The Pegasus Spyware controversy – lessons from Kudankulam
The parallel story of two malware/cyber attacks and lessons not learnt from them
Two incidents of malware/cyberattacks made headlines across the country on October 30, 31 and November 1, 2019. One, which caused quite some consternation, was a malware intrusion in a computer system at the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu. The KKNPP belongs to the Nuclear Power Corporation of India Limited (NPCIL), which is the flagship public sector undertaking of the Department of Atomic Energy (DAE).
The other attack was cyber snooping. It led to the Government of India asking for an explanation from WhatsApp on Israeli spyware “Pegasus” being used to infect the phones of more than a dozen Indians. The victims in India are human rights activists, those who speak up for tribals and the Dalits, lawyers and journalists. The messaging platform WhatsApp identified the Israeli company, NSO Group, as having developed the spyware “Pegasus.”
According to Times of India of November 1, 2019, WhatsApp revealed that about 1,400 people had been targeted worldwide, including more than a dozen in India, by the surveillance technology, which is so invasive that it can read and transmit the entire content of a phone and operate its camera.
Times of India said, “WhatsApp did not name the entities behind the clandestine surveillance attempts but identified the Israeli company NSO Group as having developed the spyware. NSO, however, said it sells Pegasus only to vetted governments and their agencies.”
The news led to a row, with the Congress accusing the Bharatiya Janata Party (BJP) Government at the Centre of snooping on human rights activists. Congress spokesman Randeep Surjewala posted questions on Twitter to Union Information Technology Minister Ravi Shankar Prasad. Surjewala asked, “Which agency of GOI has purchased and deployed the Pegasus surveillance software? Who, PMO or NSA, authorised the purchase? What action do you intend taking against the guilty?” (Times of India, November 1, 2019).
Ravi Shankar Prasad reacted sharply, asking the Congress to remember the circumstances under which former President Pranab Mukherjee’s office was bugged when he was a Minister in the Manmohan Singh Government. The Union Minister said the Centre had asked WhatsApp “to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens.”
The issue got murkier when several cyber experts said that a computer emergency team of the Union I.T. Ministry knew of WhatsApp’s “vulnerability” when the cyberattack issue first came to light in May 2019 (Times of India, November 3, 2019).
Coming to Kudankulam, the NPCIL has found itself on a sticky wicket on the issue with its somersaults. On October 29, 2019, top Kudankulam officials of the NPCIL claimed that no malware intrusion had taken place in the computers at the KKNPP. The next day, A.K. Nema, a top NPCIL official at its headquarters in Mumbai, admitted that “Identification of malware in NPCIL system [in the KKNPP] is correct.”
Before coming to the issue proper, let us look at the basic facts about the KKNPP: two Russian reactors called VVER-1000, each with a capacity of 1,000 MWe, are operating near a village called Kudankulam in Radhapuram taluq of Tirunelveli district in Tamil Nadu. They are Light Water Reactors which use low-enriched uranium as fuel and light water (ordinary water) as coolant and moderator. Although the reactors, turbines, steam generators and all the equipment and components are from Russia, it is the NPCIL which built the two reactors, operates them and maintains them too. Thus, the two reactors belong to the NPCIL. Russia, under “a sovereign” and “binding” agreement with India, is to supply low-enriched uranium fuel for the entire lifetime of the two reactors, which are expected to generate electricity for about 40 years each.
Two more Russian VVER-1000 units – that is, the third and fourth reactors – are under construction now at Kudankulam. It is again the NPCIL which is building them. Kudankulam will also house the fifth and sixth Russian reactors. So it will be a massive nuclear establishment, which will generate 6,000 MWe when all the six reactors are generating at full power.
Kudankulam has had a chequered history. It remained a non-starter for ten years after Prime Minister Rajiv Gandhi and Soviet President Mikhail Gorbachev signed an Inter-Government Agreement on November 20, 1988, to build two Russian reactors at Kudankulam. The project did not take off because of the disintegration of the Soviet Union in the early 1990s and differences over the rouble-rupee payment ratio. However, it sprang to life on June 21, 1998, when a supplementary to the Inter-Government Agreement was signed in New Delhi by Russian Minister for Atomic Energy Yevgeny Adamov and India’s Atomic Energy Commission Chairman Dr R. Chidambaram. The most important point here is that Russia was bold enough to sign this nuclear power project agreement with India just a month after India had conducted five nuclear tests at Pokhran, Rajasthan, in May 1998 when A.B. Vajpayee was Prime Minister. It was a critical period for India. Many countries, including the U.S., France and the U.K., were boycotting India in international fora and they had slapped sanctions, embargoes and technology denial regimes on India. But Russia proved that it was a true friend of India by signing the supplementary agreement and the Kudankulam nuclear power project received a fresh lease of life.
