NPCIL Malware: Small incident, but the big worry is justified

The isolation of business systems and control systems are just assumed; not known. So, the worry is very, very real.

NPCIL Malware: Small incident, but the big worry is justified - CIO&Leader

By now, the incident of a malware hitting Nuclear Power Corporation of India Ltd (NPCIL)’s Kudankulam Nuclear Power Plant (KNPP) is all across media and social media.

The matter has been politicized after Congress’ Shashi Tharoor—incidentally, quite active on Twitter—appealed to the government to come clean on the matter and DMK’s M K Stalin asked for a probe. As usual, social media has been divided across ideological/political lines. Almost nine out of ten joining the debate do not understand anything. From the rest, most are playing on others’ ignorance. A few sane voices are not getting heard.

One of those voices is Pukhraj Singh, a cyber intelligence analyst, earlier involved with setting up the cyber defence operations center of the Indian government, who first spoke about it on Twitter and whose tweet was quoted by Shashi Tharoor to demand that the government ‘owes us an explanation’.

“I just witnessed a casus belli in the Indian cyberspace and it sucks at every level,” Singh tweeted, in a somewhat cryptic manner, way back on 7 September 2019.

Once other users started discussing it on Twitter, he tweeted again on 28 October, quoting his original tweet: “So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.”

What is significant is that Singh claimed that there were ‘other targets’, ‘scarier than KNPP’. The government is largely silent on this and so is the media.

The next day he clarified that he did not discover the intrusion himself; a third party did. He also claimed that he notified the National Cyber Security Coordinator about this on 4 September 2019, a good three days before he tweeted about it. Later, in another tweet, he corrected the date: it was 3 September and not 4 September. That is a day earlier.

That is when Shashi Tharoor quoted him, asking the government to come clean, and Twitter went abuzz. The first reaction that came from the authorities was a denial.

In an official statement signed by R Ramadoss, Training Superintendent & Information Officer, KNPP said, “Some false information is being propagated on the social-media platform, electronic and print media with reference to the cyber-attack on Kudankulam Nuclear Power Plant.”

“This is to clarify KNPP and other Indian Nuclear Power Plants Control are standalone and not connected to outside cyber network and Internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible. Presently, KNPP Unit-1 and 2 are operating at 1000 MWe and 600 MWe respectively without any operational or safety concerns,” it added.

That was the beginning of all confusion. While KNPP was (most probably) right in ascertaining that ‘KNPP Unit-1 and 2 are operating at 1000 MWe and 600 MWe respectively without any operational or safety concerns,’ it went a little overboard by claiming that ‘any cyber-attack on the Nuclear Power Plant Control System is not possible.’

But that is not what made things confusing. Confusion started when KNPP, a government agency, decided to play on words—the way some politicians and some businesses do—to take advantage of the ignorance of the public and the journalists.

So, the next day, when Nuclear Power Corporation of India Limited (NPCIL) admitted that the identification of malware in the NPCIL system was correct, the media called it a U-turn.

In the war of words that followed, the slightly more-aware supporters of the government pointed out that there is nothing in the NPCIL statement that contradicts the earlier statement by KNPP. While the malware information is correct, it ‘did not’ affect the plant operational system and only the office/business system.

“The matter was immediately investigated by the Department of Atomic Energy (DAE) specialists. The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored,” the NPCIL statement clarified.

“Investigation also confirms that the plant systems are not affected,” it reaffirmed.

This gives rise to multiple questions and doubts:

  1. Why did the KNPP statement remain silent on the office PC that was affected, when social media was abuzz and instead called everything false information?
  2. What changed between 28 October and 29 October 2019 for NPCIL to admit that indeed it was impacted, even though the same statement admitted that ‘the matter was conveyed by the Indian Computer Emergency Response Team (CERT-In) when it was noticed by them on September 4, 2019.’
  3. How much can we rely on this assurance that the plant is not affected?
  4. Why should a government agency try to play on the ignorance of the common man? It could have explained the difference between an office PC and the operational system. The Industrial Control Systems (ICS) and the business systems are usually isolated and the ICS in critical strategic infrastructure are rarely connected to public internet.

An ICS expert, Joe Slowik (@jfslowik), raised some pertinent points on Twitter. He questioned whether the assumption of isolation between these two kinds of systems actually holds in India. In the US, the UK, Canada, Germany and France, “there's general confidence about network isolation between business and operational networks as both best practice and regulatory requirement - but does anyone know about India?” he asked. And if it exists in principle, he asked whether it is followed and enforced. India, anyway, is known for great rules with minimal enforcement.

And he sums up perfectly.

“On its face this looks 'bad', but lack of details and operational understanding means no one on the socials can accurately assess possible impacts and implications given very little info right now,” he tweeted.

It comes back to where it started—whether you want to believe the control systems are completely isolated or they are not. If it is the latter, while NPCIL may still be right in saying that they are not affected right now, but the possibility of their getting affected is very real.

What is really worrying is the type of malware and where it was found.

Dtrack Remote Administration Tool (RAT) is a known cyber-espionage malware from Lazarus Group, an infamous advanced persistent threat actor responsible for multiple cyber-espionage and cyber-sabotage operations. And it was found inside what should be the paragon of safety and security – a large nuclear plant of one of the few nuclear power nations in the world.

It is difficult to believe it was there to steal data from the employee payroll or office accounting system!

The Endnote

However, the incident will go down as one of the best things to happen if this sensitizes the government and that results in some real action.

Let’s hope for the best…And I do not have the heart to complete the saying.

(Theme Image Credit: Reetesh Chaurasia/Wikipedia)
