According to industry data, in 2017, there was an overall increase of 13 per cent in reported system vulnerabilities across software and hardware systems in India. For industrial control systems, there was a 29 per cent increase in vulnerabilities during the year. Today, public and private sector players are generating power through not only thermal or hydro sources but also renewable sources, including plants distributed across various geographies. Assets have become interconnected and systems such as remote monitoring are being used by utilities to manage and operate their plants. With these developments, cybersecurity has become a major focus area.
Over the years, several communication and technology protocols and standards have been set up. On May 22, 2018, the National Critical Information Infrastructure Protection Centre notified rules for information security practices and procedures for protected systems. However, very few protected systems have been identified and, among the few, none is from the energy sector. The protocol specific to the power sector is ISAC-Power (Information Sharing and Analysis Centre for Power Sector), which acts as the common platform across the four sectoral Computer Emergency Response Teams (CERTs) under the Ministry of Power – CERT (transmission), CERT (thermal), CERT (hydro) and CERT (distribution). CERT is responsible for the collection, analysis and dissemination of information on cyberattack incidents, forecasts and alerts on cybersecurity breaches, emergency measures for handling such incidents and coordination of response activities. Under the protocol, the central government has directed all utilities to identify a nodal senior executive as their chief information security officer to lead the process of strengthening organisational systems with regard to cybersecurity and to implement an information security management system. As per Rule 12(1)(a) of the IT Rules, 2013, it is mandatory to report specific cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In). Meanwhile, NITI Aayog recently issued a draft discussion paper on artificial intelligence (AI) and the Ministry of Electronics and Information Technology set up a committee on the same subject.
Issues and concerns
The entire digitalised system is vulnerable to cyberattacks because, in an interconnected system, the potential areas of attack increase and there are multiple points of entry. Cyberattacks could lead to hours, a day, or a week of disruption. Stage I intrusions are those designed to gain information. Stage II attacks could result in a temporary loss of power, physical damage to equipment, or other types of scenarios. If an assailant wants to progress to a Stage II attack, it has to steal information specific to the industrial environment during the Stage I intrusion. Information collection, the use of tools such as big data analytics and AI, the legality of ethical hacking, social profiling, social media targeting, insider threat and shadow IT are some of the major areas of focus. Social profiling of personnel is very important in identifying leaks and vulnerabilities.
There are five core functions in managing cybersecurity: identify, protect, detect, respond, and recover. The identify function assists in developing an organisational understanding of cybersecurity risks to systems, people, assets, data and capabilities. The protect function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The detect function defines appropriate activities to identify the occurrence of a cybersecurity event. The respond function includes activities to prevent a cybersecurity incident. Lastly, the recover function identifies appropriate activities to maintain plans for resilience and restore any capabilities or services impaired due to the cybersecurity incident. To ascertain the specific set of security requirements in plant operations, the differences between traditional information technology on the one hand and power and automation technology on the other need to be identified. The digital platform is transforming every aspect of the industry, and as a result cybersecurity is gaining even more importance. It is important to ensure that implementing cybersecurity solutions is a continuous process. Cybersecurity needs to be about not just compliance but also improvement of reliability and availability. Moreover, each power plant faces uniquely different challenges related to the security of its cyber assets. A comprehensive strategy that plugs the security gaps for the plant is, therefore, crucial for secure and uninterrupted operations.