Indian officials acknowledged towards the end of October that a cyberattack occurred at the country’s Kudankulam nuclear power plant. An Indian private cybersecurity researcher had tweeted about the breach three days earlier, prompting Indian authorities to initially deny that it had occurred before admitting that the intrusion had been discovered in early September and that efforts were underway to respond to it.
According to the Washington Post, Kudankulam is India’s biggest nuclear power plant, “equipped with two Russian-designed and supplied VVER pressurized water reactors with a capacity of 1,000 megawatts each. Both reactor units feed India’s southern power grid. The plant is adding four more reactor units of the same capacity, making the Kudankulam Nuclear Power Plant one of the largest collaborations between India and Russia.”
While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously. There are worrying indications that it currently does not: A 2015 report by the British think tank Chatham House found pervasive shortcomings in the nuclear power industry’s approach to cybersecurity, from regulation to training to user behavior. In general, nuclear power plant operators have failed to broaden their cultures of safety and security to include an awareness of cyberthreats. (And by cultures of safety and security, those in the field—such as the Fissile Materials Working Group—refer to a broad, all-embracing approach towards nuclear security that takes into account the human factor and encompasses programs on personnel reliability and training, illicit trafficking interception, customs and border security, export control, and IT security, to name just a few items. The Hague Communiqué of 2014 listed nuclear security culture as the first of its three pillars of nuclear security, the other two being physical protection and materials accounting.)
This laxness might be understandable if this incident were the first of its kind. Instead, there have been over 20 known cyber incidents at nuclear facilities since 1990. This number includes relatively minor items such as accidents from software bugs and inadequately tested updates along with deliberate intrusions, but it demonstrates that the nuclear sector is not somehow immune to cyber-related threats. Furthermore, as the digitalization of nuclear reactor instrumentation and control systems increases, so does the potential for malicious and accidental cyber incidents alike to cause harm.
This record should also disprove the old myth, unfortunately repeated in Kudankulam officials’ remarks, that so-called air-gapping effectively secures operational networks at plants. Air-gapping refers to separating the plant’s internet-connected business networks from the operational networks that control plant processes; doing so is intended to prevent malware on the more easily infected business networks from affecting industrial control systems. The intrusion at Kudankulam so far seems limited to the plant’s business networks, but air gaps have failed at the Davis-Besse nuclear power plant in Ohio in 2003 and even on classified US military systems in 2008. The same report from Chatham House found ample sector-wide evidence of employee behavior that would circumvent air gaps, like charging personal phones via reactor control room USB slots and installing remote access tools for contractors.
The consequences of a cyber-based intrusion at a nuclear power plant could range from loss of confidential employee or business information to potentially causing a reactor shutdown or physical damage. The industry must realize that cyberattacks can be the main event, rather than simply a means to enable more traditionally imagined threats like physical intrusions. And regardless of the consequences of a given incident, public statements like those from Indian authorities last week that refuse to even admit the possibility of cyberattack will undermine public trust—an existential resource for many nuclear power programs.
Despite speculation about potential North Korean responsibility or escalation with Pakistan, revealing the culprits and motives associated with the Kudankulam attack matters less for the nuclear power industry than fixing the systemic lapses that enabled it in the first place. The good news is that solutions abound: The Nuclear Regulatory Commission has issued guidance for US operators on improving workforce development and performance assessment for cybersecurity at nuclear power plants. And the National Nuclear Security Administration includes cybersecurity in its security assessments at US and international facilities, along with technical exchanges and training programs. It also developed a course on cybersecurity for nuclear power plant operators in partnership with the International Atomic Energy Agency—which has published its own technical guides on computer security, and recently held its first cybersecurity course for nuclear power plant operators.
Countries need not depend solely on international organizations or other governments for this expertise. Public-private partnerships like the World Institute for Nuclear Security and World Association of Nuclear Operators also share information about best practices and can serve as a knowledge conduit for states where nuclear power implicates national security concerns. The challenge now is integrating this knowledge into the workforce and maintaining it over time. But the institutionalization of cybersecurity does not present an insurmountable barrier.
One item to note, however, is that the problem’s scale and complexity are only likely to grow as more states join the nuclear power club. And even with years of experience, no country is immune from succumbing to cyberattack: The incident occurred in a country whose nuclear power program dates back to the 1950s, and previous cyberattacks have struck nuclear facilities in countries with similarly long-established nuclear power programs, including Japan, France, and the United States. That they have still fallen victim to breaches bodes ill for prospective newcomers like Jordan, whose national Computer Emergency Response Team is only two years old. One can expect that nuclear newcomers with less indigenous cybersecurity expertise will need more help from international partners, and will face a steeper uphill climb towards maintaining that workforce.
If there is a silver lining to the recent cyberattack, it is that India now has an opportunity to become a leader in nuclear cybersecurity. India has established the Global Centre for Nuclear Energy Partnership as a forum for bilateral and multilateral cooperation in nuclear security that could be widened to include cybersecurity.
The problem of cybersecurity is not new to the nuclear power industry, and it does not require solutions radically different from those already in place in fields such as finance and commercial aviation. The nuclear industry’s history of safety and security culture, and the body of research on sector-specific cybersecurity recommendations, together can offer a path toward a nuclear power industry that better defends itself against cyber threats. The avenues for fostering cooperation and sharing best practices have been established, as has the need for workforce development.
But the example of a well-established nuclear power program responding to a breach with denial, obfuscation, and shopworn talk of so-called “air-gaps” demonstrates how dangerously little progress the industry has made to date.