Safety Check: Cybersecurity concerns, challenges and solutions

Cyberattacks are carried out with ma­licious intent, and have the po­tential to compromise the power supply system and render the grid insecure. They can result in equipment maloperation and damage, and may even have a cascading effect leading to a grid blackout. Cyberattacks are staged using the tactics and techniques of initial acc­ess, execution, persistence, privilege es­calation, defence evasion, command and control, and exfiltration. Once acc­ess is gained through privilege escalation, control of information technology (IT) networks and operations of operational technology (OT) systems are ha­ck­ed into in order to gain access to sensitive operational data, which can be used for malicious purposes.

Identifying risks

In order to mitigate cyberattacks, it is ne­cessary to identify system vulnerabilities and formulate a risk assessment methodology that can help identify all possible entry points for cybersecurity breaches. Multiple testing schemes sh­ou­ld be in­cor­porated to check for vulne­rabilities. Moreover, using the numerous test bed systems available in the market, a comprehensive analysis of the possible im­pact of cyberattacks can be done. These test beds use real-time simulation models and intentionally create pseudo cy­berattacks to observe the repercussions.

All segments of the power sector are at equal risk of cyberattacks. In the generation segment, a cyberattack poses the risk of compromising valve and plant co­ntrol, trip protection systems, and fuel stock management. Similarly, the transmission segment is exposed to the risks of supervisory control and data acquisition (SCADA) systems being ha­cked into, as well as cross-site requests forgery attacks. The distribution segme­nt is vulnerable to situations wherein an attacker switches off millions of smart meters simultaneously from a remote location, risking se­curity misconfiguration and sensitive da­ta exposure, and compromising function-level access control.

An often-ignored aspect of the power sector, which is also vulnerable to cyberattacks, is the telemetry infrastructure, whi­ch comprises telemetry systems that connect with the control systems and SCADA architecture of various components in a smart grid. Power system telemetry is highly susceptible to malicious network attacks. Once attacked, the master syst­em is hacked. The slave devices can then be forced to erase critical data.

Based on the analysis of probable threats, uti­lities need to devise alleviation strategies. Proper security measures and att­ack-resistant smart grid infrastructure ne­ed to be developed and tested. In or­der to frame resistant and resilient cyber infrastructure, risk evaluation is a crucial process. The Government of India has be­en proactive in providing support and se­tting up bodies that can formulate ro­ad­maps for cybersecurity infrastructure.

Upcoming technologies for grid security

Broadly, there are two major aspects of cybersecurity for all segments of the power sector – data security and network security. With the advent of internet of things (IoT) in power, both of these have been exposed to greater risks of unauthorised access and theft. Newer technologies can come be helpful in handling this vulnerability.

Data loss prevention technologies can be used to prevent sensitive data exfilt­ration across the cloud and the web us­ing software-as-a-service platforms. The­se can be coupled with extensive pre­defined policy libraries for emer­gen­cies; and cloud access security broker software, which can perform shadow IT reporting and blocking, conduct in-line inspection, and application progra­mming interface inspection. Such technologies can be used to protect a broad range of devices that use IoT from data theft and unauthorised access.

Network security is highly dependent on firewalls, and these are vulnerable to cyberattacks. New-generation firewalls that use internet protocol (IP) packet fra­g­mentation or transmission control protocol segmentation offer better security against cyberattacks. Further, fi­re­walls that are capable of control for fal­se-positive testing, and web filtering for Quick User Datagram Protocol Inter­net Connections based on HTTP/3, can im­prove reliability and stability. Soft­ware-defined wide area networks, zero-trust network access application conn­ectors, or generic routing encapsulation and IPsec can be used for site connectivity and access authenticity, providing a secure network.


The Government of India has established the Indian Computer Emergency Respo­n­se Team (CERT-In) for early warning of, and quick response to, cybersecurity incidents. The team also collaborates with various entities at the national and international levels for information sharing on mitigation of cyber threats. CERT-In regularly issues advisories on safeguarding computer systems, and publishes security guidelines that are widely circulated for compliance.

All central government ministries and departments, as well as state and union territory governments have been advis­ed to conduct cybersecurity audits of their entire cyber infrastructure at regular intervals through CERT-In-empanelled auditors. These audits can help id­entify security gaps and take appropriate corrective steps.

