A Million Dollar Security Gap - Nobody Talks About

India's largest nuclear plant lost 858,000 files, not through its reactor systems, but through a contractor's contractor. Here's the million-dollar security gap even the SANS Five ICS Critical Controls don't cover: third-party risk

A Million Dollar Security Gap - Nobody Talks About

Lesson from India's Largest Nuclear Plant Data Breach

Let's Talk About What SANS Didn't Cover

Let's get one thing out of the way first, this article is not about the SANS Five ICS Cybersecurity Critical Controls.

You already know them well: OT-Specific Incident Response, Defensible Architecture, Visibility & Monitoring, Secure Remote Access, and Risk-Based Vulnerability Management. They are the foundation of any serious OT security program, and if your organization hasn't implemented them yet, that is where you should start before reading anything further.

This article expands beyond those SANS 5 Critical Controls For World Class OT / ICS Cybersecurity on two equally important areas that deserve greater attention in many OT environments: Physical Security and Third-Party/Supply Chain Risk Management

You may have locked every door in your house, but handing a key to someone with poor security defeats the purpose. That's why Third-Party Risk Management matters.

That single idea is the entire lesson behind the Kudankulam Nuclear Power Plant data breach. Let's walk through it.

A short disclaimer before we begin: everything discussed in this article is based entirely on publicly available sources. It is written for educational purposes, to help individuals and organizations recognize common attack techniques and safeguard their own infrastructure. The intent is not to speculate or assign blame, but to understand how the incident occurred, identify the attack pattern, determine where controls failed, and explore how similar incidents can be prevented. We will also compare this incident with earlier supply chain and third-party attacks to see whether threat actors are reusing the same playbook.


Understanding the Kudankulam Nuclear Power Plant (KKNPP) Data Breach

This was a third-party supply chain compromise that resulted in the exposure of sensitive information related to KKNPP. Here's how we know that. Let's dig in.

Understanding the Parties Involved

Party

Organization

Role

First Party

Nuclear Power Corporation of India (NPCIL) / Kudankulam Nuclear Power Plant (KKNPP)

Asset owner and plant operator. Owns and operates the nuclear facility.

Second Party

Citizens of India / Government of India / Electricity consumers

The recipients of the service (electricity). In cybersecurity, the second party is usually not the focus.

Third Party

Reliance Infrastructure (the contracted entity providing IT/OT services)

Direct contractor providing services to NPCIL. NPCIL has a contractual relationship with them.

Fourth Party

Yotta, a hosting provider used by the contractor for lower-cost virtual private server (VPS) hosting

Service provider used by Reliance. NPCIL (First Party) typically has no direct contract with Yotta.

 What Actually Happened?

The Kudankulam Nuclear Power Plant (KKNPP) became associated with a significant data breach that is currently under investigation by CERT-In, India's national cybersecurity agency.

According to publicly available reports, the attackers stole approximately 858,000 files. After the ransom demand was reportedly rejected, the threat actors published around 19,000 of the most sensitive documents, totaling approximately 14.3 GB, on the dark web.

It is important to understand this clearly: the compromised system was not part of the nuclear plant's Operational Technology (OT) environment.

Instead, the attack targeted a server belonging to Reliance Infrastructure, the contractor responsible for infrastructure work on Units 3 and 4 under a contract awarded in 2018. The compromised server was hosted by Yotta, making this a textbook example of third-party and fourth-party supply chain risk.

What Information Was Exposed?

The leaked documents reportedly included:

•    Blueprints for ventilation and cooling systems.

•    Floor plans of the common control room.

•    Vendor proposals, supplier information, equipment evaluations, and project meeting records.

•    A USD 112 million insurance policy covering terrorism-related risks.

•    Various engineering and project documentation related to plant construction.

Based on publicly available information, the nuclear reactor systems supplied by Rosatom were not impacted, and there is currently no evidence that the plant's OT or Industrial Control Systems (ICS) were compromised.

Timeline of the Incident

•    29 May 2024 — Suspicious activity was reportedly detected on the compromised server.

•    End of June 2024 — Reliance Infrastructure informed the hosting provider after threat actors claimed to possess stolen data.

•    11 June 2024 onward — The stolen files began appearing on the dark web after the ransom demand was reportedly rejected.

