Over the years, we have witnessed the growing interconnectedness of operational technology (OT) and information technology (IT), the emergence of bidirectional power supply, the deployment of smart meters, and the growing use of microgrid and energy storage solutions. The aim of such smart solutions is to improve the reliability and efficiency of the electrical grid, lower the costs of distribution and generation, and allow for real-time monitoring of the grid. There has been a greater push for the adoption of such smart solutions post-Covid. However, with the increased adoption of these technologies in the country’s power sector, the need for cybersecurity has become paramount.
A cyber-attacker may have the objective of gaining access to information; inflicting a loss, either physical or economic; degrading the performance of a system or a service; causing intentional delay; obtaining unethical gains; or propagating terrorism or anti-government activity. The stages of an information security incident may include active and passive modes. These stages range from reconnaissance using conventional methods in addition to cyber methods to discover vulnerable areas, assets, people and processes, to gaining physical or cyber access, intrusion, malware insertion, exploitation, and clearing of symptoms or log details.
A compromise in physical security or a failure of business processes can lead to a cybersecurity incident that can impact essential businesses such as the power sector tremendously. Hence, in addition to adopting the right technology solution, creating awareness and incorporating cybersecurity measures right from the project design stage are essential to have robust and secure grids.
The Government of India, through the National Critical Information Infrastructure Protection Centre (NCIIPC), which is provided for in the Information Technology Act, 2000 (Amendment 2008), has been taking steps to create awareness among power utilities and other key stakeholders regarding the threat of cyberattacks and to suggest precautions. NCIIPC has also been tasked with identifying important and vulnerable critical information infrastructure. Further, the act provided for the setting up of the Computer Emergency Response Team – India (CERT-In) to address cybersecurity concerns.
For the power sector, specifically, one of the early steps towards cybersecurity was the setting up of sectoral CERTs in line with the National Cyber Security Policy, 2013. Separate CERTs have been set up for the thermal, hydro, transmission and distribution segments, to coordinate with power utilities. While NTPC Limited is the nodal agency for CERT-Thermal, NHPC Limited is that for CERT-Hydro, Power Grid Corporation of India Limited for CERT-Transmission, and the Central Electricity Authority (CEA) (Distribution Planning and Development Division) for CERT-Distribution. The nodal agencies are responsible for the crisis management plans of their respective segments. The National Cyber Security Policy, 2013 is being replaced by the National Cyber Security Policy, 2020 with an increased emphasis on audits and quality of audits.
As for the role of CEA in cybersecurity, it has officiated the position of chief engineer (IT) as chief information security officer of the Ministry of Power, and has integrated all entities at the central, state and private sector levels. The CEA has devised a platform called the information sharing and analysis centre (ISAC). The CEA also undertakes reviews of regulations and incorporates suitable provisions with respect to cybersecurity in the power sector from time to time. Further, it formulates testing standards and procedures for cybersecurity compliance in the power sector, besides working on technical and policy matters.
Other provisions include enterprise risk management under Section 134 of the Companies Act 2013; Clause 4.6.5 of the Central Electricity Regulatory Commission (CERC) Indian Electricity Grid Code (IEGC), 2010; a new chapter in the draft IEGC 2020; and the CERC (Communication System for inter-State transmission of electricity) Regulations, 2017. There are provisions for compliance under the IT Act, Clause 85, which provides for due diligence requirements. Further, all critical business processes and operations are required to be certified for ISO 27001. However, very few organisations are currently certified for ISO 27001. ISO 27019 also provides for additional controls for energy sector utilities. In addition to this, the Personal Data Protection Bill, 2019, which provides for a Data Protection Authority of India and a Non-Personal Data Protection Authority, is with the Joint Parliamentary Committee.
Some of the essential requirements for security processes include the nomination of a CISO, the formation of an information security department, and the implementation of an information security management system. There is a need to identify information assets, undertake risk assessment and formulate a mitigation plan. There should be vulnerability assessment and penetration testing. Utilities should comply with CERT-In and NCIIPC advisories, and undertake incident management and response as per their requirements.
With regard to supply chain risk management, contractual provisions for cybersecurity should be built in, laying down security architecture, technical specifications, quality controls, and original equipment manufacturer (OEM) support for security life cycle and patch management, besides having non-disclosure agreements and providing remote support. In addition, due diligence should be done by the OEMs.
That said, some of the hurdles faced by power utilities in ensuring robust cybersecurity include the lack of leadership, a CISO role, an information security team and a security culture. With respect to processes, major hurdles include the tasks of risk assessment, business process integration, incident response and the OT-IT conflict. At the governance level, there is a lack of awareness about cybersecurity in IT and OT networks. On the technical front, outdated OT systems, vulnerable software, inadequate network segregation between IT and OT, lack of system hardening, weak access control, and insufficient logging and monitoring pose significant challenges.
Technologically, difficulty in capturing digital footprints, anomaly detection, and risk correlation poses impediments. Further, state actor threats, lack of preparedness, and the Make in India initiative vis-à-vis the global supply chain also pose issues. Currently, cybersecurity is not considered a part of the fundamental design phase. It is usually provided by vendors at later stages to fix system vulnerabilities. There is also a lack of business continuity plans, third-party management and incident response planning.
The way forward
The key principle areas for security improvement include management review, policy and certification; supply chain security; network security; incident response or crisis management; software stack security of operating systems and applications; people security through training and sensitisation; and perimeter or physical access security.
A minimum programme for cybersecurity should include the implementation of ISO 27001 through a focused internal team with management-mandated leadership, and ensure that a CISO is in position. Creating awareness among utility staff and promoting in-house skill sets are essential steps for ensuring a safe and secure electric grid. Risk assessment-focused asset management should be undertaken, along with internal audits and process reviews. Incident response and crisis management should be given utmost priority, besides undertaking supply chain risk management. Such efforts are expected to pave the way for a more secure and modern power grid.
Based on a presentation by Anand Shankar, Senior General Manager, Information System, Power Grid Corporation of India, at a recent Power Line conference