A Growing Threat

Power utilities pay increasing attention to cybersecurity

The threat of cybercrime is impacting every sector across the world. The power sector is equally at risk of cy­ber­attacks due to increasing digitalisation. Developments such as data interconnectivity, sensorisation and the inc­re­ased attack surface of utilities are breeding grounds for such attacks. As a result, the Indian cybersecurity industry nearly doubled in size amidst the pandemic, with revenues from cybersecurity products and services growing from $5.04 billion in 2019 to $9.85 billion in 2021. According to data provided by the Data Security Council of India, the growth was led by factors such as in­creased regulatory attention to data and privacy as well as growing boardroom awa­reness about cyberthreats. This tre­nd is expected to accelerate further, given the new realities created by the Covid-19 pandemic with the migration of communications, operations and da­ta to the cloud and remote operations.

In October 2021, India’s Central Electri­city Authority (CEA) released guidelines for cybersecurity in the power sector for the first time. The guidelines have to be adhered to by all power sector utilities. They include norms for laying down a cyber assurance framework; strengthening the regulatory framework; putting in place mechanisms for early warnings, vulnerability management and response to security threats; and securing remote operations and services, among others. The norms are applicable to all responsible entities as well as system integrators, equipment manufacturers, suppliers/vendors, service providers, and in­for­mation technology (IT) hardware and software original equipment manufacturers (OEMs) engaged in the Indian po­wer supply system. The guidelines mandate information and communications technology-based procurement from id­entified and trusted sources, failing which the product would have to be tes­ted for malware/hardware trojans be­fore deployment in the power supply system network.

New and emerging solutions

The biggest threat is the insider threat, as data proliferation mostly takes place due to insiders. To overcome this threat, an organisation must develop a practice of background checks for not only visitors and vendors, but for employees of the organisation itself. The new CEA regulations mandate that a new employee’s background must be checked and a bo­nd must be signed whereby the em­ploy­ee will be held responsible for any data leakage or damage to the system or any threat arising because of the employee.

Over time, the domains of physical security and cybersecurity have become interrelated. The idea of cyber-physical se­curity has thus gained prominence, due to the need for physical access and boundary disciplines. If there is no physical security, even the best cybersecurity would be of no use. A classic example of this is the practice of placing a laser gui­de against tools, since it is not possible to define the type of instrument an atta­cker is carrying unless they are physically checked. This way, the entire process of the operation of the instrument can be captured, and the vulnerability can be detected.

Another issue arises from operating legacy systems. Legacy systems were not designed for cybersecurity, so we cannot harden them to ensure the most secure operation. They can be secured only to a limited extent. Hence, there is a need to phase out such legacy systems, instead of risking operations. Here, management has to take a call, as cyberattacks may entail losses amounting to crores of rupees.

Further, while the life of an operating system is 25-35 years, IT software has a life of just seven to ten years, as such technologies change rapidly. This makes legacy systems redundant with huge costs for replacing them or upgrading them to the latest version. This gap in a utility’s contractual agreement with an OEM needs to be plugged. Moreover, to ensure that the product procured is cyber-secu­r­ed, utilities should document it in the bid document itself. Fur­ther, utilities ne­ed to mention if they ha­ve been attack­ed, so that the Indian Co­m­puter Emer­gen­cy Response Team (CERT-In) can play an active role in limiting damages to other utilities. The en­tire attack sce­na­rio should be analysed, for which for­ensic expertise should be developed in our country. Another solution is to app­oint chief information security officers for both generation, and transmission and distribution (T&D), so that continuity is maintained between these two sides. Further, they should back each other up during emergencies, and ensure a proper inflow of information.

Some other solutions include cross-functional management of IT and ope­ra­­tional technology (OT) teams, rather than having them work in isolation, for better results. Utilities need to go be­yond classical antivirus and rule-based methodologies, and artificial intelligence- and ma­ch­i­­ne learning-based network metho­do­logies could be useful. Training for both IT security personnel and users should be ensured, and operations on legacy systems, which are not designed for cybersecurity, need to be phased out.

Utilities should register with the Cyber Swachhta Kendra (CSK), which publishes alerts regarding suspected vulnerabilities several times a month and also presents a monthly situational awareness report. As of July 2021, out of 194 unique organisations registered on the CSK, 41 pertain to thermal generation and 65 pertain to discoms.

Issues and concerns

When it comes to providing reliable and authenticated data, the major concern is collecting the data from machines with no intervention or manipulation in the process. Another concern is that there is little awareness regarding cybersecurity tests. Utilities are not aware of what tests need to be conducted, so they do not include their cybersecurity requireme­nts in the bid document. This means that the utility does not know whether the equipment it is buying is cyber-secu­re or not. Further challenges include ex­pansive geographies and distributed management, which make it difficult to control such attacks. Moreover, there are no labs that can certify compliance with IEC 20243 for software and IEC 62443 for OT protection.

The way forward

We lack a cyber-secure ecosystem. It is being developed, but will still take some time to fully mature. Till then, maintenance of cyber hygiene should be prioritised. This can be achieved by being ISO 21001 certified, and performing regular system audits and BRPG testing to check if new vulnerabilities have been introduced during operations. This can en­sure that the system is kept healthy at all times. The National Cyber Coordina­tion Centre, part of the Ministry of IT, has come out with a threat support canvas and is encouraging designated utilities to take part. Through this, metadata at the organisational level will be matched with that at the national level to ensure that any threat can be perceived externally and passed on to the organisation.

Utilities should get their systems audited regularly, and once audited, they sh­ould plug the non-affirmative areas. Any mi­nu­te abnormality should be flagged and investigated. OEMs and industry ex­perts should be consulted on the measures to be taken, as any potential sabotage can take the shape of a big cyberattack.

Going forward, a response is needed in terms of people, processes and technology, followed by partnership between the government and utilities. Training is key, not only for IT security personnel but also for users. IT and OT teams sh­ou­ld not work in isolation, but as cross-functional teams.

The CEA is currently developing a cybersecurity test bed for the power sector at the Central Power Research Institute, Be­­­ngaluru. It is encouraging industry pe­­­o­­ple to come up with facilities that can be leveraged for commercial purpo­ses. Every power sector utility should have some sort cyber-testing facility, for which adequate infrastructure needs to developed, going ahead.

Based on a discussion with Sanjay Prasad, Chief Information Officer, CESC Power Group, and M.A.K.P. Singh, Chief Engineer, IT, Central Electricity Authority, at a Power Line conference


Enter your email address