Securing the Grid: Taking steps to prevent cyberattacks

Taking steps to prevent cyberattacks

As per industry experts, there are three high-level smart grid security objectives: availability, in­te­grity and confidentiality. The use of information is of ut­most importance in a smart grid network. This is because a loss of availability leads to disruption of access to information, which may further un­der­mine power de­livery. At the same time, a loss of integrity results in unauthorised modification or destruction of information and can further induce in­correct decision-making regarding pow­er management. Also, confidentiality is necessary to prevent unauthorised disclosure of information that is not open to the public and individuals. Although considered to be least critical for system reliability by many experts, confidentiality is now gaining more im­portance, particularly in systems that involve in­teractions with customers.

Cyberattacks and cyber intrusion atte­m­p­ts in the power sector are carried out either to compromise the power supply system or to render grid operations insecure. Such compromises may result in equipment damages, mal-operation of eq­uipment or even in a cascading grid bro­wnout/blackout. Th­rough social engineering techniques, it is also possible for an insider or outsider to jump into the

ar­ti­ficial air gap created by firewalls bet­ween any information technology (IT) and operational technology (OT) system.

Recent initiatives to mitigate cyberattacks

The power ministry, on its part, has set up six computer emergency response te­a­ms (CERTs) for grid operation, thermal, hy­dropower, electricity dis­tribution, tra­n­s­mission and renewable en­ergy. In ad­di­­tion, India has a National Cyber Co­o­rdi­nation Centre (NCCC). Cyber­secu­rity  mock  drills  in  coordination  with  CERT-In  are  also conducted regularly  in  utilities, as per the mi­nistry. Meanwhile, in 2021, the power ministry and the Ce­n­tral Electricity Autho­rity (CEA) re­lea­sed guidelines for cybersecurity in the power sector for the first time. The guidelines were prepared after in­tensive deliberations with stakeholders and inputs from expert agencies in the field of cybersecurity, such as CERT-In, NCIIPC, NSCS and IIT-Kanpur, and subsequent deliberations in the Ministry of Power.

The guidelines lay down a cyber assurance framework, focusing on strengthening the regulatory framework as well as for putting in place mechanisms for early warning of security threats. The guideli­nes also focus on vulnerability management and response to security th­reats, and secure remote operations and servi­ces, among others. These norms are app­licable to all relevant entities as well as system integrators, including suppliers/ vendors as well as IT hardware and software OEMs en­gaged in the power supply system. As per the guidelines, a product will have to be tested for malware/hardware trojans before deployment for use in the power supply system network. The guidelines mandate ICT-based procurement from identified “trusted sources” and “trusted products”. Fur­ther, products imported from prior reference co­untries would need to undergo type testing.

These guidelines are mandatory requ­ire­ments that need to be met by all stakeholders. They lay emphasis on establishing cyber hygiene, training all IT and OT personnel on cybersecurity, and designating cybersecurity training ins­ti­tutes and cyber testing labs in the country. The CEA is also working on cybersecurity regulations. The cybersecurity guidelines are a precursor to the same.

The way forward

The Indian cybersecurity industry nea­rly doubled in size amidst the pandemic, with revenues from cybersecurity products and services growing from $5.04 billion in 2019 to $9.85 billion in 2021. According to data provided by the Data Security Council of India (DSCI), the growth was led by factors such as inc­reased regulatory attention to data and privacy as well as growing boardroom awareness around cyberthreats. This trend is expected to accelerate further, gi­ven the new realities created by the Covid-19 pandemic, with the migration of communications, operations and da­ta to the cloud and remote operations.

Enhancing the cyber resilience of power systems is thus becoming a key priority for all stakeholders. Four of India’s five regional centres that help oversee the crucial electricity load management fun­ction faced cyberattacks in recent months, ac­­cording to a written res­po­nse to Parliament by the power minister in July 2021. These were the So­­­ut­hern  Re­gio­nal  Load  Despatch  Centre  (SRLDC),  the Wes­te­rn Re­gio­nal  Load  Despatch Ce­­ntre  (WRLDC),  the No­­r­thern  Regio­n­al  Load  De­spatch  Centre (NRLDC)  and  the North  Ea­s­tern  Regional  Lo­ad  De­­s­­patch  Centre (NERLDC)  of  the Po­w­er  Sy­stem Operation  Corporation  (POSOCO),  besides NTPC  Kudgi  and  Te­la­­ng­ana  State  Transco. Necessary is­o­lation and ot­h­­er protecti­ve measures were taken  by  these  organisations.

Net, net, the need of the hour is to de­ve­lop comprehensive frameworks that can tackle cyber­threats and provide architectural as well as analytical countermeasures for the prevention of such attacks. Outdated and vulnerable software, inadequate network segregation, and insufficient logging and monitoring are some of the challenges that need to be addressed.  Designing security awareness and training program­mes that comply with local, state and national policy and regulatory frameworks can also go a long way in providing support to the overall smart grid security infrastructure.