Cyberattacks are carried out with maÂlicious intent, and have the poÂtential to compromise the power supply system and render the grid insecure. They can result in equipment maloperation and damage, and may even have a cascading effect leading to a grid blackout. Cyberattacks are staged using the tactics and techniques of initial accÂess, execution, persistence, privilege esÂcalation, defence evasion, command and control, and exfiltration. Once accÂess is gained through privilege escalation, control of information technology (IT) networks and operations of operational technology (OT) systems are haÂckÂed into in order to gain access to sensitive operational data, which can be used for malicious purposes.
Identifying risks
In order to mitigate cyberattacks, it is neÂcessary to identify system vulnerabilities and formulate a risk assessment methodology that can help identify all possible entry points for cybersecurity breaches. Multiple testing schemes shÂouÂld be inÂcorÂporated to check for vulneÂrabilities. Moreover, using the numerous test bed systems available in the market, a comprehensive analysis of the possible imÂpact of cyberattacks can be done. These test beds use real-time simulation models and intentionally create pseudo cyÂberattacks to observe the repercussions.
All segments of the power sector are at equal risk of cyberattacks. In the generation segment, a cyberattack poses the risk of compromising valve and plant coÂntrol, trip protection systems, and fuel stock management. Similarly, the transmission segment is exposed to the risks of supervisory control and data acquisition (SCADA) systems being haÂcked into, as well as cross-site requests forgery attacks. The distribution segmeÂnt is vulnerable to situations wherein an attacker switches off millions of smart meters simultaneously from a remote location, risking seÂcurity misconfiguration and sensitive daÂta exposure, and compromising function-level access control.
An often-ignored aspect of the power sector, which is also vulnerable to cyberattacks, is the telemetry infrastructure, whiÂch comprises telemetry systems that connect with the control systems and SCADA architecture of various components in a smart grid. Power system telemetry is highly susceptible to malicious network attacks. Once attacked, the master systÂem is hacked. The slave devices can then be forced to erase critical data.
Based on the analysis of probable threats, utiÂlities need to devise alleviation strategies. Proper security measures and attÂack-resistant smart grid infrastructure neÂed to be developed and tested. In orÂder to frame resistant and resilient cyber infrastructure, risk evaluation is a crucial process. The Government of India has beÂen proactive in providing support and seÂtting up bodies that can formulate roÂadÂmaps for cybersecurity infrastructure.
Upcoming technologies for grid security
Broadly, there are two major aspects of cybersecurity for all segments of the power sector – data security and network security. With the advent of internet of things (IoT) in power, both of these have been exposed to greater risks of unauthorised access and theft. Newer technologies can come be helpful in handling this vulnerability.
Data loss prevention technologies can be used to prevent sensitive data exfiltÂration across the cloud and the web usÂing software-as-a-service platforms. TheÂse can be coupled with extensive preÂdefined policy libraries for emerÂgenÂcies; and cloud access security broker software, which can perform shadow IT reporting and blocking, conduct in-line inspection, and application prograÂmming interface inspection. Such technologies can be used to protect a broad range of devices that use IoT from data theft and unauthorised access.
Network security is highly dependent on firewalls, and these are vulnerable to cyberattacks. New-generation firewalls that use internet protocol (IP) packet fraÂgÂmentation or transmission control protocol segmentation offer better security against cyberattacks. Further, fiÂreÂwalls that are capable of control for falÂse-positive testing, and web filtering for Quick User Datagram Protocol InterÂnet Connections based on HTTP/3, can imÂprove reliability and stability. SoftÂware-defined wide area networks, zero-trust network access application connÂectors, or generic routing encapsulation and IPsec can be used for site connectivity and access authenticity, providing a secure network.
CERT-In
The Government of India has established the Indian Computer Emergency RespoÂnÂse Team (CERT-In) for early warning of, and quick response to, cybersecurity incidents. The team also collaborates with various entities at the national and international levels for information sharing on mitigation of cyber threats. CERT-In regularly issues advisories on safeguarding computer systems, and publishes security guidelines that are widely circulated for compliance.
All central government ministries and departments, as well as state and union territory governments have been advisÂed to conduct cybersecurity audits of their entire cyber infrastructure at regular intervals through CERT-In-empanelled auditors. These audits can help idÂentify security gaps and take appropriate corrective steps.
CERT-In extends support to entities in conducting cybersecurity mock drills and assessing cyberattack preparedness by studying organisational reports on cybersecurity controls, architecture, vulnerability management and network security.
