Subscriber Login

Policy Review

India’s Cybersecurity Concerns: Government takes steps to secure the grid [free access]

March 12, 2018

Recent months have witnessed an exponential increase in cyber attacks on critical infrastructure across the globe. The famous cyber attacks on the Ukraine grid in 2015 and 2016, which penetrated the electricity distribution control centre, causing power outages and sabotaging distribution equipment, have highlighted the gravity of the situation. With the increasing adoption of smart technologies, the need for cybersecurity has become paramount.

 

Further, as grid operations become increasingly automated and are connected to the Internet or other computer networks incorporating two-way communications, they also become more vulnerable to cyber attacks. In line, utilities, governmental organisations and regulators, and regional associations across the world are undertaking initiatives and measures to protect their critical infrastructure, including electric grids, from cyber attacks. In 2017, the European Commission published a report on cyber security that put forward actions that needed to be taken to prevent cyber attacks and manage risks for energy infrastructure. The US already has a cybersecurity strategy in place, which prescribes mandatory standards through the North American Electric Reliability Corporation (NERC), the Federal Energy Regulatory Commission (FERC)-designated electric reliability organisation.

 

India witnessed more than 27,000 cybersecurity threat incidents in the first half of 2017. The number of cyber attacks in the country has growth steady from over 44,600 in 2014 to over 50,300 in 2016. To combat growing cyber attacks, India’s central government has been undertaking several initiatives, especially with regard to critical infrastructure.

 

Key initiatives

For the power sector specifically, one of the early steps towards cybersecurity has been the setting up of sectoral computer emergency response teams (CERTs) by the Ministry of Power (MoP) in line with the National Cyber Security Policy 2013. The setting up of the Indian Computer Emergency Response Team (CERT-In) following the Information Technology Act, 2000, was one of the initial steps towards addressing cybersecurity concerns. The organisation deals with all aspects of cybersecurity, ranging from standards and guidance to compliance monitoring and incident response.

 

Separate CERTs have been set up for the thermal, hydro, transmission and distribution segments to coordinate with power utilities. While NTPC Limited is the nodal agency for CERT-Thermal, NHPC Limited is the agency for CERT-Hydro, Power Grid Corporation of India Limited is the agency for CERT-Transmission and Central Electricity Authority (CEA)(distribution planning and development division) is the agency for CERT-Distribution. The nodal agencies are responsible for the crisis management plans of their respective segments.

 

Recently, the government set up a central-level coordination agency for these sectoral CERTs, called the Information Sharing and Analysis Centre. The agency will be responsible for sharing and analysing various cybersecurity incidents in the power sector and providing a common platform for the four sectoral CERTs. Further, the Government of India through the National Critical Information Infrastructure Protection Centre (NCIIPC) has been taking steps to create awareness among power utilities and other key stakeholders regarding the threats from cyber attacks and suggest precautions. NCIIPC has also been tasked with identifying important and vulnerable critical information infrastructure. 

 

In addition, the Bureau of Indian Standards (BIS) has set up two groups with the objective of enhancing the standards for cybersecurity for power utilities. The first BIS group is working on the second part of Indian Standard 16335, which pertains to the security requirements of power systems. It will consider the cybersecurity manual issued by the India Smart Grid Forum (ISGF) as its reference document. Part one of the Indian Standard 16335 was published in 2015, and specifies the requirements for identification and protection of all critical assets involved in generation, transmission, distribution and trading. The second group at BIS is currently studying IEC-62443, a series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems, issued by the International Electrotechnical Commission. The BIS group is exploring the adoption of IEC-62443 as an Indian standard. The regulations are expected to be issued by August 2018. 

 

Recognising the need for cybersecurity measures, ISGF has also formed a working group to focus on security issues. In 2016, ISGF in association with NCIIPC had prepared an Indian manual on cybersecurity for power systems.

 

Conclusion

There has been a significant rise in cyber attacks in recent years. In a recent report, CEA has pointed out that smart grid systems currently lack security and that a mechanism for information sharing on cybersecurity incidents needs to be developed. Further, given the vulnerabilities in the operation of the power system devices, developing a multiple-threat intrusion detection system is extremely important. Therefore, the Ministry of Power has advised relevant stakeholders of the smart grid to identify critical infrastructure and use end-to-end encryption for data security.

 

Given that utilities are digitising their critical infrastructure with advanced technology applications and adding more Internet protocol gateways and other data delivery elements to their networks, data is becoming more susceptible to cyber attacks. Therefore, having proper cybersecurity measures in place is crucial for them. The government has taken cognisance of these issues and its efforts are expected to pave the way for a more secure and modern power grid.