Although the exact sequence of events remains under investigation, publicly available reports indicate that the data leak originated from a partially compromised Reliance Infrastructure server hosted by Yotta, rather than from the operational systems of the nuclear facility itself.

Threat Actor

The attack has been attributed to the ransomware group World Leaks, a threat actor previously linked to attacks against several high-profile organizations, including Nike and Tata Group.

According to public reporting, the group follows a double-extortion model — stealing sensitive data before encrypting systems. If the victim refuses to pay the ransom, the stolen information is publicly released.

In this incident, World Leaks reportedly demanded a ransom from Reliance Infrastructure. When the demand was declined, the group published a portion of the stolen documents on the dark web.

Initial Assessment

Based on the information currently available, there is no evidence that the Operational Technology (OT) network or the nuclear reactor control systems were directly breached.

Instead, this appears to be ransomware-driven data theft targeting a third-party contractor (Reliance Infrastructure), whose infrastructure was hosted by a fourth-party service provider (Yotta).

While the OT environment remained unaffected, the incident clearly demonstrates how a compromise within the extended supply chain can expose highly sensitive engineering documentation and project information related to critical infrastructure.


Yes! We Don't Have a Formal Root Cause Analysis. So How Do We Learn the Lesson?

Fair question, and one every reader should ask before trusting any "lessons learned" article, including this one.

Neither NPCIL, Reliance Infrastructure, nor CERT-In has published a formal Root Cause Analysis (RCA) report for this incident, and realistically, they may never release one publicly. That is normal for critical infrastructure operators, and especially normal for nuclear facilities, where the same detail that helps a security team fix a control can just as easily help the next attacker.

So does that mean we can't learn anything useful from this incident? No, and here's why.

A root cause and an attack pattern are not the same thing. A formal RCA tells you exactly what happened, minute by minute, inside one specific organization: which log was missing, which patch was skipped, which credential was reused. An attack pattern tells you how an entire class of attack works, and that, we already know, because we have seen it before.

This breach carries every fingerprint of a pattern that security researchers have documented for over a decade: a well-defended asset owner (NPCIL) connected to a contractor (Reliance Infrastructure) connected to a hosting provider (Yotta), and the compromise entered through the weakest link in that chain, not the strongest. SolarWinds, NotPetya, and the recent Tata Electronics breach all followed the same shape: attackers rarely need to breach the well-guarded nuclear plant directly, when the contractor's contractor's server will do.

When a pattern repeats itself across unrelated victims, unrelated industries, and unrelated years, you don't need a case-specific RCA to know where your own exposure sits. You need to check whether your organization has the same shape of weakness. That is exactly the lesson this article is built to deliver.

And this is precisely where the SANS Five ICS Cybersecurity Critical Controls, as valuable as they are, go quiet. Those five controls were designed to defend the plant's own network perimeter: incident response, defensible architecture, visibility, secure remote access, and vulnerability management. None of them are built to directly answer the question this breach raises: what happens when the exposure isn't inside your perimeter at all, but inside a vendor's vendor's server, three hops removed from anything you control? Time to go beyond those minimum 5 controls.

If you've read my earlier article, "7 Critical Controls for OT/ICS Cybersecurity", If not, You can read it here:

https://icscyberpro.net/seven-ot-ics-critical-controls-for-world-class-cybersecurity/

If we analyze any attack carefully, we can almost always find a pattern. And if there is a pattern, it can be defended against, human error aside.

This, at its core, was a third-party supply chain compromise that resulted in the exposure of sensitive information related to KKNPP. Let's now unpack the two overlooked areas that made it possible.


1. Physical Security: The Control That Makes All Other Controls Work

Nothing is secure if physical security is compromised. None of the cybersecurity controls will hold up if someone can physically walk in and touch the equipment. Let me explain how this happens in practice.

BYOD doesn't work inside an OT network the way it does in IT. What's common instead is that the vendor owns the proprietary engineering software required to configure, calibrate, or program specific industrial assets, PLCs, RTUs, HMIs, or smart instrumentation.

These software suites, Siemens TIA Portal, Rockwell Studio 5000, Schneider EcoStruxure, and similar platforms, are notoriously expensive and heavily licensed. Vendors typically keep these licenses tied to their own corporate engineering laptops, and the software often requires very specific OS versions, legacy Java runtimes, or custom drivers to talk to physical serial ports or specialized network interface cards.

