Cybersecurity Goes Nuclear: an Indian Perspective

Source:

THE CHALLENGES OF NUCLEAR SECURITY (2024)

Chapter 7: Cybersecurity and Nuclear Facilities

Pulkit Mohan, Cliff Glantz, Guy Landine, Sri Gourisetti, Ph.D., and Radha Kishan Motkuri


With this report, I continue to analyse and summarise critical information that you, the reader, need to be aware of. This report, which is taken from Chapter 7 of the newly published book “The Challenges of Nuclear Security: US and Indian Perspectives” from Palgrave Publishing, delves into the critical intersection of cybersecurity and nuclear facilities, specifically from an Indian perspective.

What I found crucial in Chapter 7, “Cybersecurity and Nuclear Facilities”, is that this excellent research emphasises the unique challenges posed by cyber threats to nuclear infrastructure and the importance of integrating robust cybersecurity measures within nuclear security frameworks. The authors have done a fantastic job of explaining the challenges of cybersecurity in a nuclear world. I highly recommend that you go to the source and read the whole chapter. But here is a condensed digest, which I hope will get you started.

The key findings of this report are:

  • The interconnectedness between digital technologies and nuclear facilities introduces significant cybersecurity risks that must be addressed to ensure the safety and security of nuclear infrastructure.
  • Historical incidents, such as the cyberattacks on Iran’s Natanz facility and India’s Kudankulam nuclear power plant, underscore the potential severity of cyber threats to nuclear facilities.
  • Effective cybersecurity strategies for nuclear infrastructure require a combination of robust technological safeguards, inter-agency coordination, and international cooperation.
  • India's current cybersecurity measures and policies need substantial enhancement to mitigate the growing cyber threats to its nuclear facilities effectively.

Analysis: an Indian Perspective

Identifying Risks and Vulnerabilities

The complexity and interconnectedness of modern digital technologies have amplified the risks associated with cyber threats to nuclear facilities. Key risks include unauthorised access to nuclear materials, disruption of safety and control systems, and potential radiation discharge. The sophistication of cyber operations, as seen in the 2010 cyberattack on Iran's Natanz facility, highlights the catastrophic potential of such threats.

Key Indicators for Risk Assessment

  • Importance of Instrumentation and Control (I&C) System Functions: I&C systems are crucial for both safety and security. Their compromise can lead to severe consequences, including radiation release and theft of sensitive materials.
  • Threat Identification and Assessment: Understanding the types and sources of threats is essential. This includes state actors, non-state actors, and insiders.
  • System Attractiveness and Vulnerabilities: The inherent vulnerabilities and attractiveness of I&C systems to adversaries necessitate rigorous cybersecurity measures.
  • Operating Environment and Potential Consequences: The specific operating environment and potential outcomes of system compromise must be thoroughly analysed.

Cybersecurity in India: An Overview

India's extensive nuclear infrastructure and increasing reliance on digital technologies have heightened the need for robust cybersecurity measures. The National Cyber Security Policy of 2013 aims to protect information infrastructure and build capabilities to respond to cyber threats. However, the policy's implementation remains a challenge, with a need for continuous updates and improvements.

Objectives of India's Cybersecurity Policy

  • Creating a Secure Cyber Ecosystem: Establishing a trustworthy IT system to enhance adoption across all sectors.
  • Strengthening Regulatory Frameworks: Ensuring compliance with global security standards and best practices.
  • Enhancing National and Sectoral Mechanisms: Developing 24/7 mechanisms for threat assessment and crisis management.
  • Developing Indigenous Security Technologies: Focusing on research, development, and commercialisation of secure ICT products.
  • Building a Skilled Workforce: Training 500,000 professionals in cybersecurity over five years.
  • Public-Private Partnerships and Global Cooperation: Enhancing collaboration at both national and international levels.

India’s Cyber and Nuclear Infrastructure

The cybersecurity of India's nuclear infrastructure is overseen by several key institutions, including the Computer Information and Security Advisory Group (CISAG), the national-level Computer Emergency Response Team (CERT-In), and the National Technical Research Organisation (NTRO). These bodies work together to conduct audits, provide guidelines, and respond to cyber incidents.

Key Institutions

CISAG: Responsible for periodic audits and providing cybersecurity guidelines.

CERT-In: Handles cybersecurity incidents, providing analysis, emergency response measures, and guidelines.

NTRO and DCyA: Focus on technical intelligence and cyber threats pertaining to military and national security.

Case Study: The Kudankulam Breach

The 2019 cyber breach at the Kudankulam Nuclear Power Plant serves as a critical case study. The breach, which affected the administrative network, highlighted the need for robust cybersecurity measures. While the plant's control systems remained unaffected due to air gaps, the incident underscored the necessity of comprehensive cybersecurity protocols.

Key Learnings from Kudankulam Breach

Public Attention and Governmental Response: The breach garnered significant public attention and prompted a robust governmental response, including involvement from CISAG and CERT-In.

Implementation of Additional Measures: Post-incident, measures such as hardening internet connectivity, restricting removable media, and blocking malicious websites were implemented.

Important Considerations and Recommendations

India's nuclear industry faces several challenges, including the integration of cybersecurity measures within its existing security frameworks. There is a need for:

  • Enhanced Interaction with Cybersecurity Experts: Collaboration with experts from other industries to understand and mitigate cyber risks.
  • Investment in Training: Training personnel across nuclear facilities to ensure a comprehensive understanding of cybersecurity.
  • Development of National Guidelines for Cyber Threats: Establishing national guidelines similar to the Design Basis Threat (DBT) document for physical protection.
  • Promotion of Cybersecurity Awareness: Educating nuclear facility personnel about the importance of cybersecurity to foster a strong security culture.

