Cyber Security Threats to the Indian Strategic Organizations
Quote from Dr Tahir Mahmood Azad on 27th June 2020, 1:57 am
Cyber threats in nuclear security have emerged as a core issue in contemporary world politics, and although various threat scenarios have been developed, cyber-attacks on strategic organizations and their nuclear weapons are a most serious concern.
All states with nuclear weapons face a growing threat from these emerging capabilities, including India. The country is rapidly expanding its civil and military nuclear capabilities and infrastructures, and it is unclear if the country has paid sufficient attention to cyber threats during this expansion. India has already experienced several cyber incidents at its nuclear facilities. For example, in 1998 an American teenage hacker broke into India’s Bhabha Atomic Research Centre (BARC) and downloaded passwords and emails.[i] Again, in September 2019, India experienced a cyber-attack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, which was confirmed by the Nuclear Power Corporation of India Limited (NPCIL).
Threats to Civilian Facilities
India’s NPCIL operates 22 commercial nuclear power reactors, across seven sites, and has plans for a further 21 reactors by 2031. Of these, the KKNPP is India’s largest nuclear power plant, which currently operates two Russian-designed and supplied 1,000 MWe VVER pressurized water reactors. KKNPP is adding four more reactor units of the same capacity, making the project one of the biggest partnerships between India and Russia. While official statements hold that the attack did not cause any operational, safety or critical damage, it has actually exposed vulnerabilities in India’s approach to cyber security; according to an article in the Washington Post, “VirusTotal, a virus scanning website owned by Google’s parent company, Alphabet, has indicated that a large amount of data from the KKNPP’s administrative network has been stolen.”
In addition to compromising information security, cyber-attacks on nuclear power plants could have severe physical outcomes, particularly if the network that operates the machines and software controlling the nuclear reactor is compromised. A cyber-attack can further be used in a blended attack to expedite sabotage, theft of nuclear materials, or, in the worst-case scenario, a reactor meltdown. In a heavily populated country like India, any radiation discharge from a nuclear facility would be a major disaster. The malware used in the KKNPP attack was known as ‘Dtrack’, which is a “monitoring and intelligence gathering tool that scans networks and systems for potential vulnerabilities that can be exploited.” Dtrack can rapidly penetrate and take advantage of the slightest breach or blind spot in security protections, such as non-secure ports, out-of-date or unpatched systems, or the latest addition, unmanaged internet of things (IoT) devices.
To give greater confidence in their remedies, Indian officials should increase transparency in their efforts to counter such threats, both at the KKNPP and across the nuclear fleet.
Developing Security Culture
As India’s nuclear security culture is still developing and in its evolutionary phase, more effort, credible human resources, training and countermeasures are required to deal with cyber security threats. The expansion of both India’s civilian and military nuclear infrastructure requires enormous resources and trained and reliable manpower.
Threats to Military Programme
In addition to the civilian nuclear industry, there are concerns that cyber operations could also affect India’s nuclear weapons complex via the country’s nuclear facilities, delivery systems and communications systems. Should these threats be realized, their impact on nuclear command, control and communications (NC3) during a time of crisis could have disastrous consequences.
According to the SIPRI Yearbook 2019, the Indian arsenal includes 130 to 140 warheads – this will increase as India enhances its nuclear triad and modernizes its forces. In addition to usable weapons, the International Panel on Fissile Materials estimates that India has a plutonium stockpile of 0.58 ± 0.15 tons and a highly enriched uranium stockpile of 4.0 ± 1.4 tons. Not all of this will be used for weapons – for example, it will contribute towards India’s thorium-reactor program or will be used in nuclear submarines and research reactors.
Strategic Implications
Cyber security threats have already posed a major challenge to India’s civilian nuclear industry, and pose serious challenges to its strategic organisations. The challenges seem limitless in their paradigms, such as the implications for safe, secure and reliable nuclear command and control systems; advancement in information security; nuclear signaling and the preservation of highly sensitive nuclear knowledge; strategic deterrence; and the surfacing of a cyber-nuclear security dilemma. It is a fact that nuclear weapons systems were developed even before the evolution of computer technology, and little attention was given to possible cyber exposures. Against this background, contemporary nuclear policy often observes the extensive practice of digital technology in nuclear systems.
Cyber-security for a nuclear facility can be separated into two key parts: Instrument and Control Security (ICS), and Facility Network Security (FNS). There are numerous distinctions between these fragments of security, including diverse methodologies, mechanisms, and the consequence of disaster in each sphere. There are certain possibilities that non-state actors or rogue elements might steal sensitive data, modify software codes or critical communications links, subvert and compromise networks and computers, and/or intrude with other connected hi-tech techniques; the potential to do this in advance, and perhaps without the rival knowing, raises a whole new set of challenges and questions for nuclear weapons management, security and strategy.[ii]
In addition to cyber’s implications for strategic stability, cyber has the potential to impact domestic sentiment and reaction. The current Indian domestic situation is also highly volatile, and Pakistani officials perceive Prime Minister Modi to be an aggressive Hindutva-nationalist. In addition to hints that India could change its nuclear no first use policy, a series of events has happened under the Modi government which has destabilised India internally. This destabilization may have direct implications for its security culture. In a country which already has a weak nuclear safety and security culture, this would ultimately lead to catastrophic incidents.
Furthermore, non-state actors or rogue elements may take advantage of the current Indian situation and steal sensitive nuclear information, sabotage facilities or destabilise the nuclear reactor. A country with serious domestic issues, ethnic clashes, conflict among Hindu and non-Hindu communities, separatists and freedom movements reflects the uncertain future of India.
[i] Andrew Futter, Hacking the Bomb: Nuclear Weapons, Cyber Threats and the Incipient Digital Age, Washington: Georgetown University Press, 2018.
[ii] Andrew Futter, “Cyberthreats and nuclear weapons,” RUSI Occasional Paper, July 2016.