When a critical asset fails, or during a scheduled shutdown or turnaround, every minute counts, production is halted and time is money. Vendors often plug their laptops directly into the asset to modify ladder logic, push firmware updates, adjust setpoints, or pull raw diagnostic logs directly from a controller when central visibility isn't enough. During Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT), vendor laptops are used the same way, to validate systems before handover.

Now You May Be Wondering: What's the Actual Risk?

When that laptop bridges into your OT environment, it effectively bypasses your perimeter defenses and introduces real risk.

The vendor engineer may have travelled from another site, stayed in a hotel, and connected that same laptop to hotel Wi-Fi, an airport network, or their own corporate network just hours earlier. That laptop can unintentionally carry IT ransomware, or even OT-specific malware, straight into an environment where many systems still lack modern Endpoint Detection and Response (EDR) coverage.

Another common risk: vendors leave a Wi-Fi adapter or cellular hotspot active while simultaneously connected to the OT Ethernet network. This can accidentally create an unmonitored bridge between the internet and the plant's critical process control network, quietly bypassing every control you've put in place.

How to Mitigate This Risk

In a perfect world, vendors wouldn't need to bring physical machines at all. In the real world, many plants still lack the infrastructure to support secure alternatives. Ideally, the plant provides dedicated, hardened, on-site Engineering Workstations with all required vendor software pre-installed; if the plant can't provide one, the vendor brings their own. Similarly, if the plant lacks a secure, MFA-protected jump host or a properly designed Industrial DMZ (IDMZ) for remote engineering access, physical presence becomes the only practical option.

Since vendor work can't be eliminated entirely, strong compensating controls are what actually reduce the risk:

•    Isolated Vendor VLANs — If a vendor must connect to the network, place them in a highly restricted, temporary VLAN that only permits communication with the specific IP addresses of the assets they're servicing, not the entire plant network.

•    Dedicated On-Site Engineering Assets — Move toward a model where vendors use plant-owned, hardened engineering laptops that never leave the site, or provide access through a tightly monitored Virtual Desktop Infrastructure (VDI) hosted inside the IDMZ.

•    Verify Firmware — A plant automation engineer should over-the-shoulder monitor the entire session. If firmware is being pushed, insist that the binary hash (SHA-256) is verified against the official OEM release notes before it's loaded.

•    Physical Port Security — Disable unused switch ports, lock network cabinets, and physically secure engineering access points to prevent unauthorized connections.

Physical access control for people matters just as much, you have to control who gets in and out of the facility, and make sure nothing sneaks out either.

Without this, you risk a Stuxnet-style attack. Cyber defenses are useless if someone can tamper with equipment inside the facility.

In OT, physical security is non-negotiable, think locks, badges, device checks, and policies to stop insider or external breaches.


2. Supply Chain, Third-Party, and Fourth-Party Risk

No matter how secure your home is, it's very important to know who is getting into it. One vulnerable third party can become the entry point to your next breach.

The same principle applies to Operational Technology environments.

Today, organizations outsource a significant share of their critical operations to external vendors, system integrators, OEMs, managed security providers, cloud service providers, and maintenance contractors. Some of the most common categories are shown below:

Service Category

What Is Outsourced

Why?

OEM & System Integrator Support

Long-term service agreements (LTSAs) for major automation platforms (Siemens, Rockwell, Emerson, Honeywell, etc.).

Only the OEM has the proprietary software, licenses, and specific engineering skills to maintain complex logic.

Predictive Maintenance & Telemetry

Remote monitoring of vibration data, oil analysis, and thermodynamic performance of turbines, pumps, and heavy rotating equipment.

Leverages cloud-hosted analytics, machine learning, and AI models to predict a failure before it occurs.

Managed OT Security (MSSP / MDC)

24/7 monitoring of OT network traffic via an Industrial Security Operations Center (ISOC) utilizing tools like Dragos or Claroty.

Building an internal, round-the-clock OT cyber-monitoring team requires scarce, highly specialized talent.

Plant Turnaround & Commissioning

Project-based staffing during scheduled outages to execute massive upgrades, replace legacy equipment, and handle calibrations.

Plants cannot afford to maintain 200 extra engineers on payroll full-time when they only need them for three weeks a year.

