With growing digitalisation and the emergence of smart grid technology in the power sector, the risk of cybersecurity breaches in transmission and distribution (T&D) networks has increased manifold. Enhanced automation in the T&D segment through phasor measurement units and wide area monitoring systems, supervisory control and data acquisition (SCADA), asset management, other systems and the integration of various information technology and operational technology (IT-OT) systems have made the power system more susceptible to cyberattacks. Any attack on the network could give access to the system and to critical data from a remote area, thus posing a threat to the security of the national grid.
Policy and regulatory provisions
Cybersecurity in the country is covered under different acts and statutes, one of the first being the Information Technology Act, 2000 (IT Act). This act, amended in 2008, is the primary law in India dealing with cybercrimes and e-commerce. In January 2014, the National Critical Information Infrastructure Protection Centre (NCIIPC) was created by the central government under section 70A of the IT Act. The NCIIPC has released guidelines for the protection of critical infrastructure and the framework for the evaluation of cybersecurity.
The IT Act recognises the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity in the country. In order to ensure cybersecurity in power systems, four sectoral CERTs – CERT (Transmission), CERT (Thermal), CERT (Hydro) and CERT (Distribution) have been formed. CERT-In is responsible for the collection, analysis and dissemination of the information on cyberattack incidents, forecasts and alerts on cybersecurity breach, emergency measures for handling such incidents and coordination of the response activities.
It is also responsible for issuing guidelines, advisories, vulnerability notes and white papers related to the information security practices, procedures, prevention, response and reporting of the cyberattack incidents. In order to maintain cybersecurity, the central government has directed all utilities to identify a nodal senior executive as its chief information security officer to lead the process of strengthening organisational systems for cybersecurity and implement an information security management system. As per Rule 12(1)(a) of IT Rules 2013, it is mandatory to report specific cybersecurity incidents to CERT-In.
In addition, under the IT Act, the central government recommends all organisations to implement ISO: 27001 as the recommended information security management system for legal compliance. The Indian Standard – IS-16335:2015 also specifies the requirement for identification and protection of critical assets for all entities involved in the generation, transmission, distribution and trading of electric power.
Other important provisions regarding cybersecurity are present in the Central Electricity Regulatory Commission’s (CERC) regulations on grid code and communication systems. The Indian Electricity Grid Code’s Clause 4.6.5 states that all utilities shall have cybersecurity framework to identify the critical cyber assets and protect them so as to support reliable operation of the grid.
Further, as per the CERC’s Communication System for Interstate Transmission of Electricity Regulations, 2016, the CEA is required to formulate and notify technical standards, cybersecurity requirements, protocol for the communication system for power sector within the country, including grid integration with that of the neighbouring countries. As per the regulations, the communication infrastructure should be planned, designed and executed to address the network security needs as per standards specified by the CEA. In addition, the Indian Smart Grid Forum has also prepared a framework for laying down procedures for securing the smart grid from cyberattacks.
Areas vulnerable to cyberattacks
There are a number of avenues for cyberattacks in the T&D network. One of these is the hardware layer. The layer is embedded with components such as programmable logic controllers and remote terminal units that operate the software required for communication and control. Another avenue is the firmware layer that is in between the hardware and the software, including data and instructions to control the hardware. The software layer comprises the power control systems that include a variety of software platforms and applications. The vulnerabilities in this layer range from simple coding errors to poor implementation of access control mechanisms. In addition, vulnerabilities can be introduced into the power control system network in different ways such as firewalls, modems, fieldbus network, communications systems and routers, remote access points, and protocols and control network. Further, as all the layers and components of the grid interact with each other for power system operations, a threat to any part of the grid can affect the operations of the whole system.
The key vulnerable areas in the power generation segment include large projects such as the ultra mega power projects and renewable energy parks, while protection systems and communication backbone are particularly vulnerable in the transmission system. SCADA and smart meters comprise the vulnerable areas in systems’ operations and distribution segments respectively.
Strategies for mitigating cyberthreats
In order to minimise the chances and impact of a cyberattack on the distribution network, utilities are adopting a number of safety measures and risk mitigating strategies. One of the most common measures to mitigate cyber threats is application whitelisting through which the malware uploaded by adversaries is detected. Apart from this, configuration and patch management also lower the risk of cyberattacks, as unpatched systems are more prone to attacks. Reducing the attack surface area is also effective in managing the network. Network segmentation, isolation of the internet connection sharing network from an untrusted network and turning off unused ports/ services are some effective strategies to lower the risks of cyberattacks.
Another key focus area for lowering cyberthreat is managing authentication. The implementation of multi-factor authentication, separate authentication for separate zones and providing privileged access are essential. In order to minimise the impact of cyberattacks, it is essential to undertake active monitoring, quick detection and fast response, and the execution of defence. Apart from this, the physical security of the system and network is essential. Vulnerable areas like control centres should be notified as restricted, only allowing authorised people to enter. The control room and computer room doors should be equipped with access security systems for protection against intrusion, and surveillance should be undertaken for integrity checks.
Further, in order to prevent cyberattacks, it is essential to undertake vulnerability assessment to categorise the devices in terms of high risk and general vulnerabilities. The vulnerability assessment needs to include attacks from insiders, attacks on computers that control and monitor devices, attacks on the SCADA network, and programming of malware into the control system devices. In addition, asset mapping of all critical infrastructure equipment and periodic monitoring of the equipment for cybersecurity compliance is essential. Besides, preparing a framework for the testing of equipment and auditing is crucial.
Apart from this, it is important to ensure that network equipment does not pose a threat to cybersecurity. One of the key requirements for this is that bidding documents for the procurement of equipment are framed to encourage only those firms manufacturing equipment in India to participate in the bidding. Besides, equipment suppliers should provide a certification stating that the equipment is safe to connect. The equipment must be tested for 100 per cent reliability against any vulnerability from malware and cyberattacks. Recently, the domestic electrical industry raised concerns about the contracts awarded to Chinese firms for the installation of SCADA for power distribution. The manufacturers expressed their concern that this would provide control to foreign companies over the sector.
One of the key challenges facing cybersecurity implementation is managing the evolving nature of cyberattacks. No single security measure itself is foolproof as vulnerabilities and weaknesses could be identified at any time. In order to reduce these risks, implementing multiple protections in series avoids a single point of failure. The cybersecurity solution should be able to minimise the attack surface, detect possible attacks and respond in an appropriate manner to minimise the impact. The technology on its own is insufficient to provide robust protection to utilities. Cybersecurity policies and processes must be implemented by the utilities to be able to assess and mitigate the risks and respond to incidents in the best possible way.
To sum up, implementing solutions around cyber security has to be a continuous process. It is not only important to protect a system from the current vulnerabilities, but is also equally important to have mechanisms (technical and process) in place, to quickly detect and effectively react to any incidents and isolate security breaches.
Based on presentations by Vijay Menghani, Chief Engineer (IT and Legal), CEA; and Vijayan S.R., Technology Manager, Smart Grids and Cybersecurity, ABB