From 1991, the NPCIL started erecting the two Russian VVER-1000 units at Kudankulam. There was no problem in acquiring the vast land on the sea-shore because the land was barren. There were some delays in the construction because the nuclear equipment and components often arrived late from Russia. When the first unit was all set to be commissioned in December 2011, it ran into a big road-block. A sustained agitation mysteriously broke out in several fishing villages around the Kudankulam project against the commissioning of the reactor. The epicentre of the protests was the spacious forecourt of St. Lourde’s Church at Idinthakarai, the village closest to the Kudankulam project – less than two km away. Fishermen feared that the “hot” condenser water which would be let into the sea would kill the fish and that they would lose their livelihood. Married women feared that they would not be able to conceive because of the “coloured smoke” (sic, that is, excess steam) that would be let into the atmosphere from the reactor. The fishermen’s agitation was led by S.P. Udayakumar, leader of the People’s Movement Against Nuclear Energy (PMANE). The PMANE leaders and the fishermen had one demand: scrap the Kudankulam power project. What preyed on their mind was the accident and the consequent deadly radioactivity released into the atmosphere at the nuclear power station at Fukushima-Daiichi in Japan in March 2011. The PMANE members and fishermen laid siege to the plant near its main gate and did not allow the NPCIL engineers to enter the plant for nearly two years. So the nuclear power equipment could not be serviced. The anti-nuclear power activists held the project to ransom. In this, they had the silent support of the Jayalalithaa government in the State, which wanted to settle political scores with the Manmohan Singh government at the Centre.
Finally, after Prime Minister Manmohan Singh did some plain-speaking with Chief Minister Jayalalithaa, and her party, the All-India Anna Dravida Munnetra Kazhagam (AIADMK), had won a by-election to the Assembly from a nearby constituency, the agitation was called off. The first unit went critical on July 13, 2013. The second unit was commissioned later.
The two operating reactors at Kudankulam have excellent safety features. They have many features in place to cool the radioactive fuel in case of an accident and to ensure that no radioactivity is leaked into the atmosphere. They have multiple safety features in keeping with what is called “defence-in-depth” philosophy. There is redundancy provisioned into the system so that if one chain of safety features fails, another will take care of the situation. The reactors have been installed inside a massive circular building with two extremely thick walls, respectively called the primary containment and the secondary containment. The building is topped with a double-walled dome. The primary containment wall is 1.20 metres thick and is built with reinforced concrete. The wall is lined with leak-proof steel sheets inside. The secondary containment wall is 0.6 metres thick. These massive “fortification”-like walls will ensure that no radioactivity escapes into the atmosphere if an accident occurs in the course of the reactor’s functioning. They would protect the reactor even against a tsunami, earthquakes or an aircraft crashing on the reactor building.
To ensure that the reactors’ fuel core is cooled during an incident or accident, each reactor building has big water tanks containing water mixed with boron to douse the fuel. If there is a loss of electricity supply, four diesel-generating sets will generate six MWe to illuminate the reactor building, turbine building and so on. The DG sets have been installed nine metres above the mean sea level, isolating them from floods. There is a “core-catcher” – a huge tank with lakhs of litres of water at the bottom of the reactor building – into which the molten reactor fuel will fall and thus radioactivity will not reach the atmosphere. Besides, there are safety features in the reactor building to prevent any hydrogen explosion.
Coming to the Control Room, it is the nerve centre of the reactor building. It is from the Control Room that the reactor operators run the reactor and monitor its performance, the behaviour of the fuel rods, the fuel depletion etc. The reactor operators are like the pilots of aircraft. They are graduate and post-graduate engineers from various disciplines. The operators have to pass periodical tests to retain their licence to operate the reactors. Even their reaction time to emergencies is tested. The Control Room is fully computerised with advanced software and algorithms. It is isolated from the computer systems outside and from the internet to prevent cyber attacks, deliberate malware intrusion, virus entry and so on. Thus, it is a stand-alone system. The entry of personnel into the Control Room is strictly regulated. They have to use passwords.
