Cyberattacks are carried out with malicious intent, and have the potential to compromise the power supply system and render the grid insecure. They can result in equipment maloperation and damage, and may even have a cascading effect leading to a grid blackout. Cyberattacks are staged using the tactics and techniques of initial access, execution, persistence, privilege escalation, defence evasion, command and control, and exfiltration. Once access is gained through privilege escalation, control of information technology (IT) networks and operations of operational technology (OT) systems are hacked into in order to gain access to sensitive operational data, which can be used for malicious purposes.
Identifying risks
In order to mitigate cyberattacks, it is necessary to identify system vulnerabilities and formulate a risk assessment methodology that can help identify all possible entry points for cybersecurity breaches. Multiple testing schemes should be incorporated to check for vulnerabilities. Moreover, using the numerous test bed systems available in the market, a comprehensive analysis of the possible impact of cyberattacks can be done. These test beds use real-time simulation models and intentionally create pseudo cyberattacks to observe the repercussions.
All segments of the power sector are at equal risk of cyberattacks. In the generation segment, a cyberattack poses the risk of compromising valve and plant control, trip protection systems, and fuel stock management. Similarly, the transmission segment is exposed to the risks of supervisory control and data acquisition (SCADA) systems being hacked into, as well as cross-site requests forgery attacks. The distribution segment is vulnerable to situations wherein an attacker switches off millions of smart meters simultaneously from a remote location, risking security misconfiguration and sensitive data exposure, and compromising function-level access control.
An often-ignored aspect of the power sector, which is also vulnerable to cyberattacks, is the telemetry infrastructure, which comprises telemetry systems that connect with the control systems and SCADA architecture of various components in a smart grid. Power system telemetry is highly susceptible to malicious network attacks. Once attacked, the master system is hacked. The slave devices can then be forced to erase critical data.
Based on the analysis of probable threats, utilities need to devise alleviation strategies. Proper security measures and attack-resistant smart grid infrastructure need to be developed and tested. In order to frame resistant and resilient cyber infrastructure, risk evaluation is a crucial process. The Government of India has been proactive in providing support and setting up bodies that can formulate roadmaps for cybersecurity infrastructure.
Upcoming technologies for grid security
Broadly, there are two major aspects of cybersecurity for all segments of the power sector – data security and network security. With the advent of internet of things (IoT) in power, both of these have been exposed to greater risks of unauthorised access and theft. Newer technologies can come be helpful in handling this vulnerability.
Data loss prevention technologies can be used to prevent sensitive data exfiltration across the cloud and the web using software-as-a-service platforms. These can be coupled with extensive predefined policy libraries for emergencies; and cloud access security broker software, which can perform shadow IT reporting and blocking, conduct in-line inspection, and application programming interface inspection. Such technologies can be used to protect a broad range of devices that use IoT from data theft and unauthorised access.
Network security is highly dependent on firewalls, and these are vulnerable to cyberattacks. New-generation firewalls that use internet protocol (IP) packet fragmentation or transmission control protocol segmentation offer better security against cyberattacks. Further, firewalls that are capable of control for false-positive testing, and web filtering for Quick User Datagram Protocol Internet Connections based on HTTP/3, can improve reliability and stability. Software-defined wide area networks, zero-trust network access application connectors, or generic routing encapsulation and IPsec can be used for site connectivity and access authenticity, providing a secure network.
CERT-In
The Government of India has established the Indian Computer Emergency Response Team (CERT-In) for early warning of, and quick response to, cybersecurity incidents. The team also collaborates with various entities at the national and international levels for information sharing on mitigation of cyber threats. CERT-In regularly issues advisories on safeguarding computer systems, and publishes security guidelines that are widely circulated for compliance.
All central government ministries and departments, as well as state and union territory governments have been advised to conduct cybersecurity audits of their entire cyber infrastructure at regular intervals through CERT-In-empanelled auditors. These audits can help identify security gaps and take appropriate corrective steps.
CERT-In extends support to entities in conducting cybersecurity mock drills and assessing cyberattack preparedness by studying organisational reports on cybersecurity controls, architecture, vulnerability management and network security.
