Strengthening Defences: Mitigating cybersecurity challenges in the power sector

The power sector is facing a range of challenges, including generation shortages, transmission congestion and power quality issues. While many of these can be mitigated through appropriate measures, a new and significant issue has emerged in the post-Covid era – cybersecurity threats. These threats are particularly concerning for information technology (IT) and operational technology (OT) systems that are critical to the functioning of the power sector.

The Central Electricity Authority (CEA), under the guidance of the Indian Computer Emergency Response Team (CERT-In), is actively working to make the entire power sector more cyber-resilient. In 2021, the CEA introduced comprehensive cybersecurity guidelines aimed at addressing all facets of cybersecurity within this vital industry. These efforts focus not only on protecting physical infrastructure but also on strengthening cyber defences to ensure the reliability and security of power systems nationwide.

More recently, in August 2024, the CEA notified the draft CEA (Cyber Security Regulations for the power sector) Regulations, 2024. The scope of these regulations includes all responsible entities, regional power committees, appropriate commissions, governments and associated organisations in the power sector, including training institutes and vendors. The regulations outline the responsibilities of the Computer Security Incident Response Team (CSIRT)-Power, which includes developing a cyber security framework, responding to incidents, and coordinating with other cybersecurity bodies like CERT-In and the National Critical Information Infrastructure Protection Centre. The regulations also stipulate that entities must establish an information security division dedicated to cybersecurity, which will be responsible for various tasks such as implementing measures for critical infrastructure protection, reviewing policies and conducting security assessments. The draft regulations also propose that vendors provide documented and tested procedures and a recovery plan for the restoration of the system from potential cyber crisis scenarios. Vendors must ensure that security patches and updates are made available for all system components supplied by them throughout the entire contractually stipulated operating time.

CSIRT-Power was inaugurated in September 2024. The facility was established to defend power systems from the ever-evolving landscape of cyber threats. The Ministry of Power, as part of its 100-day initiatives, following the National Cyber Security Policy, 2013, and in collaboration with CERT-In, initiated the creation of CSIRT-Power. Equipped with advanced infrastructure, cutting-edge cybersecurity tools and key resources, CSIRT-Power is now well-prepared to tackle emerging threats in the power sector. It has a dedicated team of experts, which coordinates incident response, establishes a strong cybersecurity framework, and implements crucial measures to enhance overall preparedness and resilience.

Needs and requirements for power utilities

When discussing cybersecurity in the power sector, it is essential to recognise that the issue extends beyond the distribution sector; it affects all parts of the power industry. Industries whose core businesses are not centred around IT or security often face heightened risks from cyber attackers. These sectors may not be as aware of cybersecurity threats, and as a result, they tend to underinvest in protecting their infrastructure. This lack of awareness makes these organisations more vulnerable to attacks, as threat actors can exploit these weaknesses, potentially compromising business operations and damaging an organisation’s reputation.

To mitigate these risks, CERT-In, as the apex body responsible for responding to cybersecurity incidents, has adopted a proactive approach. The organisation is not solely reliant on threat intelligence from corporate sources; instead, it generates its own indigenous threat intelligence through national projects such as the National Critical Communications Centre (NCCC) and honeypot deployments.

Additionally, CERT-In uses the Cyber Swachhta Kendra (CSK) portal to disseminate important information about emerging threats to organisations and end users, including citizens. For instance, many users have encountered alerts through CSK, warning them about bot infections and guiding them to download tools to remove these threats from their devices.

One of the most crucial assets in the power sector is information. When threat actors infiltrate an organisation’s infrastructure, they typically map the entire system to identify which servers or systems hold sensitive data. Once located, this information is often compromised or exfiltrated. Systems that are particularly vulnerable include public-facing servers, financial servers that store tariff and other sensitive financial information, and backup servers.

Today’s cyber attackers employ increasingly sophisticated techniques to infiltrate systems. These methods are designed to leave minimal traces, making it difficult to detect their presence using traditional security tools such as antivirus programs or perimeter security devices.

