With increased adoption of smart technologies in the country’s power sector, the need for cybersecurity has become paramount. To this end, the central government has been undertaking a number of initiatives to address the growing cybersecurity concerns, especially with regard to critical infrastructure.
Power Line takes a look at some of these initiatives…
For the power sector specifically, one of the early steps towards cybersecurity has been the setting up of sectoral computer emergency response teams (CERTs) by the Ministry of Power (MoP) in line with National Cyber Security Policy 2013. The setting up of the Indian Computer Emergency Response Team (CERT-In) following the Information Technology Act, 2000 was one of the initial steps towards addressing the cybersecurity concerns. The organisation deals with all aspects of cybersecurity, ranging from standards and guidance to compliance monitoring and incident response.
Separate CERTs have been set up for thermal, hydro, transmission and distribution segments to coordinate with power utilities. While NTPC Limited is the nodal agency for CERT-Thermal, NHPC Limited is for CERT-Hydro, Power Grid Corporation of India Limited for CERT-Transmission and Central Electricity Authority (CEA)(Distribution planning and development division) is for CERT-Distribution. The nodal agencies are responsible for the crisis management plans of their respective segments.
Recently, the government has set up a central level coordination agency for these sectoral CERTs, called the Information Sharing and Analysis Center. The agency will be responsible for sharing and analysing various cybersecurity incidents in the power sector and providing a common platform for the four sectoral CERTs. Further, the Government of India through the National Critical Information Infrastructure Protection Centre (NCIIPC) has been taking steps to create awareness among power utilities and other key stakeholders regarding the threats from cyberattacks and suggest precautions. NCIIPC has also been tasked with identifying important and vulnerable critical information infrastructure.
In addition, two groups have been set up by the Bureau of Indian Standards (BIS) with the objective of enhancing the standards for cybersecurity for power utilities. The first BIS group is working on the second part of Indian Standard 16335, which pertains to the security requirements of power systems. It will consider the cybersecurity manual issued by the India Smart Grid Forum (ISGF) as its reference document. Part one of the Indian Standard 16335 was published in 2015, and specifies the requirements for identification and protection of all critical assets involved in generation, transmission, distribution and trading. The second group at BIS is currently studying IEC-62443, a series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems, issued by the International Electrotechnical Commission. The BIS group is exploring the adoption of IEC-62443 as an Indian standard. The regulations are expected to be issued by August 2018.
Taking cognisance of the need for cybersecurity measures, the ISGF has also formed a working group to focus on the security issues. In 2016, ISGF in association with NCIIPC had prepared an Indian manual on cybersecurity for power systems.
There has been a significant rise in cyberattacks in the recent years that can take power out of the grid. The cyberattacks on the Ukraine grid in 2015 and 2016, which penetrated the electricity distribution control centre, causing power outages and sabotaging distribution equipment, have brought the gravity of the situation to the forefront.
In a recent report, CEA has pointed out that there is a lack of security in the smart grid systems and that a mechanism for information sharing on cybersecurity incidents need to be developed. Further, given the vulnerabilities in the operations of the power system devices, developing a multiple-threat intrusion detection system is extremely important. Therefore, relevant stakeholders of smart grid have been advised to identify critical infrastructure and use end-to-end encryption for data security by the MoP.
Given that utilities are digitising their critical infrastructure with advanced technology applications and adding more internet protocol gateways, and other data delivery elements to their networks, data is becoming more susceptible to cyberattacks. Therefore, having proper cybersecurity measures in place is crucial for them. The government has taken cognisance of these issues and its efforts are expected to pave the way for a more secure and modern power grid.