Cyber-Attack on Indian Nuclear Power Plant Exposes Threat of “Snooping” Malware

On October 20th, 2019, authorities in India confirmed that one of its nuclear power plants had been hacked. The malware attack on the Kudankulam Nuclear Power Plant (KKNPP), first noticed on September 4th, has since been attributed to the North Korean state-sponsored threat group known as Lazarus.

While the malware did not target critical control systems (it infected a network used for administrative purposes), the attack highlights the potential for a far more damaging compromise.

Malware variant that opens doors to future cyber-attacks

The malware used in the KKNPP attack, Dtrack (which was also used to propagate the WannaCry ransomware attacks in 2017), is a monitoring and intelligence-gathering tool that scans networks and systems for potential vulnerabilities that can be exploited. In this way, Lazarus was able to open a doorway into the KKNPP network, and a foothold of this kind makes follow-on attacks easier by establishing a “persistent presence on the nuclear power plant’s networks”.

Once embedded, Dtrack can quickly take advantage of the slightest gap or blind spot in security defenses, such as non-secure ports; unpatched or out-of-date systems; or new, unmanaged IoT devices. All of these pose significant cybersecurity risks in the utilities sector.

It’s little wonder that the former analyst who initially discovered the attack and flagged it to India’s National Cyber Security Coordinator called it a “casus belli”, an “act of war”.

Limitations of regulated security controls in utilities sector exposed

Critical National Infrastructure, such as nuclear power plants, is required to comply with stringent cybersecurity requirements to protect against cyber-attacks. Yet those controls typically cover only the critical systems and networks associated with safety-related functions and the secondary functions considered “important-to-safety”.


As the attack on KKNPP demonstrates, a multi-layered defense strategy is needed to protect against the persistent and stealthy nature of today’s threat landscape.

The importance of continuous monitoring to reduce cyber risk

An important best practice is to incorporate a continuous monitoring tool, like BitSight Security Ratings, into your security performance management program. With BitSight, you can quickly assess the cyber risk of your own networks and those of your third-party supply chain (59% of data breaches originate with third-party vendors) and gain real-time visibility into the security posture of your organization. You can monitor for infections and other vulnerabilities while modeling different scenarios and remediation paths to project future security performance.

This form of continuous monitoring also incorporates alerts: if a security rating drops below a chosen threshold, automated notifications ensure that you can react quickly.

Finally, continuous monitoring provides a more streamlined way to report key security performance metrics to executives and the Board in an easily understandable and accessible form. This drives more informed and productive conversations around cyber risk than complex, point-in-time audits or assessments can.

Compliance does not equal security

As we’ve stated previously, the alternative to a continuously monitored organization is a “compliance-focused” organization, but, as the attack on KKNPP shows, compliance does not equal security. It is therefore safe to say that a continuous monitoring strategy is not merely a best practice; it is simply necessary to operate a successful and secure organization.