Based on the directions of the National Security Council Secretariat, the Indian Railways updated the operations manual of a system that deals with distributing the power supply of trains to address cyber security vulnerabilities in it.
Last month, the Indian Railways updated the "Technical specification for Supervisory Control and Data Acquisition System for 25V Single Phase 50Hz AC Traction Power Supply". SCADA systems by Indian Railways, monitor and control the traction power distribution, which is the network that supplies power for electric trains to operate.
In the 'reason' section of the January 2023 update, the Indian Railways noted, "Cyber security provisions included as per the directives of the National Security Council Secretariat (NSCS), Government of India to address cyber security vulnerabilities present in it." Moneycontrol has reviewed the document.
This update comes at a time when 19 ransomware attacks were recorded against various government organisations in 2022, which is almost three times those in the previous year.
Last year, the All India Institute of Medical Sciences (AIIMS) was also hit by a ransomware attack that rendered its centralised records inaccessible.
This cyber security directive is also in line with the trend of the Indian government issuing multiple such directions for various government bodies, after the AIIMS ransomware attack.
The publication has reached out to the Research Designs and Standards Organisation of the Indian Railways for further queries on the matter, and the article will be updated when a response is received.
Change passwords oftenThe January 2023 update of the SCADA technical requirement document said that passwords being used in the remote terminal unit (RTU) and remote control centre (RCC) should be changed periodically, once in six months.
The document has also said that policies have to be laid down for changing or modifying any firmware or configuration of the controllers in RTUs and RCCs.
Special concentration has been given to the maintenance of logs, which are records that record changes in databases. "Proper encryption methods shall be used to secure log data," the SCADA technical specification document read.
"The management of log data and its security must be assigned to an individual," another such directive read.
"There shall be different user authorisation levels for accessing logs and data," it added.
For shift changes of personnel, Indian Railways asked Zonal Railways to ensure strict login and logout from computer systems.
"The system should provide at least three security levels for access for different functions with strong passwords having an upper case, lower case, numerals, and special characters. The login shall be name wise and the session shall auto-logout after a predefined time," another directive read.
Not just the Indian Railways, SCADA systems are employed all over the world to monitor and control plants or equipment in sectors such as telecommunications, water, gas, energy, and transportation.
Last year, United Kingdom water supplier, Thames Water, suffered a disruption in its services after a threat actor breached the company's SCADA systems.
In 2022, the United States also warned that advanced persistent threat (APT) actors were targeting SCADA devices and systems, and urged industries to change passwords to such systems.
"The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network," the 2022 US government advisory read.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
