Hyderabad: On October 29, the Kudankulam Nuclear Power Plant (KNPP) issued a press release stating that “some false information is being propagated (sic)…with reference to a cyber attack” on the power plant. This was in response to reports in social media that “mission-critical systems of the nuclear plant had been hit by malware.”
This denial found few takers, and the next day KNPP was forced to put out another press release: "Identification of malware in the NPCIL (Nuclear Power Corporation of India Ltd) system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019."
The issue was then downplayed: "The investigation revealed that the infected PC belonged to a user who was connected to the Internet-connected network. This is isolated from the critical internal network."
While it is true that the functioning of the nuclear plant was not affected, it is instructive to look at a similar and more successful attack on another nuclear facility. One month after President Obama took office in 2009, centrifuges at the Iranian Natanz nuclear enrichment facility began spinning out of control. This is considered the first known use of an offensive cyberweapon by one country against another. Fred Kaplan has outlined some details of this attack in his book 'Dark Territory: The Secret History of Cyber War'.
The worm developed by the Americans to infect the Natanz control systems, later known publicly as Stuxnet, was extraordinarily sophisticated and exploited five previously unknown vulnerabilities (commonly termed zero-day exploits) in the Windows operating system. Figures for the centrifuges destroyed at Natanz vary between 1,000 and 2,000, but the attack set back the Iranian uranium enrichment effort by a few years.
What is important to note in this cyberattack is the preliminary effort that went into its execution. As described by Kaplan, preparations had begun three years earlier in 2006, and the National Security Agency (NSA) "teams had discovered vulnerabilities in the computers controlling the reactor and had prowled through their network, scoping out its dimensions, functions, and features, finding still more vulnerabilities." This is where the cyberattack on the KNPP (and there is no other way to describe it) starts looking worrisome. We still do not know whether the information stolen from the infected computer could be used to facilitate further attacks. Nor does the separation of the infected machine from the plant's control network settle the matter: the Natanz control systems were not connected to the Internet either, and the worm was carried across that gap on removable media.
The stark reality is that the world is today engaged in a quiet but potentially deadly cyberwar in which critical infrastructure that runs a country is at considerable risk. In March 2018, the American Department of Homeland Security and the Federal Bureau of Investigation issued an alert on Russian government's cyber intrusions, “targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."
In June 2019, the New York Times reported, "United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cyber tools more aggressively.”
There are numerous examples that we have entered a dangerous, uncharted territory – the cyberattack on Estonia in 2007, the North Korean hack of Sony Pictures, the Iranian cyberattacks on Saudi Aramco and U.S. banks, the Chinese cyber theft of U.S. military technology, and the suspected U.S. cyber intervention resulting in North Korea’s missile failures in 2016.
Many steps are required to keep India secure from cyber threats, but the start must be made with the indigenisation of hardware and software in our critical infrastructure. Countries are known to implant malware in their IT products before those products are exported to potential adversaries. Glenn Greenwald's book 'No Place to Hide' details how NSA employees intercepted Cisco routers and implanted them with backdoors before shipping them to organisations targeted for surveillance. A Bloomberg report of October 2018 alleged that China's intelligence services had ordered subcontractors in China to plant malicious chips in Supermicro server motherboards bound for the U.S.; Supermicro and the customers named in the report denied it, and no independent confirmation has been published.
Given this danger, many countries have restricted the use of foreign products in critical networks. Beijing has banned government purchases of Microsoft Windows, Apple products, Cisco, and security software from Symantec and Kaspersky Lab. The U.S. has banned Chinese Huawei and ZTE technology products from government contracts.
In India, we have done very little to encourage our indigenous industry. Over 60 percent of the software and hardware used by BSNL is sourced from either Huawei or ZTE. This is despite Huawei having been investigated for hacking a BSNL network in 2014. The Quint, in a 2016 report, revealed that the request for proposal for military communication equipment (Network for Spectrum) had been manipulated to favour Cisco.
We must also address the critical question of which organisation in India is responsible for responding to a serious cyberattack that threatens India's national security. The answer is hazy. If the Indian defence services are responsible for protecting the nation, they must also lead in deterring and offensively responding to serious cyber threats. We have now set up a Defence Cyber Agency, but there is no clarity on the authority and mandate given to it. It would be helpful to take a leaf out of the book of U.S. Cyber Command, one of whose stated focus areas is "strengthening our nation's ability to withstand and respond to a cyberattack."
According to a Data Security Council of India report, 'Cyber Insurance in India', between 2016 and 2018 India was the second most affected country by cyberattacks. Threats will only grow, and we must move quickly to put in place the policies and structures needed to mitigate the impact of a cyberattack on our critical infrastructure.