Across the world, cybersecurity architecture is becoming more complex and increasingly requiring advanced safety mechanisms to protect against system vulnerabilities and potential crises. Cyber threats are one of the greatest challenges in terms of security. This is particularly crucial in the case of nuclear systems as cyber infiltration can render safety and security mechanisms ineffective. This is no different in the case of India, as the country has an extensive and growing nuclear program. Over the years, countries, including India have heavily invested in building robust physical protection mechanisms in the nuclear sector and this has made the likelihood of a cyber or blended attack more likely given the rapid technological advancements in the field. As nuclear infrastructure becomes increasingly more integrated with cyber technologies, the risks of its hacking, disruption, and potential for sabotage also increase. The adversarial goal for any cyberattack is to exploit a system’s vulnerabilities and then control, execute, and maintain a presence. Cyberattacks may result in theft of nuclear/radioactive materials, radiation release due to malicious intent of adversaries, theft of sensitive information about nuclear facilities, reactor designs etc. Access to nuclear facilities through cyberattacks can result in direct physical access to the facility, materials and information which adds to challenges of interconnectedness of cyber and physical nuclear security. India’s civilian and military nuclear programs have varying security procedures with different priorities and levels of secrecy. However, given the sensitive nature of nuclear materials in general, cybersecurity must be an integral part of the country’s nuclear security infrastructure.
To adequately address the cybersecurity challenges faced in the context of India’s nuclear program, it is vital to analyze the current policy framework as well as identify vulnerabilities that the systems protecting the country’s nuclear facilities may be susceptible to. Additionally, looking at notable incidents of cyber breaches at nuclear systems and the lessons learned would provide useful insights to avoid similar threats for India. India can also learn from best practices developed by countries leading the effort such as United States and Japan. Furthermore, engaging with international organizations such as the IAEA and relevant literature emerging from such institutions is essential to strengthen cybersecurity in nuclear systems. The growing cyber security challenges for India’s nuclear facilities require a multi-faceted approach. As the Indian nuclear security and safety infrastructure incorporates cyber technologies, it is essential for policymakers and the industry to engage more deeply with international cyber security practices, collaborate on improving cyber-nuclear security mechanisms with like-minded countries and actively work on building a more robust cyber-nuclear security framework for the country.
The Cyber-Nuclear Security Nexus in India
Cybersecurity gained greater salience in India after the Snowden leaks in June 2013 revealed surveillance by the U.S. National Security Agency (NSA) on multiple countries including India. Since the Snowden leaks and the release of its 2013 Cybersecurity Policy, India has taken steps toward improving its cybersecurity architecture and safeguards. Although cybersecurity does factor into India’s nuclear security architecture, it can be argued that there is limited emphasis on building and strengthening the infrastructure to respond to the rapidly growing and evolving cyber threats. India’s overall cybersecurity policy has remained inadequate in responding to the risks of cyberattacks and infiltration. Cyberattacks in India reportedly rose by 300 percent in 2020, and in February 2021, India made headlines after power outages across Mumbai in the summer of 2020 were linked to a possible hacking of its power grid by China at the onset of the Ladakh standoff.
