IN THE wake of the Wannacry ransomware attacks last year, the Central Electricity Authority (CEA) has warned of threats to smart grid systems in the country and an “urgent” need to develop a cyber security framework to address security needs in the country’s power sector.
The Wannacry ransomware attack in May 2017 had affected computers and systems in 150 countries, including India after which, the Ministry of Power had tasked the CEA — the apex policy advisory body in the electricity sector — with constituting a committee to discuss various issues including “cyber security issues in the power sector”. The CEA submitted its report on July 19, 2017.
The CEA’s warning comes in the backdrop of a December 23, 2015 incident, when hackers successfully attacked information systems of three prominent power distribution companies in Ukraine, disrupting the electricity supply to approximately 250,000 Ukranians. A similar small-scale attack occurred in Ukraine’s capital, Kiev in December 2016 and led to a power outage for about an hour. Ukraine had blamed the attacks on Russian hackers.
A smart grid — any power network used to supply electricity to consumers via two-way digital communication — is more vulnerable to cyber attacks. “Unfortunately, sophisticated cyber attacks on advanced metering infrastructures (smart grids) are a clear and present danger. The most devastating scenario involves a computer worm that traverses advanced metering infrastructures and permanently disables millions of smart meters,” said a study published in International Journal of Infrastructure Protection in September last year. Hackers constantly scan cyber space to detect vulnerable systems that can be exploited to breach networks, particularly if it can lead to an opening to effect a cascading impact on a larger supporting infrastructure like the country’s power grid.
In light of such systemic vulnerabilities, the atomic power sector – unlike the conventional power sector – has undertaken measures to thwart such attacks. According to government officials, the Indian nuclear establishment’s plant control systems and electronic systems are designed and developed in-house using “custom built hardware and software” that are subjected to regulatory verification and validation, thereby making it relatively immune to cyber security threats. Also, critical infrastructure of Indian nuclear establishment is isolated from the Internet.
The Department of Atomic Energy (DAE) also has specialist groups like Computer and Information Security Advisory Group (CISAG) and Task force for Instrumentation and control security (TAFICS) to look after cyber security/information security of DAE units, which includes all of the country’s 22 reactor units.
The CEA has recommended new “testing standards” for power utilities, the creation of a “test bed” at Central Power Research Institute (CPRI), modified procurement guidelines for equipment used in power utilities and security audits of all Supervisory Control and Data Acquisition (SCADA) systems and Energy Management Systems (EMS).
“Though India in past few years has developed technical standards for evaluating cyber security/ cyber-attacks, there is a perceived lack of security built into the smart grid systems. Further, the mechanism for information sharing on cyber security incidents need to be developed. Given the vulnerabilities in the operations of the power system devices, including present practices followed, developing a multiple-threat intrusion detection system is the need of the hour,” stated the CEA report, titled ‘Cyber Security in Power System’.
“Cyber and physical security threats pose a significant and growing challenge to electric utilities. Unlike traditional threats to electric grid reliability, such as extreme weather, cyber threats are less predictable and therefore more difficult to anticipate and address. This calls for an urgent need to develop a cyber security framework and regulatory response to address the specific security needs of the power sector in India,” the CEA’s report stated.
After submitting this report, the CEA, on August 11 last year, also gave the Power Ministry a presentation on cyber security. Through its report, the CEA informed the Power ministry that two subcommittees at the Bureau of Indian Standards (BIS) have been working on “draft standards” to enhance cyber security.
“One group is working on the manual on cyber security of power systems so auditing of organisations (power utilities) based on the standard can be achieved. The second group aims to bring in draft IEC 62443, which are specifications as part of the standard wherein the compliance requirements for products of Industrial Control Systems is being dealt with,” the CEA’s report stated.
State-run PSUs Power Grid Corporation of India Limited (PGCIL), NTPC Ltd, which is India’s largest power generator, the Power Ministry and the Bureau of Indian Standards did not respond to queries sent by The Indian Express.
One chapter of the CEA’s report specifically analyses whether it is possible to limit tendering to only domestic firms for better cyber security since India is bound by international treaty commitments. The report recommended a “modification” in procurement guidelines for equipment used in power utilities. According to a senior government official, the Power Ministry is likely to amend the regulations that will introduce multiple checks for all imported power equipments.
“Widespread connection of smart control mechanism for power equipment, smart appliances and other energy control devices will increase digital complexity and shall invite more attack points, and therefore require more intensive cyber security protection…Considering that cyber security risks are evolving, and cyber-security is not a point in time activity, it needs to be further reviewed and enhanced from time-to-time,” the CEA’s report stated.
Expressing concern, the CEA added that it was necessary that the country’s security establishment “have complete information about the mechanism of protecting critical infrastructure like power sector, its crisis management plan and command structure and procedures to follow in case of an emergency due to cyber security threat”.