As per industry experts, there are three high-level smart grid security objectives: availability, integrity and confidentiality. The use of information is of utmost importance in a smart grid network. This is because a loss of availability leads to disruption of access to information, which may further undermine power delivery. At the same time, a loss of integrity results in unauthorised modification or destruction of information and can further induce incorrect decision-making regarding power management. Also, confidentiality is necessary to prevent unauthorised disclosure of information that is not open to the public and individuals. Although considered to be least critical for system reliability by many experts, confidentiality is now gaining more importance, particularly in systems that involve interactions with customers.
Cyberattacks and cyber intrusion attempts in the power sector are carried out either to compromise the power supply system or to render grid operations insecure. Such compromises may result in equipment damages, mal-operation of equipment or even in a cascading grid brownout/blackout. Through social engineering techniques, it is also possible for an insider or outsider to jump into the artificial air gap created by firewalls between any information technology (IT) and operational technology (OT) system.
Recent initiatives to mitigate cyberattacks
The power ministry, on its part, has set up six computer emergency response teams (CERTs) for grid operation, thermal, hydropower, electricity distribution, transmission and renewable energy. In addition, India has a National Cyber Coordination Centre (NCCC). Cybersecurity mock drills in coordination with CERT-In are also conducted regularly in utilities, as per the ministry. Meanwhile, in 2021, the power ministry and the Central Electricity Authority (CEA) released guidelines for cybersecurity in the power sector for the first time. The guidelines were prepared after intensive deliberations with stakeholders and inputs from expert agencies in the field of cybersecurity, such as CERT-In, NCIIPC, NSCS and IIT-Kanpur, and subsequent deliberations in the Ministry of Power.
The guidelines lay down a cyber assurance framework, focusing on strengthening the regulatory framework as well as for putting in place mechanisms for early warning of security threats. The guidelines also focus on vulnerability management and response to security threats, and secure remote operations and services, among others. These norms are applicable to all relevant entities as well as system integrators, including suppliers/ vendors as well as IT hardware and software OEMs engaged in the power supply system. As per the guidelines, a product will have to be tested for malware/hardware trojans before deployment for use in the power supply system network. The guidelines mandate ICT-based procurement from identified “trusted sources” and “trusted products”. Further, products imported from prior reference countries would need to undergo type testing.
These guidelines are mandatory requirements that need to be met by all stakeholders. They lay emphasis on establishing cyber hygiene, training all IT and OT personnel on cybersecurity, and designating cybersecurity training institutes and cyber testing labs in the country. The CEA is also working on cybersecurity regulations. The cybersecurity guidelines are a precursor to the same.
The way forward
The Indian cybersecurity industry nearly doubled in size amidst the pandemic, with revenues from cybersecurity products and services growing from $5.04 billion in 2019 to $9.85 billion in 2021. According to data provided by the Data Security Council of India (DSCI), the growth was led by factors such as increased regulatory attention to data and privacy as well as growing boardroom awareness around cyberthreats. This trend is expected to accelerate further, given the new realities created by the Covid-19 pandemic, with the migration of communications, operations and data to the cloud and remote operations.
Enhancing the cyber resilience of power systems is thus becoming a key priority for all stakeholders. Four of India’s five regional centres that help oversee the crucial electricity load management function faced cyberattacks in recent months, according to a written response to Parliament by the power minister in July 2021. These were the Southern Regional Load Despatch Centre (SRLDC), the Western Regional Load Despatch Centre (WRLDC), the Northern Regional Load Despatch Centre (NRLDC) and the North Eastern Regional Load Despatch Centre (NERLDC) of the Power System Operation Corporation (POSOCO), besides NTPC Kudgi and Telangana State Transco. Necessary isolation and other protective measures were taken by these organisations.
Net, net, the need of the hour is to develop comprehensive frameworks that can tackle cyberthreats and provide architectural as well as analytical countermeasures for the prevention of such attacks. Outdated and vulnerable software, inadequate network segregation, and insufficient logging and monitoring are some of the challenges that need to be addressed. Designing security awareness and training programmes that comply with local, state and national policy and regulatory frameworks can also go a long way in providing support to the overall smart grid security infrastructure.