While the introduction of information and communication technology (ICT) into the power sector has improved the efficiency and reliability of systems, it has also made them more vulnerable to cyberattacks. The introduction of smart grids has made real-time data more readily available but an attack on smart meters and smart appliances can not only lead to commercial losses but also breach individual consumers’ privacy.
Areas such as grid supervisory control and data acquisition (SCADA) systems, outage and distribution management systems of discoms, advanced metering infrastructure, and IT-enabled metering, billing and consumer portals are the most prone to cyber attacks.
Impact of cyber attacks
The impact of cyber attacks varies across the generation, transmission and distribution segments. In the case of generation, an entire power plant can be forced to shut down if exposed to a cyberattack. The control systems of the plant can also be compromised, putting the safety of the concerned personnel in jeopardy. However, an attack on one generation plant can be brought under control quickly as it does not affect other grid-connected generation plants. Hence, grid stability can be managed through contingency planning.
In the case of transmission systems, any attack on the SCADA and energy management systems can jeopardise the controlling and monitoring of the grid, which in turn affects the reliability of the entire power system. A coordinated cyber incident aimed at critical grid nodes or substations can cause disruptions in integrated grid operations. Moreover, cyber attacks on substation automation systems can cause damage to equipment and compromise the safety of its operating personnel. However, the severity of the impact in terms of its impact on grid stability is contingent on the criticality of the node under attack.
In the case of distribution, the impact of a cyber incident might not affect the stability of the grid since IT penetration in the distribution sector is relatively low and limited to metering, billing and management information system applications. However, with the increasing centralisation of distribution systems, the severity of cyber attacks could increase. If a cyberattack takes place at a strategic central location, there could be a complete power supply failure. Any tampering with the advanced metering infrastructure could also result in wrong reporting, thereby leading to faulty decision-making.
The Information Technology Act, 2000, and the Amendment Act, 2008, designated the Indian Computer Emergency Response Team (CERT-In), constituted in January 2004, as the nodal agency for responding to computer security incidents. The organisation, which is housed under the Department of Information Technology, Ministry of Communications and Information Technology, has prepared a crisis management plan (CMP) for countering cyberterrorism and cyber attacks in order to prevent large-scale disruption in the functioning of critical information systems of the public and private sectors.
Cyberthreats listed in the CMP include large-scale defacement and semantic attacks on websites, malicious code attacks (virus, worms, trojans or boot nets), large-scale spam attacks, large-scale spoofing, phishing attacks, vishing attacks, infrastructure attacks, compound attacks, router-level attacks, high energy radio frequency attacks, cyber espionage, and unauthorised access.
Taking a cue from this national-level organisation, the Ministry of Power constituted three separate CERTs for the power sector in December 2010: CERT-Thermal with NTPC Limited as its nodal agency, CERT-Hydro with NHPC Limited as its nodal agency, and CERT-Transmission with Power Grid Corporation of India Limited as its nodal agency, to take the necessary action for preventing cyber attacks on utilities under their jurisdiction. State utilities have also been asked to prepare their own CMPs and coordinate with nodal agencies for initiating the necessary actions.
In addition, guidelines for the cybersecurity framework and related issues and standards are being prepared by the Bureau of Indian Standards in association with the Central Power Research Institute to help identify problems and reduce vulnerabilities in ICT systems.
The India Smart Grid Task Force has been set up by the Government of India under the leadership of Sam Pitroda. It constitutes five working groups, one of which deals with cybersecurity and its standards and spectrum. Similarly, the India Smart Grid Forum has 10 working groups, one of which focuses exclusively on cybersecurity.
Apart from these, certain short-term measures can help avoid such situations with immediate effect. Increasing the security around vulnerable areas by deploying personnel of the Central Industrial Security Force or other government-approved security agencies is one such measure. The identification of assets which are most prone to such attacks like power station control rooms, extra high voltage substations, generation plants, and distribution grid feeders is also critical. Apart from this, the deployment of secure network architecture for control centres, various network security products like firewalls, intrusion detection systems, intrusion prevention systems, virtual private networks, IPsec and central logging servers, CCTV cameras, and biometric scanning also works towards the immediate prevention of such cyber attacks.
Future road map
Given the criticality of the situation, the harmonisation of various standards and guidelines on cybersecurity for power systems assumes paramount significance. There is a need for formulating and enacting a cybersecurity policy for the power sector in synchronisation with the CERT. State transmission and distribution utilities need to strengthen communication networks by laying optical fibre cables. Utilities also need to devise mitigation strategies for countering physical attacks and special agencies for training personnel about the aspects of cybersecurity need to be identified. Most importantly, vendors specialising in cybersecurity systems compliant with international and national standards need to be identified and put on the map.
Even though grid failures detected as of now have not shown any connection with cyber-attacks, the latest developments in SCADA and systems automation warrant the need for the preparation of sector-based CMPs in line with the CMP prepared by CERT-In, considering the specific threats to systems. Remote thermal units and communication equipment should have an uninterrupted power supply with full battery backup so that supervisory commands and control channels do not fail in case of a total power failure.
With the increasing penetration of new technologies in the power sector by way of smart grids, smart meters, SCADA systems, etc., across all its segments, the threat of cyber attacks has become more prominent than ever. Thus, requisite measures for improving cybersecurity are needed to avoid any disruption in services, safeguard the grid and provide reliable power.
Based on a presentation by Ravindra Kumar Verma, Chief Engineer, Central Electricity Authority, at a recent Power Line conference