The Information Technology [IT] Act, 2008 defines cybersecurity as the protection of information, equipment, devices, computers, computer resources, communication devices and information stored therein from unauthorised access. Over the years, the risk of cyberattacks across various segments of the power sector has increased. This is due to the increasing complexity of the system; new customer touchpoints in utilities; the introduction of smart grid infrastructure such as advanced metering and demand-side management; and the increase in interconnections and integration, among others.
Impact of cyberattacks on the power sector
A cyberattack on a generation plant can lead to a shutdown of the whole plant and a power outage. However, cyberattacks at a plant may not necessarily lead to disruption at multiple plants. Through grid operations and planning, disruption at other plants can be avoided.
On the other hand, the power transmission network, which is spread across the country, entails the deployment of supervisory control and data acquisition (SCADA) systems, as a result of which there is a need for its efficient monitoring and control. This is because any attack on the SCADA system or the energy management system will jeopardise the control system of the grid and compromise the reliability of the power system. For instance, cyberattacks on substation automation systems can damage the equipment at substations and threaten the operating personnel’s safety. While the impact of such an incident would be localised, it might be severe depending on the criticality of the node.
On the distribution front, IT penetration in control and operation is relatively low. It is concentrated in management information systems, metering and billing. Therefore, cyber incidents in the distribution segment may not affect grid operations. However, operations of the distribution system are increasingly being centralised and any cyber incident at the central location can cause power supply failure.
Computer Emergency Response Team-India (CERT-In)
The IT Act, 2000 and the Amendment Act, 2008 appointed the Computer Emergency Response Team-India (CERT-In) as the national nodal agency for cybersecurity in the country. CERT-In is responsible for the collection, analysis and dissemination of information on cyber incidents; forecasts and alerts of cybersecurity incidents; emergency measures for handling cybersecurity incidents; and coordination of cyber incident response activities. It is also responsible for issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents.
One of the functions of CERT-In is to develop and implement a sectoral crisis management plan (CMP) in line with the national CMP. One of the basic threats listed under CERT-In is large-scale defacement and semantic attacks on websites wherein a defacer breaks into a web server and alters the content of the hosted website. Attackers change the content of a web page subtly, so that the alteration is not immediately apparent. As a result, false information is disseminated.
Another major threat is large-scale spam attacks and spoofing. Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. Spam mail may also contain viruses, worms and other types of malicious software that are used to infect IT systems. Meanwhile, spoofing is an attack aimed at identity thefts, in which one person or program successfully masquerades as another by falsifying data. Further, phishing is an attack aimed at stealing confidential data or sensitive information such as usernames, passwords and credit card details that can lead to online frauds. Meanwhile, vishing is a combination of “voice” and “phishing”. It is the practice of using social engineering over telephone systems, most often using features facilitated by voice over internet protocol, to gain access to personal and financial information from the public for the purpose of a financial reward. The other modes of attacks include denial-of-service attacks and distributed denial-of-service attacks, domain name server attacks, application-level attacks, infrastructure attacks, router-level attacks, high energy radio frequency attacks and cyber espionage.
Standards and guidelines can be used to identify problems and reduce the vulnerabilities of an information and communication technology system deployed in the power sector to reduce cybersecurity concerns. Some of the relevant international standards for the power sector are IEC 62351 Parts 1 to 7 at the product and application levels; NERC CIP 002 through 009 at the organisation and regulatory levels; and NIST Guide to Industrial Control Systems Security 800-82.
Meanwhile, on the national front, the Department of Information Technology, Ministry of Communication and Information Technology, has prepared a CMP for countering cyberattacks and cyber terrorism, and preventing large-scale disruption in the functioning of critical information systems of public and private sector resources and services. Further, in December 2010, the Ministry of Power constituted CERT-Thermal with NTPC Limited as its nodal agency, CERT-Hydro with NHPC Limited and CERT-Transmission with Power Grid Corporation of India Limited (Powergrid) to take the necessary actions for the prevention of cyberattacks on utilities under their jurisdiction. These nodal agencies were directed to prepare CMPs for their respective segments.
Cybersecurity aspect of grid failure
The Central Electricity Authority (CEA) constituted five subcommittees to enquire into grid disturbances in the northern region on July 30, 2012 and in northern, eastern and north-eastern regions on July 31, 2012. One of the subcommittees was constituted to look into the cybersecurity aspect of grid disturbances. The subcommittee focused on examining the role of IT intervention in power sector operations; measures taken by various stakeholders to counter any possible cyberattack in their system; and communication facilities available to various stakeholders.
Based on inputs provided by stakeholders, the committee concluded that no abnormal cyber event was observed prior to and during grid disturbances on both occasions. Further, it noted that adequate steps have already been taken by various organisations including Powergrid, NTPC, NHPC and POSOCO to prevent cyber-attacks. It also gathered that regular cyber vulnerability tests as per the CMP of CERT-In were already being conducted.
However, considering the latest developments in SCADA and system automation, CERT-Thermal, CERT-Hydro and CERT-Transmission need to expedite the preparation of sectoral CMPs in line with the CMP prepared by CERT-In. Further, there is a need to maintain an efficient communication network with uninterrupted power supply and proper battery backup so that in case of a total power failure, the supervisory commands and control channels do not fail.
Measures for prevention of cyberattacks
Ensuring physical security is one of the primary ways to prevent cyberattacks. Vulnerable areas like control centres should be notified as restricted, only allowing authorised persons to enter. The control room and computer room doors should be equipped with access security systems for protection against intrusion and surveillance should be undertaken for integrity checks.
Further, there is a need for formal identification and notification of critical cyber assets for major power station control rooms, load despatch centres, substations (above 400 kV), HVDC stations (above 500 MW) and generating plants. Risk assessment and vulnerability studies need to be undertaken in each area of responsibility. Another critical aspect is the deployment of secure products at various centres. These include the deployment of various network security products like firewalls, IDS/IPS, VPN, IPSec and central logging servers in line with the CERT-In guidelines. Besides, to protect the IT framework and information security, utilities must develop a CMP and undertake periodic mock drills initiated by CERT-In.
To conclude, there is a need for the harmonisation of various standards and guidelines on cybersecurity of power systems in India. The formulation and enactment of the Cyber Security Policy for the Indian power sector must be in sync with Computer Emergency Response Teams for transmission, thermal and hydro. Further, power utilities must stay connected with the nodal agencies to get the necessary assistance for cybersecurity.
Based on a presentation by Hemant Pandey, Director, CEA, at a recent Power Line conference