The Ministry of Power created six sectoral CERTs for the thermal, hydro, transmission, grid operation, renewable energy and distribution segments to ensure cybersecurity in the power sector. Each sectoral CERT has a subsector-specific model called the Cyber Crisis Management Plan to counter cyberattacks and cyberterrorism. This is also shared with their constituent utilities.
CEA’s cybersecurity guidelines
In October 2021, India’s Central Electricity Authority (CEA) released guidelines for cybersecurity in the power sector for the first time. The guidelines have to be adhered to by all power sector utilities. They include norms for a cyber-assurance framework, strengthening the regulatory framework, putting in place mechanisms for early warnings, vulnerability management, response to security threats, and securing remote operations and services, among others.
Notably, in September 2022, the CEA amended the guidelines to address the issue of the frequency of OT audits for compliance by all entities in Clause 2.3. Article 14(b) of the CEA (Cyber Security in Power Sector) Guidelines, 2021 has been amended and states that the responsible entity shall, through a CERT-In-empanelled cybersecurity OT auditor, get its IT system audited at least once every six months, and their OT system audited at least once in a year.
Cybersecurity policy: The cardinal principles laid down under the CEA’s guidelines, to be strictly adhered to by responsible entities while framing a cybersecurity policy, include OT system needs, to be isolated from any internet-facing IT system. Downloading and uploading of any data from their internet-facing IT systems are to be done only through an identifiable whitelisted device, followed by scanning for malware and maintaining digital logs for such activities. A list of whitelisted IP addresses for each firewall is to be maintained by the chief information security officer (CISO), and communication between OT systems is to be done through a secure channel, preferably that of POWERTEL, through a fibre optic cable.
As per the guidelines, the process of access management for all cyber assets owned is to be detailed in the cybersecurity policy. State-of-the-art cybersecurity technologies are to be leveraged across multiple layers to mitigate cybersecurity risks. Besides this, the guidelines state that the cybersecurity policy is to be reviewed annually by a subject matter expert, and any desired changes must be incorporated after obtaining due approval from the board of directors.
Appointment of CISO: According to the CEA guidelines, entities should have an information security division (ISD), headed by the CISO. The entity has to mandatorily appoint a CISO, who shall conform to the qualifications laid down by the Quality Council of India. In their absence, the work of the CISO shall be looked upon by an alternate CISO. The roles and responsibilities of the CISO shall be as laid down by CERT-In.
Identification of critical information infrastructure: An entity should submit the details of its cyber assets to the National Critical Information Infrastructure Protection Centre (NCIIPC) through its sectoral CERT, within 30 days of the date of their commissioning in the system. Details of critical business processes and the underlying information infrastructure, along with the mapped impact and risk profile, need to be submitted to the NCIIPC. CIIs need to be examined for changes annually.
Cybersecurity requirements: Some of the key cybersecurity requirements stipulated in the guidelines are:
- The entities need to ensure that the ISD is functional on a 24x7x365 basis and is adequately manned by qualified engineers. The ISD needs to deploy an intrusion detection system and an intrusion prevention system capable of identifying behavioural anomalies in IT and OT systems. The software needs to share reports on incident responses and targeted malware samples with CERT-In, and update their firmware and software with digitally-signed OEM-validated patches.
- The factory acceptance test and site acceptance test must include comprehensive cybersecurity tests of the equipment and systems to be delivered at the site.
- The entities should routinely audit and test the security properties of the critical systems, and act promptly against vulnerabilities identified through testing.
- The entities should design secure architecture for control systems, which is appropriate for their process control environments.
Conclusion
With the increasing digitalisation of the power system, utilities need to significantly strengthen their cybersecurity frameworks to maintain safe operations. For this, it is crucial for utilities to opt for strong and secure password-protected systems, secure firewalls, intrusion detection and intrusion prevention systems, regular backups of data, vulnerability assessment and penetration testing. A robust cybersecurity policy, manpower training and regular review meetings to check for system vulnerabilities are also paramount.