The Ministry of Power created six sectoral CERTs for the thermal, hydro, traÂnÂsÂmission, grid operation, renewable enÂergy and distribution segments to ensuÂre cybersecurity in the power sector. EaÂch sectoral CERT has a subsector-specific model called the Cyber Crisis MaÂnaÂgement Plan to counter cyberattacks and cyberterrorism. This is also shared with their constituent utilities.
CEA’s cybersecurity guidelines
In October 2021, India’s Central ElectriÂcity Authority (CEA) released guidelines for cybersecurity in the power sector for the first time. The guidelines have to be adhered to by all power sector utilities. They include norms for a cyber-assurance framework, strengthening the regulatory framework, putting in place mechanisms for early warnings, vulnerability management, response to security threats, and securing remote operations and services, among others.
Notably, in September 2022, the CEA amenÂdÂed the guidelines to address the issue of the frequency of OT audits for compliance by all entities in Clause 2.3. Article 14(b) of the CEA (Cyber Security in PoÂwer Sector) Guidelines, 2021 has been amended and states that the resÂpoÂnsible entity shall, through a CERT-In-empanelled cybersecurity OT auditor, get its IT system audited at least once every six months, and their OT system audited at least once in a year.
Cybersecurity policy: The cardinal principles laid down under the CEA’s guidelines, to be strictly adhered to by responsible entities while framing a cybersecurity policy, include OT system needs, to be isolated from any internet-facing IT system. Downloading and uploading of any data from their internet-facing IT systems are to be done only through an identifiable whitelisted device, followed by scanning for malware and maintaining digital logs for such activities. A list of whitelisted IP addresses for each firewall is to be maintained by the chief information security officer (CISO), and communication between OT systems is to be done through a secure channel, preferably that of POWERTEL, through a fibre optic cable.
As per the guidelines, the process of acÂcess management for all cyber assets owned is to be detailed in the cybersecurity policy. State-of-the-art cybersecurity technologies are to be leveraged across multiple layers to mitigate cybersecurity risks. Besides this, the guidelines state that the cybersecurity policy is to be reÂviÂewed annually by a subject matter exÂpert, and any desired changes must be incorporated after obtaining due appÂroval from the board of directors.
Appointment of CISO: According to the CEA guidelines, entities should have an information security division (ISD), headed by the CISO. The entity has to maÂÂnÂdatorily appoint a CISO, who shall conform to the qualifications laid down by the Quality Council of India. In their abÂsence, the work of the CISO shall be loÂÂoked upon by an alternate CISO. The roles and responsibilities of the CISO shall be as laid down by CERT-In.
Identification of critical information infrastructure: An entity should submit the details of its cyber assets to the NaÂtional Critical Information InfrastrucÂture Protection Centre (NCIIPC) through its sectoral CERT, within 30 days of the date of their commissioning in the system. Details of critical business processes and the underlying information infrastructure, along with the mapped imÂpact and risk profile, need to be submitted to the NCIIPC. CIIs need to be examined for changes annually.
Cybersecurity requirements: Some of the key cybersecurity requirements stipulated in the guidelines are:
- The entities need to ensure that the ISD is functional on a 24x7x365 basis and is adequately manned by qualified engineers. The ISD needs to deploy an intrusion detection system and an intrusion prevention system capable of identifying behavioural anomalies in IT and OT systems. The software neÂeÂds to share reports on incident reÂsponses and targeted malware sampÂles with CERT-In, and update their firmware and software with digitally-signed OEM-validated patches.
- The factory acceptance test and site acÂceptance test must include comprehensive cybersecurity tests of the equipment and systems to be delivered at the site.
- The entities should routinely audit and test the security properties of the critical systems, and act promptly agÂainst vulnerabilities identified throuÂgh testing.
- The entities should design secure arÂchitecture for control systems, which is appropriate for their process control environments.
Conclusion
With the increasing digitalisation of the power system, utilities need to significantly strengthen their cybersecurity frameworks to maintain safe operatiÂoÂns. For this, it is crucial for utilities to opt for strong and secure password-proÂtected systems, secure firewalls, inÂtrusion deÂtÂection and intrusion prevention systeÂms, regular backups of data, vulnerability assessment and penetration testing. A robust cybersecurity policy, manpower training and regular reÂview meetings to check for system vulnerabilities are also paramount.
