Cyber Attack Briefing: India’s Largest Nuclear Power Plant and the Truth About Air-gapping
Written by Mission Secure
The Kudankulam Nuclear Power Plant (KKNPP) is India's largest and newest nuclear facility. Owned by the Nuclear Power Corporation of India Limited (NPCIL), KKNPP rests on a legacy of controversy, from safety issues and a nearly decade-long construction delay to absent offsite spent fuel storage and the court battles that followed—the recent cyber attack being the latest entry on the list. What exactly happened at KKNPP?
Uncovering a cyber attack
On October 28th, reports began circulating that computer systems at KKNPP contained malware—a claim NPCIL initially denied. Officials at Kudankulam stated the plant is safe from cyber attack because "Indian nuclear plants including Kudankulam have standalone control systems that are not connected to the internet or any other external network." According to the Economic Times, a plant spokesperson stated, "Any cyberattack on the nuclear power plant control system is not possible."
Two days later, on October 30th, plant officials confirmed the cyber attack, stating that an administrative computer had been infected but was isolated from "critical internal networks." NPCIL also noted that it had been aware of the malware since September. They did not address whether any data was stolen.
Dissecting the cyber attack
The Mission Secure team of cybersecurity experts, ethical hackers and control systems veterans compiled the following details of the nuclear power plant cyber attack in India:
The attack likely did not affect reactor controls. Research and technical data may have been the target. The attack apparently focused on the collection of technical information using a Windows SMB network drive share with credentials hard-coded into the malware to aggregate files to steal.
A version of the 'DTrack RAT' used in the attack was tied to North Korea's Lazarus threat group by researchers based on code shared with DarkSeoul (a malware attack that wiped hard drives at South Korean media companies and banks in 2013).
A computer used by an employee in the finance department was compromised. The earliest captured DTrack malware samples were compiled in May 2019; discovery did not occur until months later, in September 2019. This suggests that the attackers had compromised critical administrative credentials by May at the latest, and that they then either held access or worked on extending it for almost four months before discovery. This is consistent with international statistics indicating approximately 100 days to discover a cyber breach after it has occurred.
As part of the malware attack, Domain Administrator credentials were hardcoded, suggesting complete control and compromise of the business network and all domain-connected systems. This also indicates a targeted attack, reminiscent of the 2017 attacks on U.S. and European plants attributed to Russia.
The Command and Control (C&C) server to which the malware reported was a system on the internal network, which indicates several systems were successfully compromised. The malware used standard web and Windows file sharing protocols to operate, making detection without specific security tools unlikely.
The plant had initially denied there was a compromise at all. While plant personnel have since confirmed the cyber attack, they continue to insist that an unexpected reactor shutdown at the facility is entirely unrelated, citing the attack's confinement to the business network as the basis for that claim.
Notification of the attack came from a third party, not from plant staff.
The Mission Secure team analysis concludes: "Given all the above, it would be prudent to add both protection and continuous monitoring to both the operational and business networks. We routinely find during our assessment engagements numerous ways for an attacker to infect selective equipment, such as engineering laptops, printers and Voice Over Internet Protocol (VoIP) telephones, to bridge the gap between IT and OT networks."
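Two of the behaviours described in the findings above, a Domain Administrator credential in use on an ordinary finance workstation and a single host sweeping many SMB shares to aggregate files, leave traces in standard Windows security logging if someone is looking for them. The following Python is an added example, not Mission Secure's code or tooling, that runs those two checks over a constructed, simplified log; the account names, host names, event layout and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real KKNPP data), modelled loosely on Windows
# Security events 4624 (account logon) and 5140 (network share accessed).
# Fields: timestamp, event id, source host, account, target.
SAMPLE_LOG = """\
2019-09-02T08:01:10 4624 FIN-WS17 jdoe FIN-WS17
2019-09-02T08:03:44 4624 FIN-WS17 corp-domadmin FIN-WS17
2019-09-02T08:05:02 5140 FIN-WS17 corp-domadmin \\\\FILE01\\Research
2019-09-02T08:05:09 5140 FIN-WS17 corp-domadmin \\\\ENG02\\Projects
2019-09-02T08:05:15 5140 FIN-WS17 corp-domadmin \\\\DOC03\\Manuals
2019-09-02T08:05:21 5140 FIN-WS17 corp-domadmin \\\\FILE01\\Finance
2019-09-02T09:12:00 4624 ADM-JUMP01 corp-domadmin ADM-JUMP01
2019-09-02T09:30:00 5140 ENG-WS04 asmith \\\\ENG02\\Projects
"""

# Assumed local policy: which accounts are privileged and where they may log on.
PRIVILEGED_ACCOUNTS = {"corp-domadmin"}
ADMIN_WORKSTATIONS = {"ADM-JUMP01"}
SHARE_FANOUT_THRESHOLD = 3  # distinct shares touched by one host (no time window applied)

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\S+)$")

def parse_events(text):
    """Parse the simplified log into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, host, account, target = m.groups()
            events.append({"ts": ts, "id": int(eid), "host": host,
                           "account": account, "target": target})
    return events

def detect(text):
    """Return (alert_type, host, detail) tuples for the two behaviours."""
    alerts = []
    shares_by_host = defaultdict(set)
    for ev in parse_events(text):
        # Heuristic 1: privileged credential used on a host that is not an approved admin host.
        if (ev["id"] == 4624 and ev["account"] in PRIVILEGED_ACCOUNTS
                and ev["host"] not in ADMIN_WORKSTATIONS):
            alerts.append(("priv_logon_from_workstation", ev["host"], ev["account"]))
        # Heuristic 2: collect distinct shares per source host for a fan-out check.
        if ev["id"] == 5140:
            shares_by_host[ev["host"]].add(ev["target"])
    for host, shares in shares_by_host.items():
        if len(shares) >= SHARE_FANOUT_THRESHOLD:
            alerts.append(("smb_share_fanout", host, len(shares)))
    return alerts
```

Against the sample, the finance workstation trips both checks while the admin jump host and the engineering workstation trip neither.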
Cause for concern
The Economist states, "India needs better cyber-hygiene in its nuclear industry. So does the world." It's a statement that rings true for cybersecurity and industry professionals for one key reason: the cyber defense that plant personnel pointed to, both when denying and when confirming the cyber attack, is air gapping—a "security strategy (that) can leave a nuclear plant quite vulnerable."
Mission Secure CEO, David Drescher, and CTO, Dan Park, are currently touring India, meeting executives at major industrial companies and working with Mission Secure partners in India. "We are learning a lot about the current OT landscape in India with a heightened sense of interest in OT cybersecurity," said David Drescher. "Most large industrial companies in India are in a similar stage to many of the companies we work with in the U.S. and Europe: They want to do an OT assessment to understand the risk, identify how to cost-effectively mitigate these risks, gain OT network visibility and apply protections without impacting production." With the rapid implementation of digital, industrial automation 4.0 and similar initiatives, the need for enhanced OT cybersecurity has accelerated.
Industrial control system veteran Mark Baggett discusses the air gap defense strategy further, noting "Stuxnet impacted a nuclear facility that was supposed to be air-gapped. Clearly, that facility was still attacked. Everyone thinks they are air-gapped until they're not. Mike Tyson infamously said, 'Everyone has a plan, until they get punched in the mouth.'" And that's it. Herein lies the problem.
The Truth About Air Gapping: Three Insights from ICS veteran, Mark Baggett
When I first started implementing control systems across operations 30 years ago, everywhere was air-gapped because different companies didn't talk to other companies back then. If you wanted a printer on your Honeywell control system, you had to buy a Honeywell printer. You couldn't use a Panasonic printer because it didn't work with the equipment. The corporate office wanted spreadsheets in Microsoft Excel; operators didn't have Microsoft. You had to use a Honeywell spreadsheet or spit out the data, print it and take it to someone else to type it into Microsoft. Everybody had a problem with this process; we wanted open systems.
Over time we started connecting systems together to make them work more efficiently. We created the OT cyber exposure problem for ourselves because we all wanted open systems. Now, we have to go back and fix it. That's called cybersecurity and why I joined Mission Secure in the early days of OT cybersecurity about five years ago as Vice President of Industrial Control Systems.
Insight #1: Theory vs. reality
Today, we fly across the U.S. and world to assess critical assets and related control systems and install our solutions. I haven't seen one air-gapped system. Everyone says the network is air-gapped, but there's always some connection that somebody puts in the network. During assessments and Mission Secure Platform deployments, we plug in Mission Secure hardware, our IDS-A device, and instantly start to see a variety of network activity and connections no one in operations or IT knew existed. Management may think the operation is air-gapped, but when you get down to the field level and start looking at these systems, they've made connections to the OT network easier for them, as employees, to work on things. Air gapping sounds good as a company and as a principle. But when it gets down to implementation and practice, it doesn't work as flawlessly as some might imagine.
Insight #2: Multiple points of entry
The second issue with an air gap strategy is that multiple ways exist to gain access to an OT network. Obvious entry points exist, like spear-phishing and social engineering, which try to get employees to make those illicit connections. Third-party remote access to systems remains another major concern, especially as equipment vendors offer enhanced performance contracts tied to remote monitoring of their systems. Less obvious vulnerabilities also exist. Say you buy control system replacement cards off the internet. There's one that's a few hundred dollars cheaper than the version from the original equipment manufacturer. Procurement looks at that and thinks, "I can save the company several thousands of dollars if I buy these products from this company instead." But those products are made at a facility that has malware. The team puts that replacement card in the OT network, and operations don't know any better. The technicians don't know any better; the cards look genuine and original. The OT team didn't realize a different company supplied the equipment.
Insight #3: The human element
Insider threats, intentional and unintentional, also bypass air gap defenses. When you're air-gapped, there's always a process to get information or data from IT over to OT. You download a manual, for example, on the IT side and then plug it in on the OT side so you can work. We found manuals downloaded from a Romanian site that was a known malware source. But I've downloaded manuals; we all have. It's what we do because nobody keeps manuals anymore; you can't find the box whenever you've got to work on something, so you look it up on the internet. And the operator wants it on his control system, so he downloads the manual and puts it on the control system with the malware on it. It's a simple, innocent thing to do. And he was allowed to do it. And even though the network is air-gapped, it doesn't matter.
The bottom line is you need to look at your control systems. Make sure there is nothing that shouldn't be there. It goes back to clearly mapping your OT network, adding continuous monitoring, segmenting the network and establishing a protective layer at levels 0 and 1 of the Purdue ICS reference architecture.
Air gapping as a cyber defense has a history within operations and control system worlds. Yet, as internet-connected technology continues to escalate in terms of both adoption and sophistication, an equal measure of cybersecurity must also be put in place—ideally at equivalent adoption and sophistication rates.
Assessing existing OT cyber risks is the first step for many operations to identify critical cyber risks and mitigation actions. Armed with that intel, organizations can then devise their long-term cyber strategy and plan to achieve cyber resiliency. After the risks are understood, gaining OT network visibility, asset inventory and tracking, segmentation and layering in OT cyber protections follows.
Mission Secure has been working with leading industrial, defense and government organizations for the past six years to help assess critical OT cyber risks and mitigate these risks with easy-to-install and maintain solutions purpose-built for the control system environment.
Originally published November 20, 2019, updated November 19, 2020.