Two groups at the Bureau of Indian Standards (BIS), which are currently working to review and enhance the cyber-security standards for power utilities, are likely to issue them within the next six months.
The Central Electricity Authority (CEA) — the apex policy advisory body in the electricity sector — submitted its report titled ‘Cyber Security in Power System’ to the Ministry of Power on July 19, 2017. In this report, it raised a red flag, telling the government of “a perceived lack of security built into the smart grid systems” of the Indian power sector and “an urgent need to develop a cyber security framework and regulatory response to address the specific security needs of the power sector in India”. The CEA report mentioned the two groups at the BIS that have been working to issue cyber security standards.
The BIS informed The Indian Express on Monday that the first group “is currently working on the part two of Indian Standard 16335 which would consider India Smart Grid Forum (ISGF) cyber security manual as reference document”. In 2015, the BIS published part one of Indian Standard 16335, ‘Power control systems — Security Requirements’, which specified the requirements for identification and protection of all critical assets involved in the generation, transmission, distribution and trading of power.
According to a senior government official, the BIS has been working on part two of Indian Standard 16335 for more than 15 months. “We have studied the last year’s CEA report. We expect the BIS to issue the part two of this (16335) standard within next six months,” the official added.
The second group at the BIS is currently studying and exploring the adoption of IEC 62443, which has been issued by the International Electrotechnical Commission, as an Indian standard. IEC 62443 is a series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). The senior government official quoted above told The Indian Express that the second group is likely to issue the adopted standard within the next 6-7 months.
When The Indian Express asked the BIS when the second group would issue the Indian Standard 62443, it stated: “The IEC 62443 series is already a published series of International standard. The second Subgroup work was to study and explore the adoption of IEC 62443 as Indian standard. This work is still in progress.”
“Though India in past few years has developed technical standards for evaluating cyber security/ cyber-attacks, there is a perceived lack of security built into the smart grid systems. Further, the mechanism for information sharing on cyber security incidents need to be developed. Given the vulnerabilities in the operations of the power system devices, including present practices followed, developing a multiple-threat intrusion detection system is the need of the hour,” the CEA stated in its report that was submitted on July 19 last year. When The Indian Express asked the BIS whether the Ministry of Power had asked it to develop any additional standards after July 19 last year, the BIS replied in the negative.
A smart grid — any power network used to supply electricity to consumers via two-way digital communication — is more vulnerable to cyber attacks. “Unfortunately, sophisticated cyber attacks on advanced metering infrastructures (smart grids) are a clear and present danger. The most devastating scenario involves a computer worm that traverses advanced metering infrastructures and permanently disables millions of smart meters,” said a study published in the International Journal of Infrastructure Protection in September last year.
The CEA’s report came against the backdrop of a December 23, 2015 incident, when hackers successfully attacked information systems of three prominent power distribution companies in Ukraine, disrupting the electricity supply to approximately 250,000 Ukrainians. A similar small-scale attack occurred in Ukraine’s capital, Kiev, in December 2016 and led to a power outage for about an hour. Ukraine had blamed the attacks on Russian hackers. The WannaCry ransomware attack in May 2017 affected computers and systems in 150 countries, including India, after which the Ministry of Power tasked the CEA with constituting a committee to discuss various issues including “cyber security issues in the power sector”.