also describes the limited collaboration between the nuclear industry and other sectors that have been making giant strides in cyber security as a glaring lacuna. Calling for an international cyber security regime, the report recommended addressing these problems.

India could also take a cue from the recent cyber intrusion to firewall its cyber security measures at civil nuclear installations and bring them up to speed with present-day threats.