Globally, the power industry has been the target of an increasing number of cyber-attacks which actually threaten to cripple the sector. Is the Indian power industry capable of handling such intrusive attacks? Or is it in a state of denial?
The developed world has woken up to the threat of cyber-attacks against the energy sector. Of course, this is a no-brainer: no single sector controls the complete economy in the all-encompassing way that the energy industry does. Ergo, it is obvious that intruders with malicious intent would look at targeting power infrastructure as a successful attack can cripple not just a power utility, but even an entire nation.
According to Candid Wueest, Threat Researcher, Symantec, "In the first half of 2013, the energy sector was the fifth most targeted sector worldwide, experiencing 7.6 per cent of all cyber-attacks. So, it's not surprising that in May 2013, the US Department of Homeland Security warned of a rising tide of attacks aimed at sabotaging processes at energy companies." When Symantec monitored cyber-attacks globally between July 2012 and June 2013, it calculated an average of 74 daily attacks across the globe. Of these, nine attacks per day targeted the energy sector. With 16.3 per cent of all attacks, the energy sector was the second most targeted vertical in the second half of 2012. In the first half of 2013, the energy sector accounted for 7.6 per cent of all attacks. And the situation is getting worse. The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that 59 per cent of all the cyber-incidents reported to it originate from the energy sector. The UK alone loses an estimated $664 million annually from attacks on its energy sector.
ABI Research says in a report: "The cyber-protection of critical infrastructure has become the most immediate primary concern for nation states. The public revelation of wide-spread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organized crime syndicates, and civilian society - in short, to anyone with access to an Internet-connected device. The focus on cyber-security is becoming imperative. While some industries have had highly advanced cyber-defence and security mechanisms in place for some time (i.e. the financial sector), others are severely lacking and only just starting to implement measures (i.e. energy)." ABI estimates that by end-2013, cyber-security spending on critical infrastructure would have hit $46 billion globally.
There have been many Hollywood potboilers that have revolved around an apocalyptic end-of-days scenario where the bad guys manage to hack into the systems of a nuclear plant (or power grid) and threaten to end civilization as we know it. These plots could well be a case of cinema imitating reality. When talks, economic sanctions and other pressure failed, the US and Israel unleashed the Stuxnet worm on Iran, specifically targeting Tehran's nuclear plant. Stuxnet broke Iran's nuclear centrifuges by targeting the control hardware that governed the spin rate of these machines. But what this incident demonstrates is that breaking into a nuclear plant's control system is not a very difficult task: Stuxnet spread through infected thumb drives used by maintenance workers.
The Indian response
The developed world has a mature threat-response hierarchy which ensures that many attacks are warded off; a number of US power utilities have a Chief Information Security Officer in place. "Indian utilities in most cases have a CIO doubling up as a CISO. This is a key risk as the reviewee is the reviewer here, hence the ability to have an independent view of the security posture gets compromised," says Sivarama Krishnan, Executive Director - IT Risks & Controls, PwC India.
The American Industrial Control Systems Cyber Emergency Response Team, ICS-CERT, "works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors." It issues regular alerts to critical infrastructure providers on threats, advisories and even publishes an ICS-CERT newsletter for personnel actively engaged in the protection of critical infrastructure assets.
India has still not been able to decide the entity that should be in charge of providing critical cyber-security to its key infrastructure assets. There has been a major turf war going on between the Computer Emergency Response Team-India (CERT-IN), controlled by the Ministry of Communications and Information Technology, and the National Technical Research Organisation (NTRO). According to reports, NTRO has finally been designated as the official entity which will take care of cyber-security for oil & gas, power grids and nuclear installations, among other critical infrastructure assets.
The country really cannot afford the kind of delay that is taking place in appointing a cyber-watchdog. In fact, India came up with a 'National Cyber Security Policy' only in 2013. Among other lofty objectives, the Policy envisages the setting up of a 24x7 National Critical Information Infrastructure Protection Centre, and creating a workforce of 500,000 professionals in cyber-security in the next 5 years through capacity building, skill development and training, and the establishment of a 24x7 National Level Computer Emergency Response Team (the nodal entity). As of today, all this is a work in progress and one can only hope that the new government will take some action.
'We have multiple levels of protection to rule out cyber-attacks' - Devtosh Chaturvedi, MD, Feedback Energy Distribution Company Pvt. Ltd, speaks on the best practices that his company adopts to ward off cyber-attacks.
Securing SCADA systems and Programmable Logic Controllers (PLCs)
We do not use SCADA systems as we deal with the LT distribution network. Our relevant points are Distribution Transformers and consumer meters, where we are using AMR (Automatic Meter Reading) - MDAS (Meter Data Acquisition System) technology. Since data collection and communication are unidirectional (from meter to server), we have installed the back-end software on our secured servers with appropriate protection from cyber-attacks.
Measuring current risk level as far as cyber-threats are concerned
At the gateway level, firewalls, anti-spam and anti-virus tools are deployed to monitor cyber-attacks on a real-time basis. Most of the threats are eliminated at this level itself. Further, there are multiple levels of protection to rule out any cyber-attacks.
Eliminating unnecessary interconnectivity between sensitive data and insecure networks
The sensitive data is not accessible through insecure networks. In case sensitive data is required to be accessed from networks outside the office infrastructure, then access is only provided through application-protection software and there are no chances of data leakage in this case.
Severe Events & Power Utilities
Sajai Singh, Partner, J. Sagar Associates, lays down some guidelines and explores some international best practices for dealing with emergency situations.
According to the report of the Cyber-Attack Task Force commissioned by the North American Electric Reliability Corporation ('NERC'), the foundation assumption for a successful cyber-attack that results in a blackout in several regions is that two events need to occur:
1) Situational awareness needs to have been compromised; and
2) There must be a bulk power system event or instability.
While we don't have a comparable provision in India, the NERC Report does a good job of explaining various aspects of what can happen when a 'Severe Event' occurs.
The term 'Severe Event' has been defined as: An emergency situation so catastrophic that complete restoration of electric service is not possible. The BPS [bulk power system, consisting of generation, transmission, and distribution facilities] is operated at a reduced state of reliability and supply for months or possibly years through the New Normal period.
The NERC Task Force recommends that the first priority for system planners will be to establish communication with essential staff and recover essential planning facilities, information systems, and data needed to begin work. Once this is done, the immediate priority will be to support system operators in their efforts to restore the BPS and supply electricity to customers to the extent possible on a prioritised basis. The initial surviving system will likely be in an 'unstudied' state. Therefore, real-time assessments will need to be performed and step-by-step restoration procedures confirmed by studies before control actions are taken. If there is widespread damage to the system, system planning studies may need to consider using temporary configurations such as partially restored substations. Studies may include operation with less than normal margins, contingencies that may cause loss of load, reconsideration of breaker fault ratings, and reconsideration of transformer overloads.