In 2013, the Indian government released a first-of-its-kind national cybersecurity policy. However, eight years later, this policy has yet to be updated. Although India’s Prime Minister Modi announced that there would be a new national policy outline in 2020 this policy has yet to be released. Additionally, the fact that India’s nuclear domain and its security architecture is shrouded in secrecy means that there is no explicit mention or focus on the nuclear domain in the 2013 policy. Like nuclear policies, cybersecurity practices remain under-discussed in the public domain. It would be disingenuous to suggest that India’s nuclear policy does not have cybersecurity mechanisms in place that are involved in protecting its nuclear systems. India has a Defence Cyber Agency and a National Technical Research Organisation, which are responsible for mechanisms that work to counter cyber risks and threats to the country. Additionally, India has Computer Emergency Response Teams that work with agencies such as the National Critical Information Infrastructure Protection Centre and the National Disaster Management Authority to protect critical cyber infrastructures. The National Cyber Coordination Centre (NCCC) is India’s operational cybersecurity and e-surveillance agency, its main role is in screening communications metadata and coordinating intelligence collection among agencies. Further, India has a Computer & Information Security Advisory Group (CISAG) which is responsible “for conducting periodic audits on information systems as well as provide guidelines for countering cyberattacks and mitigating the impact on India’s nuclear infrastructure.”1
India has established several key agencies to counter the growing challenges on cybersecurity. However, the effectiveness of its cybersecurity policies in the nuclear domain lies with the ability to effectively incorporate cybersecurity, cyber infrastructure, and its operating agencies into the larger nuclear security framework. Efficient and effective cybersecurity mechanisms require cohesive inter-agency coordination to strengthen said mechanisms. It is also essential for government authorities to acknowledge, interact with, and evolve cybersecurity protocols and procedures regularly to reflect a rapidly changing security environment. An effective cybersecurity policy also requires clear demarcation of roles, responsibilities, and contingency plans for short and long-term implementation and altering based on circumstances and technological advancements. Additionally, and most importantly, a renewed emphasis on understanding cyber risks and acknowledging the importance of cyber-nuclear security is essential in the Indian context. To address the aforementioned challenges and requirements, a cyber-nuclear policy must take shape and clearly identify roles and responsibilities across agencies as well as create frameworks to address cyber risks and vulnerabilities, build resilience measures, and contribute to robust contingency planning.
The Dangers of Cyberattacks in the Nuclear Domain
Cyber threats in the nuclear domain present a unique challenge that require adaptive and sustainable mechanisms to mitigate the ever-changing risks. There are several instances of cyberattacks on nuclear systems that allow for countries like India to learn and better prepare the security infrastructure for the rising cyber threats in the nuclear domain.
The instance of cyber threats and attacks in Iran, particularly the 2010 Stuxnet attack on the country’s Natanz uranium enrichment plant, highlight the dangers of cyberattacks and cyber warfare for a country with nuclear systems. Stuxnet emerged as an extremely sophisticated and dangerous malware and deeply impacted the security mechanisms of several countries. More recently, the attack on the Natanz facility in 2021, which targeted the industrial control systems and destroyed the power supply to centrifuges used to create enriched uranium, underscored the sophistication and capabilities of the cyber domain. Keeping the political considerations and implications of these cyberattacks aside, the security implications for such breaches are worrying on their own. It would be in India’s best interest to actively address the imminent risks, drawing from global incidents and using them to further strengthen the country’s security mechanisms and improve or replace outdated and vulnerable cybersecurity technologies, whether it may be administrative computer networks (as witnessed by the Kudankulam incident) or security mechanisms that employ identified risky technologies at nuclear facilities.
As India’s nuclear ambitions expand, so does the possibility of gaps and vulnerabilities emerging in the cyber domain. These vulnerabilities were most notably shown in the 2019 malware attack at the Kudankulum nuclear power plant in Tamil Nadu and on the Indian Space Research Organisation headquarters in Karnataka. The cyber breach was an infection of a modification of a malware known as Dtrack, which has been used to attack financial institutions in India in the past and made by to the North Korea-linked Lazarus group. The incident is a prime example of why countries cannot and must not become complacent with their cyber-nuclear security infrastructure.
Fortunately, the malware was limited to the administrative systems. The failure of the malware to permeate into the plant control or instrumentation is attributed to the preventive access tool known as air gaps. Air gaps refer to “computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet.” However, while air gaps helped prevent a more severe breach in the Kundankulam incident, experts have noted that “many of the traditional methods of cyber defense at nuclear facilities—including firewalls, antivirus technology, and air gaps—are no longer enough to match today’s dynamic threats.” After the incident, CISAG recommended measures for immediate and short-term implementation such as “hardening of internet and administrative intranet connectivity, restriction on removable media, blocking of websites & IPs which have been identified with malicious activity, etc.”
While it is reassuring to note that the critical nuclear system was not breached, the incident raises serious concerns about the vulnerabilities exposed in the attack and possibly lessens the already-limited confidence in nuclear power within the public. Short-term measures, although necessary, do little to increase the overall effectiveness of cybersecurity if not matched with larger longer-term policy changes. These short-terms measures, as recommended by CISAG, are important but reactive. A national cyber-nuclear policy can proactively increase resilience of nuclear infrastructure by updating traditional methods—such as air gaps and firewalls—into a more dynamic cyber-security strategy that engages with the rapidly evolving technology environment.
