What if a hacker launched attack compromised the security system at a highly sensitive nuclear materials storage facility, allowing terrorists seeking highly enriched uranium to build bomb access? What if cyber-terrorists took control of a nuclear power plant, allowing a Fukushima-scale meltdown? Worse yet, what if hackers spoof a nuclear missile attack, forcing a hasty retaliatory strike that could kill millions? The cyber threat affects nuclear risks in at least two ways: it can be used to compromise nuclear command and control systems and undermine the security of nuclear materials and facility operations.
Historically, India has paid little attention to cyber risks posed by civilian and military nuclear facilities. Overall, India’s cyber security policy has remained inadequate in the face of evolving and emerging cyber warfare and attack threats, particularly in critical sectors such as nuclear energy. Both the Indian Space Research Organisation (ISRO) headquarters in Bengaluru and the Kudankulam nuclear power plant in Tamil Nadu experienced security breaches in late 2019.
Cybersecurity Consequences and Implications for Nuclear Security
The level of access obtained as a result of a cyber-attack determines its severity. An adversary’s ability to gain access to NC3 systems, for example, has specific and multi-level implications in the context of military nuclear systems. If an adversary gains access to a nuclear weapons system’s command and control infrastructure, they will be able to circumvent the weapons’ security and possibly launch or use nuclear warheads or missiles without authorization. Cyber breaches increase the likelihood of nuclear system vulnerabilities. Malware or viruses can infiltrate systems at various points throughout the manufacturing and supply chain.
The importance of nuclear cyber security is no different in India. According to a 2018 internet security threat report released by the security software company Symantec, India was one of the top five countries in the world facing cyber threats and targeted attacks. The Department of Electronics and Information Technology issued the first policy framework of its kind in 2013 to articulate a national cyber security policy. The policy document outlines the guidelines and objectives for protecting the country from cyber-attacks.
Nuclear security concerns the prevention, detection, and response to theft, sabotage, unauthorized access, illegal transfer, or other malicious acts involving nuclear material and other radioactive substances, as well as their associated materials.
The IAEA Nuclear Security Series of publications addresses facilities. These publications are consistent with and supplement international nuclear security instruments such as the amended Convention on the Physical Protection of Nuclear Material, the Code of Conduct on the Safety and Security of Radioactive Sources, UN Security Council Resolutions 1373 and 1540, and the International Convention for the Suppression of Acts of Nuclear Terrorism.
Vulnerability of Nuclear Command and Control Systems
|Enabling – positive controls||Disabling – negative controls|
|A Direct hack in the command and control systems||Sabotage weapons systems.|
|Issue “go codes” to weapon systems and nuclear commanders||Jam communications and early warning systems, disabling them — orders cannot be received and commanders are left confused.|
|Dissimulate or mislead early warning systems into believing that a nuclear attack is underway. Distort the nuclear information space.||Weaken nuclear systems by stealing information on how they work.|
|Use terrorist proxies and other non-state actors.||State-based actors are likely to pursue such attacks.|
Given the rapid pace of technological progress, cyber security should be a top priority when modernizing nuclear systems and facilities. While encouraging private sector participation, government agencies should be at the forefront of technological advancements and develop measures to prepare for consequences across procedures and scenarios. Indeed, threats are ever-changing, and the risks to critical infrastructure cannot be overlooked. The onus is on a country’s ability to develop robust cyber security measures that account for existing threats while allowing for necessary changes for those that may not yet exist. Faced with the challenges of nuclear system modernization and the concomitant emerging threats from state and non-state actors, the debate over cyber security is heating up.
Author: Ms. Himanshi Singh, Intern, CyberPeace Foundation