(Bulletin of the Atomic Scientists – By Alexander Campbell, Vickram Singh) – Lessons from the cyberattack on India’s largest nuclear power plant

Indian officials acknowledged on October 30th that a cyberattack occurred at the country’s Kudankulam nuclear power plant. An Indian private cybersecurity researcher had tweeted about the breach three days earlier, prompting Indian authorities to initially deny that it had occurred before admitting that the intrusion had been discovered in early September and that efforts were underway to respond to it. (…)

While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously. There are worrying indications that it currently does not: A 2015 report by the British think tank Chatham House found pervasive shortcomings in the nuclear power industry’s approach to cybersecurity, from regulation to training to user behavior. In general, nuclear power plant operators have failed to broaden their cultures of safety and security to include an awareness of cyberthreats. (And by cultures of safety and security, those in the field—such as the Fissile Materials Working Group—refer to a broad, all-embracing approach towards nuclear security that takes into account the human factor and encompasses programs on personnel reliability and training, illicit trafficking interception, customs and border security, export control, and IT security, to name just a few items. The Hague Communiqué of 2014 listed nuclear security culture as the first of its three pillars of nuclear security, the other two being physical protection and materials accounting.)

This laxness might be understandable if last week’s incident were the first of its kind. Instead, there have been over 20 known cyber incidents at nuclear facilities since 1990. This number includes relatively minor items such as accidents from software bugs and inadequately tested updates along with deliberate intrusions, but it demonstrates that the nuclear sector is not somehow immune to cyber-related threats. Furthermore, as the digitalization of nuclear reactor instrumentation and control systems increases, so does the potential for malicious and accidental cyber incidents alike to cause harm.

This record should also disprove the old myth, unfortunately repeated in Kudankulam officials’ remarks, that so-called air-gapping effectively secures operational networks at plants. Air-gapping refers to separating the plant’s internet-connected business networks from the operational networks that control plant processes; doing so is intended to prevent malware on the more easily infected business networks from affecting industrial control systems. (…)

Despite speculation about potential North Korean responsibility or escalation with Pakistan, revealing the culprits and motives associated with the Kudankulam attack matters less for the nuclear power industry than fixing the systemic lapses that enabled it in the first place. The good news is that solutions abound: The Nuclear Regulatory Commission has issued guidance for US operators on improving workforce development and performance assessment for cybersecurity at nuclear power plants. (…)

If there is a silver lining to the recent cyberattack, it is that India now has an opportunity to become a leader in nuclear cybersecurity. India has established the Global Centre for Nuclear Energy Partnership as a forum for bilateral and multilateral cooperation in nuclear security that could be widened to include cybersecurity.

READ FULL ARTICLE >>> https://thebulletin.org