Cyber-Nuclear Security in the Global Context: Lessons and Recommendations for India
Cybersecurity is not just a national challenge. It impacts countries globally and therefore requires global solutions. In the nuclear context, it is imperative that similar, like-minded nations collaborate, exchange useful information, and share best practices to combat the rising threat of cyberattacks. There are several countries, like the United States and Japan, with highly advanced and robust cybersecurity systems in place for their nuclear systems. Such countries actively engage with the developments and advancements in the cyber domain in order to continuously build resilience measures and contingency planning to address the associated risks. Collaboration with such international actors would provide India with the opportunity to learn and incorporate the learnings and best practices into the context of the country’s cyber-nuclear infrastructure.
In addition to collaborating with the aforementioned countries, with whom India has signed civil nuclear cooperation agreements, India can also collaborate with partners such as the United Kingdom and Russia to better equip its cyber-nuclear infrastructure. These agreements cover several areas of cooperation such as exchange of information, expertise on reactor designs, nuclear safety etc. Given the increasing importance of cybersecurity in the current global nuclear context, India should extend collaboration through these agreements to the cyber-nuclear domain. This can be conducted through technology exchange, exchange of experts, information-sharing agreements, as well as joint exercises and workshops to better equip the security infrastructure at nuclear systems to counter cyber challenges.
Additionally, it would be worthwhile for India to engage more deeply with the private sector in the cyber domain. India has generally limited the involvement of the private sector in the nuclear domain. India’s largely indigenously developed nuclear weapons program and nuclear fuel cycle capabilities for civilian use are wholly controlled by the government. Similarly, the nuclear safety and security framework of the country is entirely under governmental agencies. However, in the case of cybersecurity challenges specifically, there is a lot to learn and adapt into the cyber-nuclear security culture. Private actors—whether it is firms or individual actors—are consistently challenging the notions of cybersecurity due to both malicious and ethical intents. Bringing in industry experts from the field has been a part of cybersecurity policies for countries like the United Kingdom, and India should similarly incorporate their involvement into the country’s cybersecurity policy.
Finally, the primary point of concern for India’s nuclear systems in terms of cyber risks and threats remains the lack of importance given to a clear, concise, and robust policy framework. The lack of a cyber-nuclear policy for India exacerbates issues of vulnerability, lack of education and awareness as well as enhanced inter-agency coordination and response to cyber threats. Cyber threats are constantly evolving, and the dynamic nature of the cyber domain dictates the need for prioritization of cybersecurity in the nuclear security architecture. Cybersecurity requires similar levels of focus and interest within the nuclear domain as issues of insider threat and physical protection.
The Kudankulam incident brought in short-term measures to deal with the problems highlighted by the incident. However, it is imperative that a successful cybersecurity policy works to continually address cybersecurity challenges in a much more dynamic manner which works towards long-term sustainability of said policy to counter cyber risks. India’s current cyber-nuclear set-up does not adequately accord importance to a larger policy framework in order to protect against cyber threats. In this regard, India’s nuclear infrastructure, through a cyber-nuclear policy, must engage in periodic assessments of its cybersecurity mechanisms and its effectiveness in order to better equip nuclear infrastructure against these threats. Given the sensitive nature of nuclear materials and infrastructures, it is important to create policies that offer both short-term and long-term solutions and accommodate change with changing security needs and contexts. Further, collaboration with allies in the field is key opportunity for India to build, improve and evolve its ability to actively respond to emerging threats and risks that are an unavoidable part of the world.
Editor’s Note: This article is part of series of pieces published in partnership with CRDF Global. Articles for the series, written by recipients of the CRDF-SAV research grant in nuclear security, cover topics ranging from cyber security at civilian nuclear energy sites, regional and international cooperation in South Asia, to personnel protection at nuclear sites, and other topics related to nuclear security on the subcontinent.
Click here to read this article in Urdu.
Image 1: IAEA Imagebank via Flicker
Image 2: via Wikimedia Commons