CERT-In extends support to entities in conducting cybersecurity mock drills and assessing cyberattack preparedness by studying organisational reports on cybersecurity controls, architecture, vulnerability management and network security.

The Ministry of Power created six sectoral CERTs for the thermal, hydro, tra­n­s­mission, grid operation, renewable en­ergy and distribution segments to ensu­re cybersecurity in the power sector. Ea­ch sectoral CERT has a subsector-specific model called the Cyber Crisis Ma­na­gement Plan to counter cyberattacks and cyberterrorism. This is also shared with their constituent utilities.

CEA’s cybersecurity guidelines

In October 2021, India’s Central Electri­city Authority (CEA) released guidelines for cybersecurity in the power sector for the first time. The guidelines have to be adhered to by all power sector utilities. They include norms for a cyber-assurance framework, strengthening the regulatory framework, putting in place mechanisms for early warnings, vulnerability management, response to security threats, and securing remote operations and services, among others.

Notably, in September 2022, the CEA amen­d­ed the guidelines to address the issue of the frequency of OT audits for compliance by all entities in Clause 2.3. Article 14(b) of the CEA (Cyber Security in Po­wer Sector) Guidelines, 2021 has been amended and states that the res­po­nsible entity shall, through a CERT-In-empanelled cybersecurity OT auditor, get its IT system audited at least once every six months, and their OT system audited at least once in a year.

Cybersecurity policy: The cardinal principles laid down under the CEA’s guidelines, to be strictly adhered to by responsible entities while framing a cybersecurity policy, include OT system needs, to be isolated from any internet-facing IT system. Downloading and uploading of any data from their internet-facing IT systems are to be done only through an identifiable whitelisted device, followed by scanning for malware and maintaining digital logs for such activities. A list of whitelisted IP addresses for each firewall is to be maintained by the chief information security officer (CISO), and communication between OT systems is to be done through a secure channel, preferably that of POWERTEL, through a fibre optic cable.

As per the guidelines, the process of ac­cess management for all cyber assets owned is to be detailed in the cybersecurity policy. State-of-the-art cybersecurity technologies are to be leveraged across multiple layers to mitigate cybersecurity risks. Besides this, the guidelines state that the cybersecurity policy is to be re­vi­ewed annually by a subject matter ex­pert, and any desired changes must be incorporated after obtaining due app­roval from the board of directors.

Appointment of CISO: According to the CEA guidelines, entities should have an information security division (ISD), headed by the CISO. The entity has to ma­­n­datorily appoint a CISO, who shall conform to the qualifications laid down by the Quality Council of India. In their ab­sence, the work of the CISO shall be lo­­oked upon by an alternate CISO. The roles and responsibilities of the CISO shall be as laid down by CERT-In.

Identification of critical information infrastructure: An entity should submit the details of its cyber assets to the Na­tional Critical Information Infrastruc­ture Protection Centre (NCIIPC) through its sectoral CERT, within 30 days of the date of their commissioning in the system. Details of critical business processes and the underlying information infrastructure, along with the mapped im­pact and risk profile, need to be submitted to the NCIIPC. CIIs need to be examined for changes annually.

Cybersecurity requirements: Some of the key cybersecurity requirements stipulated in the guidelines are:

  • The entities need to ensure that the ISD is functional on a 24x7x365 basis and is adequately manned by qualified engineers. The ISD needs to deploy an intrusion detection system and an intrusion prevention system capable of identifying behavioural anomalies in IT and OT systems. The software ne­e­ds to share reports on incident re­sponses and targeted malware samp­les with CERT-In, and update their firmware and software with digitally-signed OEM-validated patches.
  • The factory acceptance test and site ac­ceptance test must include comprehensive cybersecurity tests of the equipment and systems to be delivered at the site.
  • The entities should routinely audit and test the security properties of the critical systems, and act promptly ag­ainst vulnerabilities identified throu­gh testing.
  • The entities should design secure ar­chitecture for control systems, which is appropriate for their process control environments.


With the increasing digitalisation of the power system, utilities need to significantly strengthen their cybersecurity frameworks to maintain safe operati­o­ns. For this, it is crucial for utilities to opt for strong and secure password-pro­tected systems, secure firewalls, in­trusion de­t­ection and intrusion prevention syste­ms, regular backups of data, vulnerability assessment and penetration testing. A robust cybersecurity policy, manpower training and regular re­view meetings to check for system vulnerabilities are also paramount.