NPCIL: No sensitive data breach at Kudankulam Nuclear Power Project
Synopsis
Key Takeaways
The Nuclear Power Corporation of India Limited (NPCIL) on 16 July firmly denied any breach of sensitive data at the Kudankulam Nuclear Power Project (KKNPP) in Tamil Nadu, stating that information reportedly circulating in the public domain relates solely to conventional infrastructure and has no bearing on nuclear safety or nuclear security systems. The clarification follows reports of a cyber incident involving systems linked to a project contractor.
What NPCIL Said
Prateek Agarwal, Executive Director (Corporate Communications) at NPCIL, issued a formal statement clarifying the nature of the exposed data. According to the statement, the engineering, procurement, and construction contract for the project's common service facilities — referred to as the Balance of Plant (BoP) package — was awarded to Reliance Infrastructure Limited through a public tender process.
NPCIL stated that the scope of this contract covers conventional service facilities of the kind typically found in thermal power plants and other process industries. The corporation was categorical: these systems are not related to nuclear safety or nuclear security.
How the Contractor Drawings Were Created
As part of the public tendering process, NPCIL had shared indicative drawings and technical specifications with bidders. Based on these inputs, Reliance Infrastructure prepared detailed engineering drawings in consultation with original equipment manufacturers. NPCIL reviewed and accepted these designs only after verifying that they met all prescribed technical specifications.
Reliance Infrastructure had secured the BoP contract in 2018 for infrastructure works related to Kudankulam Units 3 and 4, which are currently under construction.
Cyber Incident Under Investigation
Reports had emerged that engineering project files linked to KKNPP were accessed following a cyber incident involving infrastructure associated with the contractor. NPCIL reiterated that the documents in question pertain only to conventional Balance of Plant facilities and do not concern reactor operations, nuclear safety systems, or any sensitive security infrastructure.
Investigations into the reported cyber incident are being jointly carried out by NPCIL and the Indian Computer Emergency Response Team (CERT-In). No timeline for the completion of the probe has been indicated.
About Kudankulam Nuclear Power Project
Kudankulam currently operates two 1,000 MW Russian-designed VVER reactors. Four additional units are under construction. Once all units are commissioned, the project is expected to become India's largest nuclear power park, with a total installed capacity of 6,000 MW. This is not the first time KKNPP has faced scrutiny over cyber security — in 2019, a separate malware incident at the plant drew national attention before authorities clarified that critical systems had not been compromised.