Since the Kudankulam Nuclear Power Plant near Kanyakumari confirmed on October 30 that it had been the target of a cyberattack, there has been a great deal of commentary – and speculation – about it. As researchers in the field of cybersecurity for critical infrastructures, we wish to describe how these systems are usually secured and to separate the hype from the fact.

IT vs. OT

To understand cyber attacks on critical infrastructures, we need to understand one concept: IT vs. OT.

Organisations that operate critical infrastructures have two distinct cyber networks: an Information Technology network and an Operational Technology network. The IT network facilitates organisational management – it is the backbone that allows functions like payroll, employee management and even the laptops that employees use. This network is almost always internet-connected, although “firewalls” are commonly used to provide security by restricting access to outsiders.

The OT network, on the other hand, is the nervous system of the process. In the case of power plants, like the one in Kudankulam, the OT network has machines that run control algorithms to manage power generation, others that run protection software to maintain safety and yet others to store historical data for analysis.

It is routine for the control systems of such OT networks to be “air-gapped” from the IT systems of the same organisation. This means that no path exists between the OT and IT networks. When a physical air gap is deployed, computers on the OT network are not connected to the internet. The only way data can pass into or out of the network is when someone connects an external storage device (like a USB stick).

More often, though, the air gap is software-defined, using a firewall. The firewall contains rules to prevent any external connections from being established with the isolated computer network. The most common reason for having a firewall-based air gap is to allow for a controlled software update of an OT network device. While this might seem to be an exploitable foothold, it should be noted that no air gap (including a physical one) is impossible to bypass. This is evident from several attacks on critical infrastructure in the recent past.
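To make the difference between a sloppy and a properly restricted firewall-based air gap concrete, here is an added example (not code from the article, and not any plant's real configuration): a first-match policy evaluator together with a check of the two properties such a boundary has to preserve. The address ranges, the patch-staging host and the update port 8443 are all constructed for the illustration.

```python
"""Added example: a tiny first-match firewall policy evaluator plus an
invariant check for a firewall-defined IT/OT air gap. Zones, hosts, rules
and probe connections are constructed; none of this is a real plant's setup."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR of the source
    dst: str              # CIDR of the destination
    dport: Optional[int]  # destination port, None means any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Constructed address plan: IT LAN, OT control LAN, one patch-staging host.
IT_NET = "10.1.0.0/16"
OT_NET = "10.2.0.0/16"
PATCH_HOST = "10.1.50.10/32"
INTERNET = "0.0.0.0/0"


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; the implicit final rule is deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


# Weak policy: a broad "let IT manage OT" rule, and nothing stopping OT hosts
# from reaching out to the internet on their own.
WEAK_POLICY = [
    Rule("allow", IT_NET, OT_NET, None),
    Rule("allow", OT_NET, INTERNET, None),
]

# Hardened policy: only the patch-staging host may reach the (constructed)
# OT update service on port 8443; everything else is denied explicitly.
HARDENED_POLICY = [
    Rule("allow", PATCH_HOST, OT_NET, 8443),
    Rule("deny", IT_NET, OT_NET, None),
    Rule("deny", OT_NET, INTERNET, None),
]


def air_gap_violations(rules) -> list:
    """Probe the policy for the properties a firewall-based air gap must keep:
    OT never initiates connections outward, and the only IT-to-OT path is the
    designated patch host on its update port. Returns the probes that were
    wrongly allowed (empty list means the policy holds)."""
    probes = [
        ("10.2.10.5", "93.184.216.34", 443, "OT host to internet"),
        ("10.1.20.7", "10.2.10.5", 502, "ordinary IT host to OT Modbus"),
        ("10.1.20.7", "10.2.10.5", 8443, "ordinary IT host to OT update port"),
        ("10.1.50.10", "10.2.10.5", 502, "patch host to OT Modbus"),
    ]
    return [label for src, dst, dport, label in probes
            if evaluate(rules, src, dst, dport) == "allow"]


if __name__ == "__main__":
    print("weak policy violations:", air_gap_violations(WEAK_POLICY))
    print("hardened policy violations:", air_gap_violations(HARDENED_POLICY))
```

The weak policy fails all four probes; the hardened one fails none while still permitting the one legitimate update path. Real deployments add a timed change window for that rule and log every hit on it, since the update path is exactly the foothold the article warns about.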

In a statement after the attack, the authorities at the Kudankulam Nuclear Power Plant said that the plant “..and other Indian Nuclear Power Plant Control Systems are stand-alone and not connected to an outside cyber network and the Internet. Any cyberattack on the Nuclear Power Plant Control System is not possible.”

This essentially is an oversimplification of what we just described.

What harm can be caused

If an attacker can get access to the OT network and then can escalate their privileges to a level where they can send control commands to the process, they may be able to cause harm. Why do we say “may”? Because for a successful attack on a control system, the attacker must understand the process they are controlling. It takes months of staying within the OT network to gather enough intelligence to get a vague understanding of the process and how to control it.

Take, for instance, the Stuxnet case in 2010, when attackers were able to target nuclear centrifuges in Iran. Security researchers who reverse-engineered the code in the malware found that it was extremely focused and meant to hit centrifuges in one of the country’s nuclear power plants. The attackers had knowledge of all the equipment used in the plants, their make, models, as well as software versions. The attack was initiated by malware that was present in USBs. This is the level of prior knowledge, and reconnaissance needed to attack a nuclear power plant.

Fuel arrives at the Kudankulam plant. Credit: IAEA Imagebank [CC BY-SA 2.0 (https://creativecommons.org/licenses/by-sa/2.0)]

Even if an attacker can understand how the network functions, the attacker must then be able to disable all possible safety mechanisms that are fairly extensive in nuclear power plants. If an attacker can perform these steps, they can cause large-scale damage, ranging from destroying the turbines to taking human lives.

The Ukraine attack in 2016 was yet another case similar to Stuxnet. Attackers disabled power distribution stations in Ukraine, causing a widespread blackout. The attack started several months before the blackout actually occurred. It began when attackers targeted several employees of the companies with Microsoft Word documents embedded with malware to gain access to the IT networks.

This allowed them to collect credentials to the OT network and gain access to it. They even attempted to overwrite software on the power grid protection equipment to render it useless. They erased boot records on the control system servers and went on to perform a denial-of-service attack on the call centres to prevent them from notifying any customers.

Power plants in Ukraine, as well as Iran, were secured in a way similar to that of Kudankulam. Attackers still found ways to attack the plants and were able to make the jump from IT to OT. Hence, the argument the Kudankulam Nuclear Power Plant authorities make about the impossibility of OT attack in their press release is not entirely valid.

So what really happened in Kudankulam?

An analysis of the malware sample (now on VirusTotal) shows that it is a modification of a previously known and used malware, Dtrack, which has been used in the past to attack financial institutions in India. It is a Remote Access Trojan, which means that it is malware that looks like a legitimate file but actually allows a remote user to command a machine.

An analysis of the malware can give insights into the goals of the attacker. First, there is a Collect History function that recovers internet search history from the browser installed on the machine; there are search queries for both Google Chrome and Mozilla Firefox history files. Second, the malware attempts to collect local operating system registry information such as registered owner, registered organisation, install date, and current user. Thirdly, the malware gathers a list of currently active processes on the machine. Finally, it scans for information regarding the network the affected machine is on. All of this information is then written into temporary files that can be extracted to a remote server by the attacker.

How did we know that Kudankulam was attacked? An analysis of the malware sample (after it was posted online) shows one specific command that contains the username KKNPP, which most likely belonged to the power plant. This is what pushed the security community to worry about it.

All of the malware functions point to one thing: reconnaissance. There is no displayed understanding of the control system or of specific processes in the operational environment. However, there are a few hardcoded local IP addresses that might point to some prior reconnaissance effort of the plant’s IT environment. The attackers were probably using this as a stepping stone and were trying to gather any information they could about the control system: the browser history could, for example, show if certain control equipment vendor websites are visited often for software updates.
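The collection behaviour listed above (browser history files, OS registration keys, process listing, network discovery, staging to temporary files) is what a defender would hunt for on IT hosts. As an added example, not code from the article or from any analysis of the sample, here is a small detector that scores constructed host telemetry for that pattern. The log line format, host names, PIDs and paths are all constructed; the point is that any single category is normal administrative noise, while several categories from one process in a short span is the reconnaissance signature the article describes.

```python
"""Added example: score constructed host telemetry for the reconnaissance
pattern (browser history, OS registration keys, process list, network
discovery, temp-file staging). Format and values are constructed."""
import re
from collections import defaultdict

# Each constructed line: "<time> <host> pid=<n> <event> <detail>"
SAMPLE_TELEMETRY = """\
09:01:02 ws-17 pid=4120 file_read C:\\Users\\op1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
09:01:03 ws-17 pid=4120 file_read C:\\Users\\op1\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x9.default\\places.sqlite
09:01:05 ws-17 pid=4120 reg_query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner
09:01:05 ws-17 pid=4120 reg_query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate
09:01:06 ws-17 pid=4120 proc_create tasklist.exe
09:01:07 ws-17 pid=4120 proc_create ipconfig.exe /all
09:01:09 ws-17 pid=4120 file_write C:\\Windows\\Temp\\~tmp5012.dat
09:02:10 ws-22 pid=880 file_read C:\\Users\\op2\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
09:03:44 ws-22 pid=2210 proc_create ipconfig.exe /all
"""

# Reconnaissance category -> pattern matched against "<event> <detail>".
RECON_PATTERNS = {
    "browser_history": re.compile(r"file_read .*(\\History$|places\.sqlite$)", re.I),
    "os_registration": re.compile(
        r"reg_query .*CurrentVersion\\(RegisteredOwner|RegisteredOrganization|InstallDate)", re.I),
    "process_listing": re.compile(r"proc_create (tasklist|wmic|get-process)", re.I),
    "network_discovery": re.compile(r"proc_create (ipconfig|netstat|arp|nbtstat|net view)", re.I),
    "temp_staging": re.compile(r"file_write .*\\Temp\\", re.I),
}

LINE_RE = re.compile(r"^(\S+) (\S+) pid=(\d+) (.*)$")


def categorize(event_and_detail: str) -> set:
    """Return the set of reconnaissance categories one event falls into."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(event_and_detail)}


def score_telemetry(text: str, min_categories: int = 3) -> dict:
    """Group events by (host, pid) and report processes that touch at least
    `min_categories` distinct categories. Returns {(host, pid): [categories]}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        _, host, pid, rest = m.groups()
        seen[(host, int(pid))] |= categorize(rest)
    return {key: sorted(cats) for key, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for (host, pid), cats in score_telemetry(SAMPLE_TELEMETRY).items():
        print(f"{host} pid {pid}: {', '.join(cats)}")
```

On the constructed sample only `ws-17` pid 4120 is reported, with all five categories; the lone browser-history read on `ws-22` and the lone `ipconfig` run stay below the threshold. In a real deployment the grouping would also be bounded in time and the process ancestry checked, but the category-counting idea is the same.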

Kudankulam has, however, experienced process failures in the last few months. While it might be a stretch to correlate the two, if an attacker was able to compromise the OT network of Kudankulam, the power plant could exhibit such process failures.

The Kudankulam plant under construction. Credit: IAEA Imagebank [CC BY-SA 2.0 (https://creativecommons.org/licenses/by-sa/2.0)]

Course correction

Attributing an attack to a nation-state or a group of individuals is a challenging task. The common practice is for researchers to look at similarities between malware samples (think of elements like coding principles and reused code) and determine with some confidence that they came from the same source.
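As an added example of the similarity-based approach just described (not code from the article, and not how any particular vendor does attribution), here are two crude measures analysts start from: the overlap of printable strings between samples, and the overlap of raw byte 4-grams, which picks up reused code regardless of the strings. The three "samples" are constructed byte blobs, not real malware.

```python
"""Added example: two simple similarity measures for comparing binaries.
SAMPLE_A/B/C are constructed byte blobs standing in for malware samples."""
import re
from typing import Set


def printable_strings(blob: bytes, min_len: int = 4) -> Set[str]:
    """ASCII runs of at least min_len characters, like the `strings` tool."""
    return {m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)}


def byte_ngrams(blob: bytes, n: int = 4) -> Set[bytes]:
    """All overlapping n-byte windows of the blob."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x: bytes, y: bytes) -> dict:
    """String-level and byte-level Jaccard similarity between two samples."""
    return {
        "strings": round(jaccard(printable_strings(x), printable_strings(y)), 3),
        "ngrams": round(jaccard(byte_ngrams(x), byte_ngrams(y)), 3),
    }


# Constructed samples: B is A with one routine renamed and a new string
# appended, C is an unrelated blob with a different header and code bytes.
SAMPLE_A = (b"MZ\x90\x00" + b"CollectHistory\x00"
            + b"\x55\x8b\xec\x83\xec\x40\x8b\x45\x08" + b"RegisteredOwner\x00"
            + b"\x33\xc0\xc9\xc3" + b"%TEMP%\\log.tmp\x00")
SAMPLE_B = (b"MZ\x90\x00" + b"CollectHist2\x00"
            + b"\x55\x8b\xec\x83\xec\x40\x8b\x45\x08" + b"RegisteredOwner\x00"
            + b"\x33\xc0\xc9\xc3" + b"%TEMP%\\log.tmp\x00" + b"extra-banner\x00")
SAMPLE_C = (b"\x7fELF\x02\x01\x01" + b"/usr/lib/libc.so.6\x00"
            + b"\x48\x89\xe5\x48\x83\xec\x10\x5d\xc3" + b"hello world\x00")


if __name__ == "__main__":
    print("A vs B:", similarity(SAMPLE_A, SAMPLE_B))
    print("A vs C:", similarity(SAMPLE_A, SAMPLE_C))
```

A against B scores well on both measures, A against C scores zero on strings and close to zero on n-grams. Shared strings alone are weak evidence, since they are easy to copy or plant, which is why analysts weight code-level similarities and coding habits more heavily, as the paragraph above notes.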

In the case of the malware found in Kudankulam, similarities have been found to the Dtrack and ATMDtrack attacks, which in turn looked similar to the 2013 DarkSeoul attack campaign which froze thousands of computers in South Korean banks and media firms. It was attributed to a threat actor known as Lazarus – which wasn’t an actual name of a group but merely a pseudonym assigned by the security community. No one knows what nation funds or houses the group, but the Kaspersky cybersecurity firm has found IP addresses that can be traced to North Korea, thereby making it a possible suspect.

Kudankulam was, in fact, hacked, but unlike what a lot of the initial social media posts suggested, the attack wasn’t on life-threatening critical infrastructures. The IT vs OT air-gap seems to have served its purpose.

While power plants are prepared for such vulnerabilities in the IT network, it should still sound an alarm for the government to impose cybersecurity regulations and mandate that these power plants hire penetration testers and auditors to expose and fix any holes that a foreign state might leverage to gain control of our nation’s critical infrastructure.

Kartik Palani is a PhD researcher at the University of Illinois at Urbana-Champaign, and Prashant Anantharaman is a PhD researcher at Dartmouth College. They specialise in the security and resiliency of Energy Delivery Systems.