A Growing Threat

Power utilities pay increasing attention to cybersecurity

The threat of cybercrimes is alarming ev­ery sector across the world. In 2020, ab­out $6 trillion worth of losses due to cybercrimes were reported globally. The power sector is equally at risk of cyberattacks due to increasing digitalisation. Developments such as data interconnectivity, sensorisation and the increased attack surface of utilities are breeding grounds for such attacks. For instance, recently, 30 substations of three discoms in Ukraine were affected by cyberattacks. In 2020, India’s position on the global cybersecurity index has improved from 49 to 10, implying that there is perceptible visibility of people trying to take action on the ground, both at the organisational and the governmental level. However, following the pandemic last year, global threats and actors have multiplied several-fold.

In October 2021, India’s Central Electricity Au­thority (CEA) released guidelines for cybersecurity in the power sector for the first time. The guidelines have to be adhered to by all power sector utilities. They include norms for laying do­wn a cyber assurance framework; strengthening the regulatory framework; putting in place mechanisms for early warnings, vulnerability management and response to security threats; and securing remote operations and services, among others. The norms are applicable to all res­­ponsible entities as well as system integrators, equipment manufacturers, suppliers/vendors, service pro­viders, and information technology (IT) hardware and software original equipment manufacturers (OEMs) engaged in the Indian power supply system. The guidelines mandate information and communications technology-based procurement from identified and trus­ted sources, failing which the product would have to be tested for malware/hardware trojans before deployment in the power supply system network.

New and emerging solutions

The biggest threat is the insider threat, as data proliferation mostly takes place due to insiders. To overcome this threat, an organisation must develop a practice of background checks for not only visitors and vendors, but for employees of the organisation itself. The new CEA regulations mandate that a new employee’s background must be checked and a bond must be signed whe­re­by the employee will be held responsible for any data leakage or damage to the system or any threat arising because of the employee.

Over time, the domains of physical security and cybersecurity have become interrelated. The idea of cyber-physical security has thus gained prominence, due to the need for physical access and boundary disciplines. If there is no physical security, even the best cybersecurity would be of no use. A classic example of this is the practice of placing a laser guide against tools, since it is not possible to define the type of instrument an attacker is carrying unless they are physically checked. This way, the entire process of the operation of the instrument can be captured, and the vulnerability can be detected.

Another issue arises from operating legacy systems. Legacy systems were not designed for cybersecurity, so we cannot harden them to en­sure the most secure operation. They can be sec­ured only to a limited extent. Hence, there is a need to phase out such legacy systems, ins­tead of risking operations. Here, management has to take a call, as cyberattacks may entail losses amounting to crores of rupees.

Further, while the life of an operating system is 25-35 years, IT software has a life of just 7-10 years, as such technologies change rapidly. This makes legacy systems redundant with hu­ge costs for replacing them or upgrading them to the latest version. This gap in a utility’s contractual agreement with a OEM needs to be plugged. Moreover, in order to ensure that the product procured is cyber-secured, utilities sho­uld document it in the bid document itself. Fur­ther, utilities need to mention if they have been attacked, so that the Indian Computer Em­er­gen­cy Response Team (CERT-In) can play an active role in limiting damages to other utilities. The entire attack scenario should be analysed, for which forensic expertise should be developed in our country. Another solution is to app­oint chief information security officers (CISOs) for both generation, and transmission and distribution (T&D), so that continuity is maintained bet­ween these two sides. Further, they should back each other up during emergencies, and ensure a proper inflow of information.

Some other solutions include cross-functional management of IT and operational technology (OT) teams, rather than having them work in isolation, for better results. Utilities need to go be­yond classical antivirus and rule-based methodologies, and artificial intelligence- and machine learning-based network methodologies could be useful. Training for both IT security personnel and users should be ensured, and operations on legacy systems, which are not designed for cy­ber­security, need to be phased out.

Utilities should register with the Cyber Swachhta Kendra (CSK), which publishes alerts regarding suspected vulnerabilities several times a month and also presents a monthly situational awareness report. As of July 2021, out of 194 unique organisations registered on the CSK, 41 pertain to thermal generation and 65 pertain to discoms.

Issues and concerns

When it comes to providing reliable and authenticated data, the major concern is collecting the data from machines with no intervention or ma­nipulation in the process. Another concern is that there is little awareness regarding cybersecurity tests. Utilities are not aware of what tests need to be conducted, so they do not in­clude their cybersecurity requirements in the bid document. This means that the utility does not know whether the equipment it is buying is cyber-secure or not. Further challenges include expansive geographies and distributed management, which make it difficult to control such attacks. Moreover, there are no labs that can certify compliance with IEC 20243 for software and IEC 62443 for OT protection.

The way forward

We lack a cyber-secure ecosystem. It is being de­ve­loped, but will still take some time to fully mature. Till then, maintenance of cyber hygiene should be prioritised. This can be achieved by being ISO 21001-certified, and performing regular system audits and BRPG testing to check if new vulnerabilities have been introduced during operations. This can ensure that the system is kept healthy at all times. The National Cyber Co­o­rdination Centre, part of the Ministry of IT, has come out with a threat support canvas and is en­couraging designated utilities to take part. Th­rough this, metadata at the organisational level will be matched with that at the national level to ensure that any threat can be perceived externally and passed on to the organisation.

Utilities should get their systems audited regularly, and once audited, they should plug the non-affirmative areas. Any minute abnormality should be flagged and investigated. OEMs and industry experts should be consulted on the me­a­sures to be taken, as any potential sabotage can take the shape of a big cyberattack.

Going forward, a response is needed in terms of people, processes and technology, followed by partnership between the government and utilities. Training is key, not only for IT security personnel but also for users. IT and OT teams should not work in isolation, but as cross-functional teams.

The CEA is currently developing a cybersecurity test bed for the power sector at the Central Power Research Institute, Bengaluru. It is encouraging industry people to come up with facilities that can be leveraged for commercial purposes. Every power sector utility should have some sort cyber-testing facility, for which adequate infrastructure needs to developed, going ahead.

Based on a discussion with Sanjay Prasad, Chief Information Officer, CESC Power Group, and M.A.K.P. Singh, Chief Engineer, IT, Central Electricity Authority, at a recent Smart Utilities conference