This piece is part of the series, 25 Years Since Pokhran II: Reviewing India’s Nuclear Odyssey
Introduction
Cyber threats have become increasingly complex and sophisticated. Sabotaging critical national infrastructure, including nuclear facilities, has become a common tactic in geopolitical conflicts, jeopardising essential services that underpin governmental, economic, and societal functions, as well as public safety and national security. Accordingly, the cybersecurity of nuclear infrastructure has emerged as a pertinent concern within the broader rubric of nuclear security.
India has not remained immune from this geopolitical turbulence in cyberspace. The country has not yet witnessed a crippling cyberattack on its computer networks or critical national infrastructure. Nevertheless, challenges remain in securing Indian nuclear infrastructure as the government steps up national cyber defence.
Cyber threats to nuclear installations
When India conducted the nuclear tests in May 1998, the global cybersecurity landscape was dominated mainly by ‘nuisance value attacks’ such as virus infections, spyware, phishing-enabled cybercrimes, and website defacements. Distributed Denial-of-Service (DDoS) or ransomware attacks that disrupted websites and other critical infrastructure services
had not yet become prominent. Many actors coveted offensive or malicious cyber capabilities, but only the major military powers held such capabilities. Moreover, geopolitical rivalries had not yet fully trickled into cyberspace. Therefore, the cyber threat landscape was much less complex than it is today.
The Stuxnet worm’s infection of Iranian nuclear facilities in 2010 illustrated the potential consequences of such real-life sabotage.
The following two decades, however, witnessed a dramatic transformation as dependence on the internet and information and communication technology became ubiquitous and attack vectors multiplied. More nations pursued malicious and offensive cyber capabilities; some even set up dedicated units to reconnoitre their adversaries’ vulnerabilities, whereas some engaged proxy non-state actors to target their adversaries. Subsequently, cyberattacks sabotaging critical national infrastructure surged.
For years, security researchers had
discussed the potential of rogue state and non-state actors disrupting critical infrastructure operations. For the first time, the
Stuxnet worm’s infection of Iranian nuclear facilities in 2010 illustrated the potential consequences of such real-life sabotage. The virus, reportedly designed by the United States and Israel,
targeted the Natanz uranium enrichment plant, spinning the centrifuges out of control and affecting the reactor operations. Before reaching its target, the worm exploited the same vulnerabilities in computers from other countries as in Iran. As a result, it infected the computer networks of several critical infrastructure facilities worldwide.
Cybersecurity of India’s nuclear infrastructure
Stuxnet’s target was the Iranian nuclear programme, but what alarmed the Indian officials was its
rapid spread in the country, reportedly
infecting as many as 80,000 computers. Though there were no significant disruptions, this episode brought critical infrastructure protection to India’s cybersecurity agenda, prompting the adoption of the
National Cyber Security Policy in 2013, which underlined the “protection of information infrastructure and preservation of the confidentiality, integrity and availability of information in cyberspace” as the core of secure cyberspace. Furthermore, in 2014, the government formed the
National Critical Information Infrastructure Protection Centre to work with the public and private sectors to bridge vulnerabilities in their critical infrastructure systems.
In less than a decade, the inadequacy of these measures was laid bare when malware targeted the Kudankulam nuclear reactor in Tamil Nadu in September 2019. According to the Nuclear Power Corporation of India Limited (NPCIL), the attack
breached the nuclear plant’s administrative network but did not cause significant disruption or damage. The malware was reportedly
custom-built to breach the reactors’ computer network, signifying a deliberate hack. The perpetrator of the breach remained unclear, but
speculations abounded on North Korea’s involvement.
To strengthen information security at the nuclear facilities, the Bhabha Atomic Research Centre developed a USB-based ‘AnuNishta’ hardware device (to block unauthorised execution of applications and firmware modules), ‘MEGH-3’ cloud computing system, and ‘AnuDocs’ internet-based document sharing system.
Unsurprisingly, this incident raised many questions about the
cybersecurity of India’s nuclear facilities, particularly the government’s response mechanisms, where the officials first
denied the breach and then admitted it.
But even while admitting the hack, they were careful in
highlighting its limited impact and remedial steps implemented to secure nuclear plants from future breaches. These included authorisation, authentication, and access control mechanisms; rigorous configuration control; and surveillance. Other agencies, too, stepped in. For instance, to strengthen information security at the nuclear facilities, the Bhabha Atomic Research Centre
developed a USB-based ‘AnuNishta’ hardware device (to block unauthorised execution of applications and firmware modules), ‘MEGH-3’ cloud computing system, and ‘AnuDocs’ internet-based document sharing system.
Challenges
These steps have strengthened India’s
nuclear security and prevented a repeat of the Kudankulam incident. However, two major issues impede the realisation of a comprehensive cybersecurity posture for India’s nuclear infrastructure.
SCADA Security
The security of Supervisory Control and Data Acquisition (SCADA) systems that manage operations at critical infrastructure facilities, including nuclear power reactors, constitutes a persistent concern. Some SCADA systems are legacy systems installed decades before network-based threats or cyberattacks became routine. They were protected by isolation due to their remote locations and the use of proprietary industrial networks. However, as remote operations and real-time information sharing became a norm, these systems came online and were exposed to cyber threats. This risk is accentuated by a lack of patched systems (outdated and vulnerable systems), which can be sitting ducks for cyberattacks.
American cybersecurity firm Recorded Future revealed that Chinese military-linked hackers had breached the networks of at least seven State Load Dispatch Centres, which managed SCADA systems of the electricity grid in Northern India.
Confidential data from India’s principal technical agency for dealing with cyber threats, the Computer Emergency Response Team, reveals that hundreds of attacks on the SCADA systems of India occur annually and anecdotal evidence suggests that their scale and frequency have increased over the years. For example, in April 2022, American cybersecurity firm Recorded Future
revealed that Chinese military-linked hackers had breached the networks of at least seven State Load Dispatch Centres, which managed SCADA systems of the electricity grid in Northern India.
Air gap myth
In demonstrating the cyber resilience of nuclear installations, Indian officials have often emphasised the importance of air-gapped systems—isolating computers and other critical devices from any secured or unsecured network. However, these air gaps can easily be breached by malicious USB devices. For example, the delivery of the Stuxnet worm to the Iranian reactors’ computer systems was enabled through a USB drive. This instance also illustrates the danger posed by insider threat—the risk posed by those with access to an organisation’s physical or digital assets.
Besides the above challenges, a key consideration in the context of Indian nuclear security is New Delhi’s
recognition as “a responsible state with advanced nuclear technology.” Therefore, any potential cyber breach of the Indian nuclear infrastructure will not just sabotage the operations but also dilute or malign India’s image as a responsible nuclear power with established safety and security standards. Any such cyberattack will have a reputation cost as it will raise questions on the safety culture and standards of the Indian nuclear programme.
Conclusion
Twenty-five years after the Pokhran nuclear tests, the Indian government has put in place arrangements to secure the country’s nuclear infrastructure. However, with the increasing complexity and sophistication of cyber threats to critical national infrastructure (of which nuclear plants and installations are vital), policymakers must evolve a comprehensive risk analysis framework that keeps pace with emerging threat vectors and fosters resilience.
Dr Sameer Patil is a Senior Fellow at Observer Research Foundation
India uses Critical Information Infrastructure (CII) to describe critical national infrastructure. The Information Technology Act, 2000
defines CII as that “computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety”.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.