The Kudankulam Nuclear Power Project (KKNPP) in Tamil Nadu on Tuesday denied any hacking of its control system. However, senior government officials said an audit has confirmed that an “incident” had occurred, though not on the main operations of the plant.
A third-party multinational IT company discovered the attack in early September and alerted the National Cyber Security Council (NCSC).
A source said the NCSC set up a cyber audit team that visited the site in mid-September. They met KKNPP officials in the first week of October and submitted an advisory with recommendations. The source confirmed that a “breach” had happened and that cleaning of the foreign intrusion was going on.
“Some sort of vulnerability has been discovered,” said the source. “In terms of the breach, there are layers. It definitely did not impact the main operations. It affected computers that are used for administrative purposes only.”
A final report of the audit is yet to come.
In a press release on Tuesday, KKNPP said: “This is to clarify Kudankulam Nuclear Power Project (KKNPP) and other Indian Nuclear Power Plants Control Systems are stand alone and not connected to outside cyber network and Internet. Any Cyber attack on the Nuclear Power Plant Control System is not possible.” P Ramadoss, Training Superintendent and Information Officer, added that the two units of the plant are currently operating “without any operational or safety concerns”.
The government source said the NCSC and KKNPP jointly decided to issue the press release denying an attack on its control system, since the audit found that only the administrative layer was affected and not the operations.
“When the government finds that critical infrastructure has been affected, they want to deny it,” the source said. “If they don’t deny it or come out with a clarification, it could get amplified and reflect poorly on them. They denied it because it appeared on social media.”
The NCSC-led team included officials from Indian Computer Emergency Response (CERT-In), National Critical Information Infrastructure Protection Centre (NCIIPC), Information and Broadcasting Ministry and the Department of Telecommunications. The advisory to KKNPP included recommendations to update their systems, have regular audits and make careful procurements.
Congress MP Shashi Tharoor sought an explanation from the government on Twitter: “This seems very serious. If a hostile power is able to conduct a cyber attack on our nuclear facilities, the implications for India’s national security are unimaginable. The Government owes us an explanation.”
Speculative social media posts had linked the breach to a virus known as DTrack, a spy tool that cybersecurity company Kaspersky discovered in breaches of Indian financial institutions and research centres last year. The official did not confirm or deny this link.