Safety First: Need for efficient cyber security management

IT penetration in the power sector is increasing with the introduction of the Restructured Accelerated Power Development and Reforms Programme and smart grid initiatives by the government. The bidirectional exchange of data has opened up a number of energy access points and paths in the network. Automated systems are being used for grid management, outage management, distribution automation and metering infrastructure. This has increased the participation level of consumers, suppliers, grid managers and generators in the power network. However, with the increased use of technology, the power system is being exposed to cyber attacks. Failure to address cyber security concerns can pose a high level of risk to the country’s power network.

Identifying data users is a key issue. To increase access to power stations, enterprises have moved to the single sign-on process. However, this has led to an increase in system vulnerabilities. Further, with growing automation of systems, the flow of data has increased, making it difficult for operators to identify important information.

Cyber attacks on a generation plant can lead to an outage of power generation. The power transmission system, which connects geographically scattered generation plants to consumers, also depends heavily on information and communication technologies (ICT) for efficient monitoring and controlling of data. An attack on the supervisory control and data acquisition system or the energy management system can jeopardise the entire data communication network of the grid. A coordinated cyber attack at critical grid nodes (substations) can also cause disruptions in the integrated operation of the power system. These attacks on substation automation systems can damage the installed equipment.

IT penetration in the Indian distribution sector for control and operation is relatively low. Currently, it is only concentrated in management information systems, and the metering and billing segment. But with the centralisation of distribution systems, the exposure to cyber threats is increasing. For instance, manipulation of data by consumers through automated meter reading affects not only the reliability of the system but also the revenue potential of the state distribution agencies.

Framework in India

A well-established framework of standards and guidelines is required to identify problems and reduce the vulnerabilities in the ICT system deployed for the power sector. In this regard, the Information Technology Act was introduced in 2000, and was later amended in 2008. Under the IT Act, 2008, the Ministry of Information Technology has defined cyber security as “protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction”.

In January 2004, the Ministry of Power (MoP) set up the Indian Computer Emergency Response Team (CERT-IN) for the collection, analysis and dissemination of information on cyber incidents, forecasting and creating prevention alerts, undertaking emergency measures, coordinating cyber incident response activities, and issuing guidelines, advisories, vulnerability notes and white papers related to information security practices, procedures, prevention, response and reporting of cyber attacks.

The Department of Information Technology has prepared a crisis management plan for countering cyber attacks and preventing large-scale disruption in the functioning of critical information systems of various governmental and private organisations. CERT-IN has shared this plan with the key players and asked them to prepare sector-specific cyber management plans.

In December 2010, the MoP created three crisis management groups under CERT-IN to look after cyber security for different segments. These are:

  • CERT-Thermal (nodal agency: NTPC)
  • CERT-Hydro (nodal agency: NHPC)
  • CERT-Transmission (nodal agency: Power Grid Corporation of India)

Crisis management plans for the thermal and hydro segments have already been prepared by the respective nodal agencies. These agencies carry out cyber security audits in their organisations and participate in mock drills conducted by CERT-IN. A crisis management plan for the transmission segment is under preparation.

Compliance with information security management practices as per international standards has been mandated for government and critical sectors. CERT-IN also assists these sectors in meeting the standards for cyber security. Globally, many security compliance standards and technologies have been developed to address cyber security issues. The International Electrotechnical Commission (IEC) has prescribed standards for electrical, electronic and other technologies. Some of these standards are relevant in the Indian context. These include IEC 62351 Parts 1 to 7 for power system control operations and the IEC TC 57 WG15 security standards; the Critical Information Protection standards set by the US-based North American Electric Reliability Corporation; the National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems Security 800-82; the NIST Guide to Smart Grid Cyber Security NISTIR-7628; and the Center for Protection of National Infrastructure guidelines. The Sectional Committee LITD-10 of the Bureau of Indian Standards and the Central Power Research Institute are preparing guidelines for a cyber security framework, issues and standards. The LITD-10 is based on the IEC 62351-1 to 62351-7 standards. Separate documents for each specification of IEC 62351 have already been issued by the committee.

In July 2013, the Guidelines for Protection of National Critical Information Infrastructure were released by the Government of India. These guidelines were prepared by the National Critical Information Infrastructure Protection Centre, which functions as a specialised unit under the National Technical Research Organisation to protect the country’s digitised information from cyber attacks. Initially, the guidelines were prepared for only those departments that were vulnerable to cyber attacks, such as external affairs, power and telecommunications.

A year after the major national grid collapse in July 2012, the Department of Information Technology released the National Cyber Security Policy 2013, which aims at facilitating the creation of a secure data computing environment, enabling adequate trust as well as confidence in electronic transactions and guiding stakeholders on cyber security management. It outlines a roadmap to create a framework for a comprehensive and collaborative response to deal with the issue of cyber security at all levels within the country. The strategies mentioned in the policy include the creation of a secure cyber ecosystem, an effective IT product assurance framework, cyber security awareness and a mechanism for vulnerability management; strengthening of the regulatory framework; providing e-governance services; protection of critical information infrastructure; promotion of research and development in cyber security; reduction in supply chain risks; human resource management; developing effective public-private partnerships and information sharing among the various stakeholders. The department has also proposed to prioritise policy implementation.

Meanwhile, the Indian Smart Grid Task Force has formed the Working Group-5 Physical Cyber Security, Standards and Spectrum, specifically to deal with problems related to cyber security. It is also working closely with working groups of the Indian Smart Grid Forum for developing smart grid cyber security mechanisms, risk mitigation measures, and regulatory as well as policy measures for cyber security. The working group has finalised the detailed terms of reference, and is in the process of developing solutions to meet these objectives.

Recommendations

Identification of critical infrastructure assets vulnerable to cyber attacks, like major power stations, load despatch centres, extra high voltage substations, high voltage direct current stations, generation plants and distribution grid feeders, should be prioritised. As per the requirements of these critical systems, the existing communication network should be upgraded. All remote terminal units and communication equipment should be supplied uninterruptible power and provided with proper battery backup to prevent data loss in case of a total power failure.

The IT industry is growing rapidly; for effective data management, the relevant agencies therefore need to be equipped with the required tools to deal with potential threats. Sector-wise cyber management plans should be prepared and updated regularly. All stakeholders need to play an active role in fighting cyber threats. Power organisations should keep track of abnormal events and report these to the sectoral CERTs or CERT-IN. A cyber audit should be conducted at critical plants and substations in order to detect malware targeting industrial control systems.

Further, to ensure smooth operation of the grid system, it is important that all power generation units and distribution stations are connected to a reliable telecom network. The network should be built using a multiprotocol label switching system, which is simple, cost-effective and reliable. In remote places, where connectivity is a problem, the stations can use dedicated optic fibre cable from the nearest node with an effective communication network.

The cyber security management system in India is still evolving and requires active participation from the government to set up and implement a reliable roadmap.

Based on a presentation by R.K. Verma, Chief Engineer, Central Electricity Authority, at a Power Line conference