MC Explains: India’s guidelines on cyber security in the power sector

Cyberattacks can be in the form of spyware, malware, network hacking of the grid, or any power utility.

In 2022, the Indian Computer Emergency Response Team (CERT-in), the national nodal agency for responding to computer security incidents, handled 13,91,457 incidents across various sectors of the country, according to its latest annual report. The types of incidents handled included website intrusion and malware propagation, malicious code, phishing, distributed denial of service attacks, website defacements, unauthorised network scanning/probing activities, ransomware attacks, data breaches, and vulnerable services. Accordingly, remedial measures for handling incidents were suggested and implemented in coordination with relevant stakeholders, the annual report stated.

Known cases so far

In 2022, Tata Power, India’s largest power generation company, confirmed that it had been hit by a cyberattack on its information technology (IT) infrastructure, impacting some of its IT systems. No further details of the attack were shared by the company, though.

In 2020, Mumbai faced one of its biggest power outages in decades, which halted essential services like water supply, public transport, and internet connectivity. Work at hospitals was also affected in the thick of the COVID-19 pandemic. Essential operations were supported by backup power. Though the issue was resolved in two hours, some parts experienced power cuts for as long as 18 hours. A New York Times report later said the incident was due to a cyberattack by a group of Chinese government-sponsored hackers.

In 2021, 10 Indian power sector assets, including Mumbai port and Tamil Nadu’s VO Chidambaranar port, were attacked by a hacker group with China links, a US-based company reported. In April 2022, India’s Minister for Power, RK Singh, confirmed that the national power grid had faced cyberattacks.

What do we have in the guidelines?

The Grid Code now mandates regular cyber security audits by all users — National Load Despatch Centre (NLDC), Regional Load Despatch Centres (RLDCs), State Load Despatch Centres (SLDCs), Central Transmission Utilities (CTUs), State Transmission Utilities (STUs), power exchanges, Qualified Coordinating Agencies (QCAs) and State Nodal Agencies (SNAs).

It also mentions the mechanism for reporting any case of a cyberattack. “All entities shall immediately report to the appropriate government agencies in accordance with the Information Technology Act, 2000, as amended from time to time, and the CEA (Cyber Security in Power Sector) Guidelines, 2021, in case of any cyberattack. NLDC, RLDCs, SLDCs, RPCs, and the Commission shall also be informed by such entities in case of any instance of cyberattack,” read the latest Grid Code issued on May 29.

The power sector wing of CERT-in needs to form a Cyber Security Coordination Forum with members from all concerned utilities and other statutory agencies to coordinate and deliberate on the cyber security challenges and gaps at the appropriate level. A sub-committee of the same is to be formed at the regional level.

The CEA (Cyber Security in Power Sector) Guidelines, 2021, state that responsible entities must secure cyber assets through updates, patching, testing, configuration security, and additional controls.

It has mandated power utilities to include specified cyber security clauses in procurement bids, source-critical systems from trusted sources, and have products cyber-tested if no trusted source is available.

Experts speak

Joyce Rodriguez, Partner, Deloitte India, told Moneycontrol that the modernisation of systems and technology, together with the increased number of suppliers in the ecosystem, has further augmented the cyber risk in the country’s power sector.

“The power sector, seen as the nation’s critical infrastructure, is increasingly being targeted with ransomware attacks and advanced persistent threats (APT)-style attacks by cyber criminals and state-sponsored hacktivists. Organisations or the government alone cannot prevent cyberattacks on critical infrastructure in the power sector. The answer lies in collaboration between the government and the private sector to jointly protect the nation’s infrastructure with integrated threat management,” she said.

“Exchanging threat intel in a timely manner, collaborating and sharing best practices through protected platforms, and conducting joint exercises/drills are some of the ways to jointly protect the power infrastructure in India,” Rodriguez said.

The International Energy Agency (IEA) says that power utilities need to include cybersecurity as a core element of their business strategy. “The responsibility for securing power systems does not rest exclusively with power utilities. Policymakers play a central role in enhancing the cyber security of power systems, along with regulators and equipment providers. Without a strategic approach towards ensuring cyber skills, power system stakeholders may not be able to effectively cope with future attacks,” it stated in a recent paper.

The IEA said publicly available information on significant cybersecurity incidents is limited due to under-reporting and a lack of detection. However, there is increasing evidence that cyberattacks on utilities have been growing rapidly since 2018, reaching “alarmingly high levels” in 2022 following Russia’s invasion of Ukraine.

“Recent cyberattacks in the electricity sector have disabled remote controls for wind farms, disrupted prepaid metres due to unavailable IT systems, and led to recurrent data breaches involving client names, addresses, bank account information, and phone numbers. Worldwide, the average cost of a data breach hit a new record high in 2022, reaching $4.72 million in the energy sector," it said.