Industrial Network & Telecom Management

Routine management of backbone routing, firewall policies, switching infrastructure, and plant-wide industrial wireless networks.

Traditional IT networking is frequently shifted to external MSPs who end up touching the Industrial DMZ (IDMZ) or Level 3 networks.

 These partnerships bring specialized expertise and operational efficiency, but they also introduce one of the largest attack surfaces in any critical infrastructure environment.

In OT, your security posture is no longer defined only by your own controls, it's also determined by the security of every third party that connects to your industrial environment. A compromised vendor can quickly become the entry point into your plant.

The Core Risks of OT Outsourcing

Unlike IT, where an outsourcing incident might mean data loss or application downtime, failures in OT can mean equipment damage, environmental impact, production outages, or even loss of life. Here are six of the most common risks:

1. Persistent Remote Access

Vendors often need remote connectivity for diagnostics and maintenance. The real risk is usually not the vendor itself but the compromise of the vendor's own corporate environment. If an attacker steals a vendor engineer's credentials, they may inherit that same trusted access into your industrial network. If remote sessions terminate directly into the Control Network instead of an Industrial DMZ, attackers can gain direct access to critical systems.

2. Compromised Engineering Workstations

Vendor engineers typically use portable engineering laptops. If these devices connect to the plant network while remaining connected to Wi-Fi, VPN, or cellular, they unintentionally bridge secure OT environments with external networks, bypassing the segmentation you built.

3. Software & Firmware Supply Chain Attacks

Every firmware upgrade, PLC logic change, or software update carries an element of trust. If a vendor's software repository or development environment is compromised, as demonstrated by SolarWinds or NotPetya, malicious code can be introduced directly into industrial control systems.

4. Cloud Telemetry & Intellectual Property Exposure

Predictive maintenance platforms collect enormous amounts of operational data: process values, production trends, equipment performance, and operational behavior. Even when configured as one-way traffic, if that data is compromised, attackers gain insight into proprietary manufacturing processes and critical production assets, more than enough for a reconnaissance phase.

5. Loss of Internal Knowledge

Excessive dependence on external vendors gradually erodes internal engineering expertise. When experienced contractors leave or are unavailable during an emergency, the organization becomes dependent on vendor availability, directly affecting recovery time and operational resilience.

6. Fourth-Party Risk

Many organizations carefully assess their direct vendors but overlook who those vendors rely on. Without proper governance, subcontractors can gain access to sensitive systems without ever being evaluated by the asset owner, an unmanaged, additional layer of supply chain risk.

How to Mitigate These Risks

The following checklist helps reduce both cyber and operational risk associated with third-party access to industrial environments.

1. Secure Remote Access (mitigates: Persistent Remote Access Risk)

✅ Route all vendor remote connections through an Industrial DMZ (IDMZ) using dedicated jump servers.

✅ Never allow direct VPN connectivity into Level 2 or Level 3 industrial networks.

✅ Implement Just-In-Time (JIT) remote access with automatic expiration.

✅ Require Multi-Factor Authentication (MFA) for every remote session.

✅ Record and monitor all privileged vendor activity using a Privileged Access Management (PAM) solution.

2. Secure Vendor Engineering Devices (mitigates: Compromised Engineering Workstations)

✅ Require vendor laptops to be managed through corporate MDM or equivalent endpoint management.

✅ Prevent simultaneous Ethernet, Wi-Fi, VPN, Bluetooth, or cellular connectivity (dual-homing).

✅ Scan all laptops and removable media through a dedicated "Sheep Dip" station before connecting to plant assets.

✅ Protect switch ports using 802.1X, Sticky MAC, or equivalent network access controls.

3. Protect Industrial Data (mitigates: Cloud Telemetry & Data Exposure)

✅ Share only the minimum operational data required.

✅ Remove or anonymize sensitive production information whenever possible.

✅ Encrypt all telemetry using TLS 1.3 with Mutual TLS (mTLS).

✅ Verify that vendors maintain recognized certifications such as ISO 27001 or SOC 2 Type II, with evidence.

4. Preserve Internal Capability (mitigates: Vendor Dependency)

✅ Require complete engineering documentation before project closure.

✅ Include formal knowledge transfer and hands-on training for plant personnel.

