Indian nuclear installations, including nuclear power plants, are secure against cyber attacks, the government informed the Parliament earlier this week.
In a written reply to a question in the Upper House of the Indian Parliament, the Atomic Energy Minister, Jitendra Singh, said the country’s nuclear establishment has an already established rigorous procedure for design, development and operation of the systems used in the local installations.
“The safety and security critical for the systems are designed and developed in-house using custom built hardware and software, which are subjected to regulatory verification and validation, thereby making them resistant to cyber security threats”, Singh said.
According to the Minister, the safety and security critical infrastructure of the Indian nuclear establishments, such as control network and safety systems of plants are isolated from the Internet and the local IT network.
The government’s Department of Atomic Energy (DAE) has specialist groups like the Computer and Information Security Advisory Group and the Task force for Instrumentation and Control Security to look after cyber and information security of DAE units. These groups undertake the process of strengthening cyber security of all units under the DAE through hardening of systems and audits, he added.
In November 2020, global cybersecurity company Group-IB had revealed that the hackers who attacked and breached defenses at India’s Kudankulam Nuclear Power Project (KNPP) in Tamil Nadu state last year may have remained undetected for more than six months. The revelation is contained in the Singapore-based Group-IB’s latest Hi-Tech Crime Trends 2020/2021 report.
The first two units at KNPP, operated by state-run Nuclear Power Corporation of India Ltd (NPCIL), have been commissioned in 2014 and 2017, respectively, while construction is underway for the next four units 3-6 of the project whose equipment suppliers and technical consultants are the Russian state atomic energy corporation Rosatom.
Group-IB, which analysed the Kudankulam cybersecurity breach in their previous report on Hi-Tech Crime Trends 2019/2020, said their analysis of an archive containing the remote-administration tool, Dtrack, attributed to North Korean hackers group Lazarus, revealed “that the logs contained data from a compromised machine running Windows that belonged to an employee of the Nuclear Power Corporation of India Ltd (NPCIL).”
News of the hacking was first made public by a former analyst at India’s National Technical Research Organisation (NTRO), Pukhraj Singh. NPCIL had, thereafter, admitted the breach, saying that “identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In (Computer Emergency Response Team) when it was noticed by them on September 4, 2019.”
The KNPP unit 2 was shut down on October 19, 2019, which Group-IB believes is related to the hacking. In a statement issued at the time, NPCIL had said the attack had only affected the network used for administrative purposes, which was separate from the network operating the control systems for the nuclear reactors.
In its report, Group-IB had said: “The nuclear industry is turning into the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.”
In its earlier report for the period 2019-20, Group-IB had said: “In some cases, their (hackers) attacks involved shutting down energy infrastructures or certain facilities in various countries. For example, in 2019, Lazarus attacked a nuclear organization in India, which led to the power plant’s second unit being shut down.”
The malware DTrack was first identified by Russian software solutions provider Kaspersky Labs. In a report published in September 2019, Kaspersky Labs said the malware’s targets included banks and research centres in India.
The operating units 1 and 2 at KNPP are equipped with advanced Russian-designed Pressurised Water Reactors (PWRs) of the VVER-1000 category, each with a capacity of 1,000 MW, while the remaining four units under construction are also proposed to be fitted with VVER-1000 units with more advanced safety features.