Nuclear Power Corporation of India Limited (NPCIL) announced on October 30 that the malware “Dtrack” had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP) in early September 2019. KKNPP is the largest nuclear power plant in India, equipped with two Russian-designed VVER pressurized water reactors, each with a capacity of 1,000 megawatts. Both reactor units feed southern India’s power grid.
On November 4, KKNPP issued a press release stating that its reactors are operating normally and emphasizing that all critical systems at KKNPP and other NPCIL plants are “air-gapped and impossible to hack.” In cybersecurity usage, “air-gapped” describes control or processing systems that have no connection to the internet or to external networks and are therefore often assumed to be safe from cyberthreats. An air gap removes network paths only; removable media, maintenance laptops, and other physical transfers can still carry malware across it, which is why isolation alone is not a complete control.
Dtrack malware, which has been used in widespread attacks across India, is capable of logging keystrokes, scanning connected networks, and monitoring active processes on infected computers. According to the US Department of Justice, Dtrack shares code with other malware attributed to a North Korean state-sponsored hacking operation known as the Lazarus threat group. It is currently unclear whether data was stolen from the KKNPP network. While KKNPP’s nuclear power control networks do not appear to have been affected by the Dtrack attack, a foothold on an administrative network is a common starting point from which attackers attempt to move laterally toward a control systems network.
Title 10 of the Code of Federal Regulations, Section 73.54, “Protection of Digital Computer and Communication Systems and Networks,” requires, in part, that US Nuclear Regulatory Commission (NRC) licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks. Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities,” expands upon the cybersecurity requirements for licensees, namely that all critical digital assets (CDAs) must be protected against compromise through both direct and indirect connections to critical systems. Indirect connections include “air-gapped” systems, CDAs behind a one-way security boundary device, and “sneaker nets,” by which data or software is manually carried from one digital device to another on physically transportable storage media such as floppy disks, thumb drives, portable hard disks, or other modes of data transfer.
As previously reported on Up & Atom, the NRC has prioritized cybersecurity for licensees in 2019. NRC staff completed a Power Reactor Cyber Security Program Assessment to identify key areas for improvement by capturing lessons learned from stakeholders. Most recently, the NRC’s Office of the Inspector General audited the NRC’s cybersecurity inspections at nuclear power plants. Among the audit’s recommendations was that the NRC “use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g. testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.” Morgan Lewis will continue to track national and international cybersecurity threats to nuclear power plants.