Cyber Security for Digital Utilities

The sixth plenary session was on Cyber Security for Digital Utilities. The session was moderated by Faruk Kazi, Chair, ISGF WG on Digital Architecture and Cyber Security, and Professor, VJTI, Mumbai. The session included addresses and presentations by Andrew Ginter, Vice President – Industrial Security, Waterfall Security Solutions; Sunandan Banerjee, Principal Consultant-Government and PSU, SonicWall; Aamir Hussain, IT, Tata Power–DDL; Elad Shaviv, Chief Executive Officer, Israeli Smart Energy Association; Shaleen Khetarpaul, BSES Rajadhani Power Limited; Vijayan SR, Hub Digitalization Lead – Grid Automation, Hitachi ABB Power Grids; Mandar Patil, Manager – Solutions Architect, Amazon Web Services; Lalit Kumar, General Manager-IT Security, BYPL and Kishore Narang, Founder, Narnix.

Ginter spoke about ransomware attacks on the industrial control system and operational technology in the supply chain during 2020 and the key lessons learnt from these attacks. He discussed cloud/industrial IoT ransomware attacks, wherein poorly defended IIoT vendors are compromised and the attacker gains control of the firmware update process. Further, the attacker forces the firmware to thousands of devices, whether they enabled auto updates or not, which cripples hundreds of sites. In conclusion, he discussed the use of unidirectional hardware, which prevents targeted ransomware, remote exploitation and other attacks. It is useful for strengthening the cybersecurity infrastructure.

Andrew Ginter, Vice President-Industrial Security, Waterfall Security Solutions

Banerjee began his address by noting that while global malware attacks have witnessed a dip, new and measured attacks pivoted the cyber war in the first half of 2020. He also highlighted the need for multi-layered protection. He noted that his organisation witnessed 120,910 unprecedented attacks. Further, 23 per cent of malware used non-standard ports, and there were 2,036 phishing attacks and 11,811 malware attacks per customer, he noted.

Sunandan Banerjee, Principal Consultant-Government & PSU, SonicWall

Hussain spoke about the challenges faced by utilities in the cybersecurity domain, which include outdated and vulnerable software, inadequate network segregation, and insufficient logging and monitoring. He further discussed various sources of vulnerability in the power sector, namely the network and communication infrastructure, smart meters and IoT devices, remote access and mobile devices, and third-party services. He also elucidated the practices adopted by Tata Power-DDL for enhancing cybersecurity. These include the implementation of the information security management system for IT and OT infrastructure, identification of critical business assets, risks and mitigation measures (such as backup of critical data at pre-defined interval), and implementation of a 24×7 security operation centre.

Shaviv began his presentation highlighting the three main goals to be achieved in the security model – availability, integrity and confidentiality. But there is always a trade-off. Two more objectives are safety and reliability. He mentioned the need for an open environment, remote accessibility and safety in using smart/intelligent devices. On the whole, physical, digital and network security have to be well embedded into the design and network from the planning phase and the mindset should be switched from “reactive” to “proactive”.

According to Khetrepaul, there are cyberthreats to microgrids as well due to distributed control of flexible assets and increased penetration of monitoring and control. The threat vectors are the lack of secure product design, supply chain risks, lack of awareness and limited skilled manpower. The three important pillars of cybersecurity are availability, integrity and confidentiality. The risk assessment should be done by identifying assets, then threats and liabilities, analysing and reassuring those threats, and finally mitigation and review.

Shaleen Khetarpaul, BSES Rajadhani Power Limited

Patil talked about how it is important to improve security because there are a lot of endpoints. With identity access, insider threat can be eliminated. He highlighted that AWS-enabled customer and partner solutions such as IT transformation, OT transformation, energy supply transformation and customer engagement are empowering utilities. It is also offering cloud services such as database and storage. AWS has prepared a shared responsibility model with over 50 global compliance certificates and accreditations for providing cybersecurity to digital utilities.

Vijayan S.R. mentioned that modern SCADA systems offer possibilities for remote operation and monitoring, data and information exchange at different levels, IP-based communication etc. Also, some benefits of industrial control systems are safe environment, high availability of 99.9-99.999 per cent, and a long lifetime of 15-30 years. Also, cybersecurity can be achieved by layering communication networks physically and/or logically to improve network security. A defense-in-depth approach improves the overall system security.

Lalit Kumar talked about how utilities are moving towards modernisation by converging their OT and IT. Further, security can be maintained not only at the technology level but also through people and processes. With respect to people, emergency drills, physical security, training and awareness, authorisation and authentication can be helpful. For processes, the management system, government frameworks, audit regimes and vendor/third-party contract follow-ups should be looked into. The cybersecurity steps include network security (monitoring behavioural change in network traffic), malware protection, monitoring, incident management user awareness and information risk management.

Lalit Kumar, General Manager-IT Security, BYPL

N.Kishore talked about the importance of secure cyberspace assurance, or a trustworthy cyber-ecosystem, to ensure the security and resilience of internet within the country and enhance cybersecurity capabilities. He added that managing risks start with identifying assets and risks. Further, there are many overlapping standards given the different vendor “camps” and different global, regional and national SDOs. A national imperative for cybersecurity is to have an accountable and integrated national cybersecurity apparatus. A National Trust Centre to undertake security testing and evaluation will also help.