Quantifying the exact number of cybersecurity threats in the power sector is challenging, but the focus should be on assessing the severity of these threats and prioritising those that require immediate attention. CERT-In focuses on addressing high-severity threats on a daily basis. In collaboration with security agencies, CERT-In sends out alerts when a utility in the power sector is under attack. Upon receiving these alerts, the CEA, with guidance from CERT-In, initiates an incident response.

The first step in this process is to issue standard operating procedures (SOPs) to ensure immediate action is taken. On average, there are six to seven cybersecurity events per month. Fortunately, most of these events are manageable, and threat actors do not usually infiltrate critical power system infrastructure, such as supervisory control and data acquisition (SCADA) systems, distribution management systems (DMS), outage management systems, or advanced DMS, which are integral to discoms.

However, new challenges are emerging, particularly with the advancement of metering systems. The signals and sensors used in these systems are increasingly becoming potential targets. To counter these risks, it is essential to adopt security measures to protect not only physical infrastructure but also the growing cyber infrastructure within the discom sector.

When looking at the broader scope of cybersecurity incidents, including those reported through platforms like CSK and NCCC, the number of incidents can reach hundreds per day. However, high-risk incidents that require intensive intervention are relatively fewer, with an average of 1-2 significant events requiring immediate and detailed response actions each day.

TAT for identifying and rectifying cybersecurity incidents

The turnaround time (TAT) for identifying and rectifying cybersecurity incidents is a significant challenge in the power sector. According to CERT-In guidelines, organisations are required to report any detected incidents within six hours. However, for complex threats such as advanced persistent threats (APTs), the detection time can be as long as 200 days. Once an APT is detected, eradicating the threat and restoring affected systems can be a lengthy and resource-intensive process.

Moreover, threat actors often remain dormant in the system for extended periods, making it difficult to identify their presence until they initiate their attack. This delay in detection further complicates efforts to secure the infrastructure.

In cases where forensic investigation is necessary, CERT-In conducts a thorough analysis to understand the full scope of the breach. A final report is then prepared, which includes not only recommendations for the affected utility but also guidelines to prevent similar incidents in other power utilities in the future.

Measures to prevent cybersecurity incidents

Although it is theoretically possible for cyberattacks to disrupt the grid, the grid network is isolated from IT systems to mitigate such risks. However, certain business requirements necessitate connections between the two networks, creating a point of entry for attackers.

Fortunately, no cybersecurity incidents have yet impacted the grid network. To date, there have been no breaches in the OT network, and the grid remains secure. However, to further protect the OT and grid networks, it is crucial to invest in security devices specifically designed for the OT environment. Monitoring is a key element in detecting cybersecurity incidents. By deploying additional security devices and utilising security operations centres or security information and event management (SIEM) systems, potential threats can be detected early, before they escalate into major disruptions.

Capacity building and sensitisation for utility employees

A critical part of cybersecurity resilience is ensuring that employees in the utilities sector are well-trained and aware of the threats they could face. For employees involved in IT and OT administration, it is important to conduct annual training sessions focused on securing their day-to-day activities and network operations. Additionally, raising awareness among all employees is crucial, as many cybersecurity incidents are caused by phishing and spear-phishing attacks.

These attacks often involve fraudulent emails that impersonate senior officials, prompting employees to click on malicious links or download attachments. This simple action can lead to system compromise. By educating employees on how to identify phishing attempts and encouraging best practices for email security, the risk of such incidents can be minimised.

Through ongoing training and awareness programmes, a stronger cybersecurity culture is being cultivated within the power sector, ensuring that employees are equipped to recognise and respond to emerging threats.

Conclusion

As the power sector continues to embrace digital transformation, the importance of strengthening cybersecurity measures cannot be overstated. While the sector faces a range of traditional challenges, the rise of cyber threats demands immediate attention and proactive strategies to safeguard critical infrastructure. By enhancing threat intelligence, increasing security investments and fostering a cybersecurity-aware culture within utilities, the sector can better mitigate risks and ensure continued, secure operations. It is essential to stay vigilant, continuously adapt to emerging threats, and implement comprehensive policies that protect both physical and cyber infrastructure.

Akanksha Chandrakar