There’s no transparency: SP Udayakumar on the cyber attack on Kudankulam Nuclear Power Plant

Pallava Bagla/Corbis/Getty Images
15 November, 2019

On 30 October, the Nuclear Power Corporation of India Limited, or NPCIL, confirmed that a cyber attack had taken place on the Kudankulam Nuclear Power Plant in Tamil Nadu’s Tirunelveli district. “Identification of malware in NPCIL system is correct,” the press release stated. The admission came a day after the NPCIL denied the attack, and said it was “not possible.” The attack first came to light after VirusTotal, a cyber-security website, released data which showed that a virus known as DTrack had breached the nuclear plant’s network. Subsequently, Pukhraj Singh, a cyber-intelligence specialist, raised the issue on social media. He tweeted that “extremely mission-critical targets were hit” and that the government was notified “way back.” Singh was formerly with the National Technical Research Organisation, a technical-intelligence agency. He said he first learned of the intrusion when he was conctacted by a “third party” that had discovered the breach. Singh tweeted that he had notified the National Cyber Security Coordinator, a cyber security and e-surviellance agency, on 4 September. NPCIL’s initial denial of the attack and then admission, compelled by Singh’s public disclosures, is illustrative of the opaqueness with which it functions.

Since construction began on the Kudankulam nuclear power plant in 2002, it has faced sustained protests by local villagers, most of whom belong to the fishing community. They claim that the plant’s effluent would damage the local environment, the marine life and threaten their livelihood. SP Udayakumar founded the People’s Movement Against Nuclear Energy, a community-based civil-rights group, that has spearheaded the protests against the plant and demanded its unconditional shutdown. In the past, the police have cracked down on the protests and charged several villagers with sedition.

In the aftermath of the cyber attack on the plant, Udayakumar spoke to Aathira Konikkara, a reporting fellow at The Caravan. He discussed the absence of any reassurance from the authorities about the continued safety of the plant. “The project [is] a lot more vulnerable than what we really thought,” he said. “It is prudent to shut down the first two reactors immediately and to go for an independent inquiry with international experts.”

Aathira Konikkara: Now that the cyber attack on the Kudankulam plant has been officially confirmed, what are your fears and concerns as someone who has represented the local community in the anti-nuclear movement?
SP Udayakumar: One, you can see that they are very lackadaisical about the whole security issue. They are complacent about not only cyber security, but about the security of the entire institution. Second, they are ignorant about vulnerabilities of the nuclear power plant and the overall security of the local people.

AK: In June this year, you sought a white paper from the plant authorities on the safety of the plant. What led you to demand a safety assessment from the plant authorities at that time?
SPU: We have been demanding a white paper for a very long time, since the beginning of the project, because we proved with solid material evidence that there were construction problems in the project, meaning the dome of the Kudankulam nuclear power plant was rebuilt after the wiring had been done. So they reworked on the whole dome. The integrity of the construction has been questioned not just by us but by so many other people. We should also talk about the substandard parts and equipment that they have used in their project. Electricity generation itself has been very erratic because the first reactor has been shut down more than fifty times. And the second reactor has been shut down more than twenty times. The second unit was shut down on 19 October. The administration said it was shut down because of a turbine problem. But it was actually because of low steam generation that may have been caused by the virus attack. These guys don’t say anything openly. There is absolutely no transparency or accountability and that makes us very worried. This recalcitrant attitude—“We know it, we can deal with it, what do you know, we are the authorities”—this kind of authoritarian attitude and behaviour is really problematic.

AK: Has this cyber attack vindicated your stance that the plant was never as safe as the authorities have always claimed?
SPU: Exactly. I read that this North Korean espionage attack has been going on. [Issue Maker Labs, a South Korea-based group of malware analysts, has claimed that the cyber attack was organised by North Korean hackers who were backed by the North Korean government.] So obviously the plant has never been safe. And besides the infrastructural, instrumental and other problems, they have also been adding to the computer-systems problems.

AK: The Indian Space Research Organisation has been alerted about a threat to their systems as well. The Russia-based cyber security company, Kaspersky, said that more financial institutions and research centers in India may have been targeted. What do you think these revelations means for the anti-nuclear movement across the country?
SP: I read in The Washington Post that the ISRO’s [the Indian Space Research Organisation] National Remote Sensing Centre [has been targeted] by North Korean [cyber activity]. When a nuclear power plant that has to be a high-security institution can be snooped on like this, obviously the anti-nuclear activists have several reasons to be worried about. These guys can use this malware for manipulating the data, for stealing the data from the nuclear power plant which may have to do with the security. They will know the stock of uranium or other such information. These things can be stolen or they could even manipulate a reactor meltdown by fiddling with the coolant system. So with this crucial data and access to computers, they could create a havoc. And in a highly and densely populated country like India, it could be something very dangerous. Anti-nuclear activists across the country have enough and more reasons to be worried and concerned.

