The Information Technology (IT) Act, 2008 defines cybersecurity as the protection of information, equipment, devices, computers, computer resources, communication devices and information stored therein from unauthorised access. Over the years, the risk of cyberattacks across various segments of the power sector has increased. This is due to the increasing complexity of the system; new customer touchpoints in utilities; the introduction of smart grid infrastructure such as advanced metering and demand-side management; and the increase in interconnections and integration, among others.
Impact of cyberattacks on the power sector
A cyberattack on a generation plant can lead to a shutdown of the whole plant and a power outage. However, a cyberattack at one plant may not necessarily lead to disruption at multiple plants. An attack on the supervisory control and data acquisition (SCADA) system or the energy management system of the power transmission network can jeopardise the control system of the grid and compromise the reliability of the power system. For instance, cyberattacks on substation automation systems can damage the equipment at substations and threaten the operating personnel’s safety.
On the distribution front, IT penetration in control and operation is relatively low. However, operations of the distribution system are increasingly being centralised and any cyber incident at the central location can cause power supply failure.
Computer Emergency Response Team-India
The IT Act, 2000 and the Amendment Act, 2008 appointed the Computer Emergency Response Team-India (CERT-In) as the national nodal agency for cybersecurity in the country. One of the functions of CERT-In is to develop and implement a sectoral crisis management plan (CMP) in line with the national CMP. One of the basic threats listed under CERT-In is large-scale defacement and semantic attacks on websites, wherein a defacer breaks into a web server and alters the content of the hosted website.
Another major threat is large-scale spam attacks and spoofing. Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. Meanwhile, spoofing is an attack aimed at identity theft, in which one person or program successfully masquerades as another by falsifying data. The other modes of attack include denial-of-service attacks and distributed denial-of-service attacks, domain name server attacks, application-level attacks, infrastructure attacks, router-level attacks, high energy radio frequency attacks and cyber espionage.
Some of the relevant international standards for the power sector are IEC 62351 Parts 1 to 7 at the product and application levels; NERC CIP 002 through 009 at the organisation and regulatory levels; and NIST Guide to Industrial Control Systems Security 800-82.
Meanwhile, on the national front, the Department of Information Technology, Ministry of Communication and Information Technology, has prepared a CMP for countering cyberattacks and cyber terrorism, and preventing large-scale disruption in the functioning of critical information systems of public and private sector resources and services.
Measures for prevention of cyberattacks
Ensuring physical security is one of the primary ways to prevent cyberattacks. Vulnerable areas like control centres should be notified as restricted, with entry allowed only to authorised persons. The control room and computer room doors should be equipped with access security systems for protection against intrusion, and surveillance should be undertaken for integrity checks.
Further, there is a need for formal identification and notification of critical cyber assets for major power station control rooms, load despatch centres, substations (above 400 kV), HVDC stations (above 500 MW) and generating plants. Risk assessment and vulnerability studies need to be undertaken in each area of responsibility. Another critical aspect is the deployment of secure products at various centres. These include network security products like firewalls, IDS/IPS, VPN, IPsec and central logging servers, deployed in line with the CERT-In guidelines. Besides, to protect the IT framework and information security, utilities must develop a CMP and undertake periodic mock drills initiated by CERT-In.
To conclude, there is a need for the harmonisation of various standards and guidelines on cybersecurity of power systems in India. The formulation and enactment of the Cyber Security Policy for the Indian power sector must be in sync with CERT-In Response Teams for transmission, thermal and hydro. Further, power utilities must stay connected with the nodal agency to get the necessary assistance for cybersecurity.