12 June 2020, NIICE Commentary 5309
Simran Kothari
The impact of cyber-attacks on developed and emerging countries is alike. In this article, we shall focus on how an Industrial Control System (ICS) can be hacked even when tightly air-gapped.
An air gap does provide a certain level of protection to a nuclear plant, as in the case of the Kudankulam Nuclear Power Plant (KKNPP), but the gap does not safeguard it entirely. The KKNPP intrusion was possibly conducted by the Lazarus Group, whose activity and IP addresses could be linked directly to North Korea. There are many reasons why a group may want to gain control over India’s nuclear programme, and at the same time there are various reasons not to believe that this activity was carried out by a nation state, particularly North Korea: India is one of the few countries to have good diplomatic and trade relations with North Korea.
Over the last few years, cyber security has been an issue of grave importance for both developed and developing nations. In the previous week, the coincidental shutdown of one of the plants led to speculation that the two events were connected. The initial official response from the plant authorities refuted these reports. Subsequently, officials from other agencies, including the Office of the National Cyber Security Coordinator (NCSC), confirmed them, and the Nuclear Power Corporation of India Limited (NPCIL), the parent body responsible for running nuclear power plants in the country, issued an official press release giving out limited yet important information. The press release stated that the infected computer was used solely for administrative purposes and that no leakage of sensitive information was reported from this breach.
As technological advancements increase, there is an elevated threat of being targeted by cyber-attacks at both the individual and the national level. Generally, as history suggests, cyber-attacks have been conducted by nation states or coalitions of nations in order to ensure superiority over the nation being threatened.
Kudankulam: One Incident, Many Facets (Samuel C and Sharma M, 2019) briefly highlights the issues of cyber security with regard to the nuclear and energy security of a country. Though it is not a comprehensive analysis, it does provide an insight into the world of cyberspace and espionage, their interplay in the present, and the scenarios one can expect in the near future.
Stuxnet still remains a prime example of how even the most advanced air-gapped system can be breached, and of how cyberspace can easily be used by individuals, groups or nation states to penetrate a country, either to attack it or simply to keep track of the activities of a particular nation. Cyberspace is open to all, and till now no structure has been formulated to govern it. Moreover, even if the malware does not reach the main systems, an attack on a personal computer connected to the IT network, which holds day-to-day administrative information, can be a threat to the whole nuclear plant. Since business-sensitive and classified information traverses IT networks and is stored and processed on IT systems, they are an obvious and soft target for gathering sensitive information. That information could further be used in perpetrating malicious and hostile acts which could disable, destroy or compromise computer resources critical to the security or safety of the facility, or it could simply be used for the R&D of some other nation.
The internet remains a space which can be accessed by all nations. It is mostly used for constructive purposes, but in modern times the purpose of the internet has changed. The dark web and cyberspace are used as weapons to threaten the very sovereignty of nations. The fact that the malware could infect an ICS, which might have a deeper impact on the plant, shows how a simple piece of malware can make the whole system vulnerable and exposed to greater risks. Countries today are more vulnerable, as the internet is an open space and more accessible than ever. Countries are now able to go beyond traditional means to assert their authority and are inclining towards more creative and unimaginable ways to win the race for the balance of power. Espionage and secret operations have been part of the culture of countries from the 18th century onwards, but now, while the purpose remains the same, the methods have changed. Global commons, like the internet and cyberspace, have taken the driver’s seat in this modern way of warfare. The case of KKNPP is a good example for studying how the internet, and something like malware or a virus that was often overlooked, can disrupt an entire structure and warrants rigorous investigation if found in critical areas. It also portrays how countries will bend over backwards to make sure they retain their power or elevate their existing position in the power hierarchy. Although the KKNPP incident provides very little information in terms of espionage, it hints that the operation may have run deeper and been aimed at something wider; KKNPP was just one of the points where it was detected.
In the contemporary era, looking for and providing solutions is undoubtedly a much more intense task, and it is getting more difficult with each passing day. The only proactive approach would be stringent measures such as mass surveillance of the dark web and taking cognizance of new threat vectors. Countries do not directly participate but rely on third-party vendors to get their work done effectively. It is natural that they do not want to be blamed in an interconnected world and pay the price of economic, social and political marginalization.
Countries like the US, accomplished enough to identify “red lines” for appropriate and unacceptable cyberspace activity (the key to punishment for dissuasion), have struggled to dissuade attacks against their cyber infrastructure. The principle of dissuasion clearly needs to be updated to make it workable in cyberspace. International cooperation on this particular issue has been much talked about in books and is practically non-existent in practice. The international community needs a greater and more efficient approach to restricting a space which is offering more negatives than positives. But restricting something as common as the internet will be followed by debates on freedom and access to knowledge. There needs to be a consensus on what to do with attackers and nation states, if and when found guilty, to set an example for the community as a whole.
While the Kudankulam attack did not cause damage to critical systems or, apparently, affect the reactors, it revealed that India’s cyber defenses are based on outdated principles such as the air-gap strategy. Early denials by NPCIL officials suggested a sense of complacency about cyber defense, which means that India’s critical infrastructure is vulnerable to attack. Cyber-attacks may increase the risk of military escalation. Since the recent Kashmir crisis, there has been an increase in Pakistani cyber-attacks on India, and Indians have responded with their own cyber operations against Pakistan. Given the low threshold for military escalation between India and Pakistan and the high potential for escalation from cyber to the real world, India may wish to treat the Kudankulam attack as a wake-up call about its vulnerable cyber defenses in nuclear installations and other critical infrastructure.