With utilities digitising their critical infrastructure through advanced technology applications, they are adding multiple internet protocol gateways and other data delivery elements to their networks, making them more susceptible to cyberattacks. Designing and framing cybersecurity measures have thus become vital.
Although the need for cybersecurity is well established, there are many challenges associated with it. These include obsolescence of existing technology, limited coordination between information technology and operational technology verticals as well as the fast and constantly evolving nature of security risks. Moreover, there is limited awareness about cybersecurity practices. Cybersecurity tends to be neglected during the fundamental design phase. Given that mobile and wireless technologies are ubiquitous with heterogeneous systems and multiple interfaces, it is quite challenging to keep up with the ever-evolving standards, technologies, services, applications and the increasing complexity of systems.
Other challenges include the use of public networks to lower costs, which increases the vulnerability of grids to cyberattacks. Such attacks may be classified into three categories: attacks by component, by protocol and by topology. An attack by component is when field components like remote terminal units are attacked through remote access. An attack by protocol can entail using communication protocols available in the public domain to reverse engineer the data acquisition protocols and exploit them. Meanwhile, an attack by topology is when a network topology vulnerability is exploited, such as in a denial-of-service attack.
Although cyberthreats are associated with all aspects of the smart grid domain including smart grid devices, the chief concern pertains to communication technologies that are at the heart of the smart grid. Communication systems that are integral to implementing various smart grid applications include supervisory control and data acquisition (SCADA); teleprotection; geographic information system (GIS); outage management systems (OMS); commercial and billing applications; and enterprise applications like SAP’s customer relationship management (SAP CRM), bank communications management (SAP BCM), enterprise resource planning (SAP ERP) and email. Applications such as advanced metering infrastructure (AMI), automated demand response (ADR) and advanced distributed management system (ADMS), which are the core components of smart grids, require information to be communicated on a real-time basis. Any failure in ensuring an effective communication system will have a severe impact on reliability and services; thus, cybersecurity is crucial for the survival of smart grids.
Globally, many security compliance standards and technologies have been developed to address cybersecurity issues. The International Electrotechnical Commission has prescribed standards for electrical, electronic and related technologies. In addition, critical information protection standards (CIPS) have been prescribed by the North American Electric Reliability Corporation (NERC). CIP standards were submitted by NERC in August 2006, which replaced NERC’s voluntary industry UA 1,200 guidelines. As per CIP standards, it is mandatory to document and review all procedures/policies every year.
The US-based National Institute of Standards and Technology (NIST) has also established guidelines for smart grid cybersecurity. NIST’s cybersecurity working group addresses issues pertaining to smart grid reliability, physical security of all its components, impact of coordinated cyberphysical attacks and privacy of customers. Meanwhile, the International Council on Large Electric Systems’ working group has defined security standards for the next generation of energy management systems and related real-time grid and market systems. In view of the need for cybersecurity measures, the Indian Smart Grid Forum has also formed a working group, which specifically focuses on security issues. Further, a working group under the Bureau of Indian Standards has been formed to develop security standards for India. In addition, in line with the National Cyber Security Policy, 2013, the Ministry of Power has created sectoral computer emergency response teams (CERTs) to mitigate cybersecurity threats in power systems. The four sectoral CERTs are CERT (transmission), CERT (thermal), CERT (hydro) and CERT (distribution).
Apart from adopting strong cybersecurity measures, effective network segmentation can reduce the extent to which an adversary may access the network by restricting communication between networks. Similar results can also be achieved by following strict role-based access control, which grants or denies users access to resources based on their job functions. This can be done through Active Directory, which implements role-based user access control through group policies, or through application whitelisting, which permits the execution of only explicitly allowed (or whitelisted) software while blocking the execution of everything else. These measures eliminate the execution of unknown executables, including malware. In order to operationalise information security, regular review meetings should be conducted to identify new risks, mitigate them and discuss incidents or lapses that have occurred.
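The network segmentation described above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records against a default-deny list of permitted zone-to-zone conduits. The zone names, subnets, permitted conduits and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed zones for illustration; the subnets are assumptions, not from the article.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),   # ERP, CRM, email
    "ami_headend": ipaddress.ip_network("10.20.0.0/24"),  # metering head-end
    "scada": ipaddress.ip_network("10.30.0.0/24"),        # control centre
    "field": ipaddress.ip_network("10.40.0.0/16"),        # remote terminal units
}

# Default deny: only these (source zone, destination zone, TCP port) conduits are permitted.
ALLOWED_CONDUITS = {
    ("scada", "field", 20000),           # SCADA master polling RTUs (DNP3 over TCP)
    ("ami_headend", "enterprise", 443),  # meter data sent to billing over HTTPS
}

def zone_of(addr):
    """Map an IP address to its zone; anything unmapped is treated as external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit_flows(flows):
    """Return the flows that cross a zone boundary without a permitted conduit."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "external":
            continue  # intra-zone traffic is outside the segmentation policy
        if (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
            violations.append((src, src_zone, dst, dst_zone, port))
    return violations

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.30.0.5", "10.40.1.17", 20000),   # permitted: SCADA to field
    ("10.20.0.8", "10.10.4.2", 443),      # permitted: AMI head-end to enterprise
    ("10.10.7.33", "10.40.1.17", 20000),  # enterprise host reaching an RTU directly
    ("10.10.7.33", "10.30.0.5", 3389),    # enterprise host reaching the control centre
    ("203.0.113.9", "10.40.1.17", 502),   # unmapped source reaching the field zone
    ("10.30.0.5", "10.30.0.9", 445),      # intra-zone, not evaluated
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION %s (%s) -> %s (%s) tcp/%d" % violation)
```

Each reported violation is either a firewall rule that is broader than the documented conduits or a conduit missing from the policy, which makes the output a suitable input to the regular review meetings.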