✅ Define clear Recovery Time Objectives (RTOs) and response SLAs within vendor contracts.

5. Control Fourth-Party Risk (mitigates: Unauthorized Subcontracting)

✅ Require written approval before any subcontractor is engaged.

✅ Ensure all subcontractors meet the same cybersecurity, compliance, and personnel screening requirements as the primary vendor.

✅ Maintain an approved list of authorized subcontractors.

A note on trust: in security, there is unfortunately no place for "trust." Technical controls are only effective when they are continuously verified.

Identity & Access Management

•    Issue accounts only to named vendor personnel.

•    Prohibit shared or generic vendor accounts.

•    Apply least-privilege access and Just-In-Time provisioning.

Right to Audit

•    Include contractual rights to audit vendor personnel, remote access logs, engineering changes, and system activity.

•    Periodically verify that only approved personnel are accessing critical infrastructure.

•    Review vendor compliance against contractual cybersecurity requirements.

Third-party vendors are an essential part of modern industrial operations, but every connection they establish extends your attack surface. Effective Third-Party Risk Management isn't about eliminating vendors, it's about making sure every connection, every engineer, every device, and every software update is secure, verified, monitored, and controlled before it reaches your critical infrastructure.


References & Sources

This article was developed through an extensive review of academic journals, peer-reviewed research papers, technical reports, industry publications, and professional guidance covering operational technology (OT), industrial control systems (ICS), smart grids, and critical infrastructure protection.

Key reference material includes:

1.     https://www.reuters.com/world/india/files-relating-indias-largest-nuclear-power-plant-kudankulam-exposed-data-breach-2026-07-15/

2.     https://www.channelnewsasia.com/business/exclusive-files-relating-indias-largest-nuclear-power-plant-kudankulam-exposed-in-data-breach-6255651

3.     https://www.govinfosecurity.com/breach-exposes-files-linked-to-indias-largest-nuclear-plant-a-32256

4.     https://moderndiplomacy.eu/2026/07/15/files-linked-to-indias-largest-nuclear-plant-exposed-in-data-breach/

5.     https://www.thehindu.com/news/national/kudankulam-nuclear-plant-data-breach-triggers-absolute-commotion-among-projects-top-brass-sources/article71226328.ece

6.     https://www.ndtv.com/india-news/kudankulam-nuclear-power-plant-data-breach-npcil-reaction-11775903

7.     https://www.reuters.com/business/media-telecom/apple-iphone-18-pro-supplier-list-parts-photos-exposed-tata-data-leak-2026-06-29/

8.     https://www.thehindu.com/sci-tech/technology/india-investigating-tata-data-leak-that-exposed-apple-iphone-secrets/article71181699.ece

9.     https://www.reuters.com/business/media-telecom/indias-tata-electronics-hit-by-cyber-breach-claiming-expose-apple-tesla-trade-2026-06-22/

10.  https://techcrunch.com/2026/06/22/tata-electronics-a-major-tech-supplier-to-apple-and-tesla-confirms-data-breach/


Disclaimer

This article is intended solely for educational and awareness purposes. It consolidates information from multiple publicly available academic and technical sources together with the author's professional experience in industrial cybersecurity and critical infrastructure protection. While every effort has been made to ensure technical accuracy, some concepts have been simplified to improve readability for a broader audience. Readers should consult OT cybersecurity professionals, vendor documentation, and authoritative guidance before making engineering, operational, or security decisions.


AI Assistance Disclosure

To improve readability, grammar, sentence structure, and overall clarity, AI writing tools were used as an editorial assistant. The technical concepts, interpretation, structure, and final technical review were performed by the author. AI was not used as a primary source of technical information or research.


About Author:

 Abu Saleh Md. Zakaria
B.S. Computer Science, University of Pune, India
Security Researcher — Protecting Critical Infrastructure (Smart Grids, Water, Aviation, Telecom, Banking)
SANS GIAC x4 · CCIE (Security) · PCNSE · SABSA · ISO 27001 LA/LI · ASIS PSP
Google Scholar: 300+ Citations

LinkedIn: linkedin.com/in/asmz

If you found this article useful, give it a thumbs up, it motivates us to write more. If you have questions or want to share your thoughts, we'd love to hear from you.
Feel free to email at sec[dot]asmz[at]gmail[dot]com.