It is against this background of safety features obtaining in the Kudankulam reactors and indigenous reactors operating in other parts of the country that news broke of a malware intrusion in a computer at KKNPP.
On October 30, 2019, the NPCIL admitted to a malware attack in one of its Personal Computers (PC) in the Kudankulam plant, just a day after the plant officials asserted that no cyberattack on its systems was possible.
A.K. Nema, Associate Director (Corporate Planning and Corporate Communications) and Appellate Authority, NPCIL, said in a terse press release on October 30, 2019, “Identification of malware in NPCIL system is correct. The matter was conveyed by the CERT-In [Computer Emergency Response Team - India] when it was noticed by them on September 4, 2019.”
“The matter was investigated by the DAE [Department of Atomic Energy] specialists. The investigation revealed that the infected PC belonged to a user who was connected in the internet-connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored.”
“The investigation also confirms that the plant systems are not affected.”
The previous day, R. Ramdoss, Training Superintendent and Information Officer, KKNPP, said the alleged cyberattack was “false information.” He said in a press release, “Some false information is being propagated on the social media platforms, electronic and print media with reference to the cyber attack on the Kudankulam Nuclear Power Plant.” He added, “This is to clarify that KKNPP and other Indian nuclear power plants’ control systems are stand-alone and not connected to outside cyber network and internet. Any cyber-attack on the nuclear power plant control system is not possible. Presently, KKNPP unit 1 and 2 are operating at 1000 MWe and 600 MWe respectively, without any operational or safety concerns.”
The press release was issued after Twitter was scorched with tweets about a cyber attack at the KKNPP, claiming that a virus called “DTrack RAT” had infected the systems there.
In sum, the burden of the song sung by the NPCIL officials was that news about a malware attack on the KKNPP’s control systems was not correct. But a malware intrusion did take place in a PC at KKNPP. This PC was connected to the internet for administrative purposes, say for HR work or for buying flight and train tickets. The malware intrusion did not take place in the two units’ control systems which control the functioning of the reactors – this was the NPCIL’s stand.
But Pukhraj Singh, a specialist in cyber intelligence, tweeted on October 28, 2019, that domain-control access at the KKNPP had been breached. “Extremely mission-critical targets were hit”, he alleged. It should be noted that Mr Pukhraj Singh had played an important role in setting up the cyber-warfare operations cell of the National Technical Research Organisation (NTRO) of the Union Cabinet Secretariat.
Who to believe?
Poovulagin Nanbargal, a group which is against nuclear power and fights for environmental protection, said the “NPCIL’s acceptance” of a malware attack confirmed the worst fears that nuclear power reactors were not only prone to natural disasters but also to cyber attacks. It wanted the Centre and the State Government to investigate the cyberattack and “bring the culprits to book.”
“The acceptance of Cyber attack in NPCIL systems by NPCIL only confirms the worst fears that Nucl reactors are not only prone to natural disasters but also to Cyber attacks. @iaeaorg @npcilhq” – பூவுலகின் நண்பர்கள் (@Poovulagu), October 30, 2019
S.K. Sharma, Chairman and Managing Director, NPCIL, would merely tell reporters, “Security, be it physical or cyber, is one area” whose details “we do not discuss.” Sharma added, “But be assured that the reactors are safe and are being monitored by experts.”
K.N. Vyas, Chairman, AEC, said separately, “Computerisation in nuclear power stations has taken a tremendous amount of time because nuclear power-generating countries were having doubts about safety. Therefore, the systems that are involved in the operation of our plants are completely independent and are never connected to any other system or internet. This is as per the international safety standards.”
A former top NPCIL engineer explained that all the control systems in the NPCIL reactors were isolated from outside and that there were triplicate channels of safety. The computer systems in the Control Room had triplicate chains and they were insulated from the outside network. They were not connected to the network. There were locking systems. Passwords had to be used to open the system. Authorisation systems were in place. Access to control systems was limited. Outsiders could not access the Control Room.
The NPCIL would not have found itself on the mat on this issue if its officials at Kudankulam had been transparent right from the beginning.