AK: Have you had the chance to speak to the people in Kudankulam? What is the sentiment on the ground now? Are there any efforts to mobilise?
SPU: People in and around the Kudankulam project are still worried about the safety and efficacy of the Kudankulam reactor. But with an undemocratic and authoritarian nature of the NPCIL, KKNPP [Kudankulam Nuclear Power Plant], DAE [Department of Atomic Energy] and the government of India, people feel that a democratic and non-violent struggle would never be accepted or even respected. So people are very reluctant to take to the streets again. They know the situation is very relevant, very alive. Their opposition to the nuclear reactor is very stable and stubborn. But unfortunately, they don’t feel that they are being heard or understood.

AK: Despite the official confirmation from NPCIL about the cyber attack, we have not heard any statement from the central government commenting on it despite this being a matter of national security. Why do you think this issue is not being treated with the required political urgency?
SPU: Several political parties in Tamil Nadu like MDMK [Marumalarchi Dravida Munnetra Kazhagam], SDPI [Social Democratic Party of India], Manithaneya Makkal Katchi, Tamizhaga Vazhvurimai Katchi and other parties have issued statements condemning it, demanding more information and supporting our demand for an independent enquiry and a white paper. Actually, most of the major parties have not spoken about this. It is really problematic and bothersome. They are worried that their national security credentials will be questioned or will be suspected. They don’t want that to happen. Secondly, many of these political parties don’t know the technical details. Especially the leaders are not well-informed about these hi-tech matters. So they are reluctant to say something which they cannot really understand or explain to the public and the press. Also they tend to trust the government a lot more than they should. The prime minister [Narendra Modi] is the minister of atomic energy in the central government. But the prime minister rarely speaks about anything of national relevance. And he only gives audience to cinema actors and people like that.

AK: What are the demands of your organisation right now? Are you still looking for a complete shutdown of the plant?
SPU: Yes, even now we stand our ground that the Kudankulam nuclear power plant hasn’t been constructed with the international quality. Equipment and parts that have been used in the plant are substandard and dangerous. There are a lot of problems internally that the authorities are trying to hide. So this cyber attack [is] making this whole thing more vulnerable. Already we pointed out that the Kudankulam computers have Russian language instructions and markers. So most people here wouldn’t understand Russian. Then we were told that [the German multinational company] Siemens is responsible for the security and official network arrangements. And now we know that external hackers or a group of hackers have been intruding into the system. That makes the project a lot more vulnerable than what we really thought. So given this situation, it is prudent to shut down the first two reactors immediately and to go for an independent inquiry with international experts. Having done that study, they should produce a white paper for the public. We don’t trust these politicians. We don’t trust these officials. They are all corrupt and crooked and they care only about their families and their children. Not our families and our children. They should also not go for the expansion of the Kudankulam reactors.

AK: How many more units can come up as per the expansion plan?
SPU: They are planning four more. The third and fourth units are being constructed and they have started excavation for the fifth and sixth. Actually, Modi has signed a deal recently for more reactors when he met with [the Russian president] Vladimir Putin. Those contracts should be immediately rescinded because what you have got is not working. And why should we put our people’s money on this and help the Russian economy? These are all our demands.

We are meeting with [Shilpa Prabhakar Satish], the Tirunelveli collector, [on November 8]. The Tirunelveli collector herself has not been kept in the loop about what is exactly going on. Should we be concerned or not? What are the firefighting mechanisms that are put in place? Nothing. Absolutely zero. The district collector is the district’s disaster management authority. And if something happens, what will they do to protect the people? How come these officials are not kept in the loop and informed about the developments? And who actually knows? Nobody speaks. Kudankulam authorities don’t even answer the phone calls of the local press. NPCIL doesn’t say a word. And the prime minister who is the atomic energy minister, has no clue about anything. What is going on in this country is really bothersome. We cannot live under these circumstances. So we are planning to take the issue to the people. As a first step, we are meeting the district collector and asking her what exactly is going on and what we should do. If she doesn’t give us a satisfactory answer, we will turn to the people. We have to educate the people.

This interview has been edited and condensed.