The Nuclear Power Corporation of India Limited (NPCIL), on Wednesday, 30 October, confirmed in an official press release that the identification of “malware in NPCIL system is correct”. This is a significant admission by NPCIL after Tuesday’s blanket denial that “any attack on the Nuclear Power Plant Control System is not possible.”
The Quint had reported on Tuesday strong evidence of a malware attack on the IT systems of the Kudankulam Nuclear Power Plant (KKNPP) in September, but NPCIL had then denied it.
But in the latest press release, NPCIL senior official AK Nema said that the matter had been conveyed by CERT-In on 4 September. This corroborates cybersecurity expert Pukhraj Singh’s claim that he had informed the National Cyber Security Coordinator of the DTrack malware attack on 3 September.
“The matter was immediately investigated by DAE specialists,” the press release clarified. NPCIL functions under the Department of Atomic Energy (DAE), which comes directly under the Prime Minister’s Office (PMO).
According to the statement, the infected computer belonged to a user who was connected to the internet. This internet network was “isolated from the critical internal network”, the press release said.
Former NTRO official and cybersecurity expert Pukhraj Singh, who says he first informed the National Cyber Security Coordinator Lt Gen Rajesh Pant on 3 September, told The Quint that he had pointed out that it was the IT network of the power plant that had been compromised – which is very different from its control systems.
“A domain controller, which authenticates and authorises resources in a centralised manner, generally sits on the administrative IT network. The Operational Technology network is generally air-gapped, as it’s most critical. I was merely pointing out that the administrative IT network seems to be compromised. It doesn’t necessarily imply the reactor’s control systems were impacted.”
Pukhraj Singh, Cybersecurity Expert
As cybersecurity expert Anand Venkatanarayanan explained to The Quint, even this would be a very serious issue. “This is problematic,” he said, “because a compromise even on the IT systems can reveal a lot, including key personnel information, their schedules and other personal data.”
Cyber Security Chief Responds to The Quint
National Cyber Security Coordinator Lt Gen Rajesh Pant, who was informed by cybersecurity expert Pukhraj Singh on 3 September of the potential malware attack on the IT network of the Kudankulam Nuclear Power Plant, had told The Quint on Wednesday that “any such reports that affect our critical sector are taken very seriously by the government.”
Prior to Pant’s response, the only official statement issued on Tuesday was by R Ramdoss, Training Superintendent at KKNPP, who had denied any attack on the plant’s control systems.
Ramdoss said that the Kudankulam Nuclear Power Plant and the control systems of other Indian nuclear power plants are “standalone and not connected to outside cyber network and internet.”
“The critical systems are additionally protected with an air-gapped and also a defence in depth approach and I assure you that our agencies such as NCIIPC and CERT-in are ensuring the same without any compromise,” Pant had told The Quint.