A U.S. Perspective

The U.S. approach to nuclear cybersecurity, regarded as a global benchmark, provides valuable insights for enhancing India's cybersecurity measures.

Historically, the U.S. nuclear sector underestimated cybersecurity threats due to the analogue nature of control systems. However, the transition to digital systems has necessitated stringent cybersecurity measures.

Key Incidents Highlighting Cyber Risks

2003 SQL Slammer Worm: Disrupted the Davis-Besse Nuclear Power Plant, highlighting vulnerabilities in interconnected systems.

2006 Browns Ferry Incident: Network traffic overload caused a shutdown, demonstrating the impact of cyber vulnerabilities on operational systems.

2010 Stuxnet Attack: Targeted Iran’s Natanz facility, showcasing the potential for sophisticated cyberattacks on nuclear infrastructure.

Threat Agents and Vulnerabilities

The primary adversaries in cyber threats to nuclear facilities include nation-states, cybercriminals, terrorists, hacktivists, and insiders. Each group poses distinct threats and requires tailored cybersecurity measures.

Vulnerability Categories

Business-Level Vulnerabilities: Lack of well-defined policies for access control.

System-Level Vulnerabilities: Use of default or simplistic passwords, flaws in software, and supply-chain security issues.

U.S. Regulatory Approach

The U.S. NRC’s cybersecurity regulations and guidance have evolved over time to address the growing cyber threats. The performance-based rule (10 CFR 73.54) and the compliance-based approach (RG 5.71) offer a comprehensive framework for nuclear cybersecurity.

Key Regulatory Milestones

2002-2003 Security Orders: Addressed cybersecurity in design basis threat assessments.

2009 10 CFR 73.54: Established performance-based requirements for protecting digital systems.

2010 RG 5.71: Listed over 100 security controls for critical digital assets.

Potential Risks from a Cyberattack

Cyberattacks on nuclear facilities can compromise confidentiality, integrity, and availability, leading to significant consequences such as:

  • Impacts on Health and Safety: Manipulation of control systems resulting in explosions or fires.
  • Environmental Impacts: Release of hazardous materials due to compromised systems.
  • Economic and Public Perception Impacts: Extended shutdowns, loss of revenue, and undermined public confidence.

Defence and Response

Effective cybersecurity involves deterrence, detection, delay, denial, and resilience. Defence-in-depth, incorporating multiple layers of security, is critical for robust protection.

Recommendations

To address the identified challenges and enhance cybersecurity for nuclear facilities, the following recommendations are proposed:

  • Enhance Inter-Agency Coordination: Foster collaboration between cybersecurity institutions and traditional nuclear security establishments.
  • Invest in Training and Skill Development: Develop a cadre of skilled cybersecurity professionals and educate all nuclear facility personnel on cybersecurity best practices.
  • Establish Comprehensive Cybersecurity Guidelines: Develop national guidelines for cybersecurity in nuclear infrastructure, akin to the DBT document for physical protection.
  • Promote International Cooperation: Strengthen bilateral and multilateral engagements to leverage global expertise and resources in cybersecurity.
  • Implement Rigorous Cybersecurity Measures: Incorporate best practices in system design, periodic assessments, and supply-chain security to mitigate cyber risks.

Conclusion

Integrating cybersecurity measures within nuclear security frameworks is imperative to safeguard against evolving cyber threats. Historical incidents and the increasing sophistication of cyber operations highlight the urgent need for comprehensive cybersecurity strategies. By enhancing inter-agency coordination, investing in training, establishing national guidelines, and promoting international cooperation, India can significantly bolster the cybersecurity of its nuclear infrastructure. The dynamic nature of cyber risks necessitates continuous vigilance and adaptation of security measures to ensure the safety and security of nuclear facilities.

Australian Perspectives

For those businesses operating in Australia, I have previously discussed SOCI – Security of Critical Infrastructure.

Read more here: https://www.dhirubhai.net/pulse/perfect-storm-dr-darryl-carlton-fag3c/?trackingId=9nAl0%2BodQBu%2BJaUjC%2BCpeA%3D%3D

Further Reading

  1. Mohan, Pulkit, et al. "Cybersecurity and Nuclear Facilities." In The Challenges of Nuclear Security: U.S. and Indian Perspectives, edited by S. Paul Kapur, Rajeswari Pillai Rajagopalan, and Diana Wueger, 2024.
  2. De Groot, Juliana. "What Is Cyber Security? Definition, Best Practices & More." Digital Guardian.
  3. Baylon, Caroline, Roger Brunt, and David Livingstone. "Cyber Security at Civil Nuclear Facilities: Understanding the Risks." Chatham House, September 2015.
  4. "National Cyber Security Policy-2013." Ministry of Electronics & Information Technology, Government of India, July 2013.
  5. "CERT-In Annual Report (2019)." Indian Computer Emergency Response Team, Ministry of Electronics & Information Technology, Government of India.


Elliott Crichfield

3 months ago

Nuclear facilities need mad security upgrades. Those vulnerabilities could lead to serious trouble if not handled ASAP. Cyber threats? Ain't no joke.
