On Tuesday, India’s largest nuclear power station, the Kudankulam Nuclear Power Plant, pushed back on unconfirmed reports that it had suffered a cyber attack. The plant, located in the southern Indian state of Tamil Nadu, issued a statement that said reports of a cyber attack were “false information … being propogated (sic) on the social media platform, electronic, and print media.”
A statement attributed to R. Ramdoss, the training superintendent and information officer at the plant, clarified that “Kudankulam Nuclear Power Project (KKNPP) and other Indian Nuclear Power Plants Control Systems are stand alone and not connected to outside cyber network and Internet,” apparently asserting that physical separation from global networks—or “air-gapping”—would suffice as a protective measure.
“Any Cyber attack on the Nuclear Power Plant Control System is not possible,” the statement continued. “Presently, KKNPP Unit-1 &2 are operating at 1000 MWe and 600 MWe respectively without any operational or safety concerns,” the statement concluded.
One of the reports on a purported cyber incident at the plant suggested that the North Korea-linked Lazarus Group may have been behind an intrusion. The report cited an unverified online data dump.
The official denial of any cyber attack rests on the notion that a physically separated power plant system is invulnerable to cyber attack. While this may be true for remote attacks, it does not protect against physical intrusion, whether by malicious actors who tamper with the systems directly or by those who seek to install malware from the inside. In September 2019, the U.S. Department of the Treasury sanctioned Lazarus Group alongside other North Korean hacking groups known to be related to North Korea’s Reconnaissance General Bureau, the country’s overseas intelligence arm.
“Although many asset owners feel their systems are protected because there is no physical or logical connectivity into critical network enclaves, the networks are very rarely and ever truly isolated,” a March 2019 report from the Fissile Materials Working Group observed. For instance, USB keys or other digital devices may enter and exit air-gapped facilities.
Perhaps the best-known example of a cyberattack penetrating a so-called “air-gapped” nuclear facility was the Stuxnet worm attack on Iran. A report by Yahoo News earlier this year described how the worm managed to penetrate the otherwise air-gapped Iranian enrichment plant near Natanz: by using a human mole.
“Engineers at Natanz programmed the control systems with code loaded onto USB flash drives, so the mole either directly installed the code himself by inserting a USB into the control systems or he infected the system of an engineer, who then unwittingly delivered Stuxnet when he programmed the control systems using a USB stick,” the report noted, describing previously unreported details about a joint American and Dutch effort to disable the plant.
The Indian central government has yet to issue any statement on the reports of an intrusion at the Kudankulam plant. Responding to the reports, Shashi Tharoor, an opposition Indian lawmaker, tweeted that “If a hostile power is able to conduct a cyber attack on our nuclear facilities, the implications for India’s national security are unimaginable.” “The Government owes us an explanation,” he added.