The electricity sector in India is starting to deploy smart grid technologies with the hope that they will play a central role in strengthening this sector so it can provide the clean, quality power the country needs to meet developmental, environmental, and political goals. Smart grids are equipped with information and communication technology (ICT) that helps to improve operational efficiency, but ICT also introduces cybersecurity vulnerabilities.
The Indian smart grid institutional and regulatory environment is weak and the problem is exacerbated by the extreme debt of electricity distribution companies. Due to insufficient regulation of information sharing and incomplete institutions to facilitate it, information on cyber attacks and equipment vulnerabilities is nearly non-existent. But we can infer from the international cybersecurity climate that the energy sector is a target of increasingly sophisticated attacks. Additionally, the national climate shows that India is generally unsecure in cyberspace.
The US Industrial Control Systems – Computer Emergency Response Team (US ICS-CERT) has published numerous reports on vulnerabilities in software and hardware that are used in India, including SCADA software. National cybersecurity standards for smart grids and regulation enforcing them are not in place. Beginning with a macro perspective, I examine cyber attacks on the energy sector globally in order to understand the weight of contemporary cybersecurity issues. Then I focus on India’s cyber landscape to illuminate what is at stake for the electricity sector and how the government and regulators can work to leverage smart grid technology with resilience in mind.
Cybersecurity Climate in India and Beyond
The energy sector faces threats of many types. Protecting consumer information and company data is one, and there have been many instances of attacks in the last five years meant to steal data. Attacks dubbed Night Dragon stole proprietary information from energy companies around the world. In 2012 project files from ICS company Telvent (now owned by Schneider Electric) were stolen. These project files had information on smart grid and oil pipeline control systems. Both attacks came from China, which has an aggressive offensive cyber policy aiming to accrue information on governments and private industry to maintain economic, political, and military advantages against potential adversaries. China’s actions pose direct threats to India’s goals for economic growth and international political and military clout.
The data breaches that result from such attacks can expose anything from consumer financial information to business plans and proprietary technology designs, but the most frightening cyber attacks can affect the safety and functionality of industrial operations, including those in critical infrastructure sectors. Critical infrastructures are those types of infrastructure that are fundamental to the operation of society; electricity infrastructure is in a way the most critical because all other types of critical infrastructure are dependent on it.
Cyber attacks that intend to disrupt or destroy critical infrastructure go after the control systems. Such systems are known as industrial control systems (ICS), they consist of software suites on central computers networked with sensors and machines of many kinds. They can automate manufacturing processes in factories, open valves in water pipelines, and collect information from electricity meters remotely. In the electricity sector ICSs are called supervisory control and data acquisition systems (SCADA).
Two attacks on energy control systems are worth noting – the infections of nuclear centrifuges in Iran in 2010 that were likely caused by the Stuxnet worm and the remote hacking of the Ukrainian electric grid in 2015. Stuxnet is a sophisticated computer worm that works its way through Windows operating systems and attacks programmable logic controllers, a hardware component in ICS. Stuxnet is the likely cause of nuclear centrifuge failures in Iran. Though its origin and intent have not been proven, the worm has now spread around the world, and India has been one of the most infected nations. It may have been responsible for solar panels failing on an Indian satellite in 2010.
The Ukrainian electrical attack occurred in December 2015 and consisted of coordinated hacks on three Ukrainian electricity distribution companies to shut down power to over 200,000 consumers. The attack took months to plan, as the hackers gained legitimate administrative credentials that allowed them to remotely access the SCADA systems controlling the grid. These attacks show how damaging cyber attacks can be.
Electricity Sector Vulnerabilities, Standards, and Regulations
India is stuck between an espionage driven China, and a Pakistan that is acting as a launch pad for terrorist attacks on Indian military instillations. In this atmosphere ICT deployments on critical infrastructure must be done with extreme care, but in the end, occasional ICT vulnerabilities are inevitable; therefore, the way to minimize risk is through information sharing and industry best practices.
The current institutional and regulatory environment puts the sector at risk. Institutions to support information sharing and attack mitigation are inadequate, as are regulations requiring information sharing and industry best practices in cybersecurity. Furthermore, utilities are not equipped to deal with cybersecurity and government agencies lack the capacity to monitor and enforce standards.
The apex institutions for power sector cybersecurity are largely invisible, raising doubts about their capabilities. In 2010 the Ministry of Power created three CERTs, one for hydropower, one for thermal power, and one for transmission assets. An information sharing and analysis center (ISAC) has been proposed to centralize information on cyber vulnerabilities and incidents in the sector, but the ISAC is not operational. The National Critical Information Infrastructure Protection Centre began important advisory functions in 2014, but its operations are also not well covered in the media. The available information indicates that these institutions lack personnel.
Standards and regulations are also incomplete. The Bureau of Indian Standards has created some standards for SCADA systems, but in order to create a mechanism for statutory control over the implementation of such standards state level electricity regulatory commissions need to pass smart grid regulations, or the Central Electricity Authority (CEA) must issue guidelines that will apply to utilities across the country. The Forum of Regulators issued model smart grid regulations that will allow state regulators to mandate standards, but adopting is not moving quickly. Similarly the Ministry of Power is looking over guidelines for critical information infrastructure in the power sector. Until these regulations are put in place cybersecurity will be guided by limited and very general guidelines such as the functional requirements for advanced metering infrastructure (AMI) put out by the CEA in August 2016.
Standards and regulations only guide utilities as they create a cybersecurity posture; most important is cybersecurity awareness throughout an organization and keeping a finger on the pulse of cyber risks and vulnerabilities. State utilities have been requested to create a chief information security officer position to act as a nodal officer with CERTs and ISAC, which will be a big step in the right direction. But it seems this has been nothing more than a standing recommendation.
Finally, the financial state of distribution companies is worth mentioning. Many electricity distribution companies are have trouble paying for the electricity that they supply. Cybersecurity is a matter of economics as much as anything else. Companies must be willing to consistently upgrade infrastructure, as well as maintain the staff to perform tasks like patching software and altering configurations on field equipment. If utility company leaders don’t give cybersecurity its proper importance, no amount of regulation will secure assets in this critical infrastructure sector.
As global cybersecurity threats pose daunting risks to the electricity sector, governments must do all they can to facilitate information sharing and best practices. In India, the processes are underway to create strong institutions for information sharing and attack mitigation through sectoral CERTs and ISACs but there is much left to do. The state of regulation is in the same position. As utilities deploy more ICT they will be the first line of defense against cyber attacks, but the government must lead the way. The next year will be telling as the government moves to finalize standards and institutions as utilities simultaneously roll out smart grid projects, hopefully while giving cybersecurity the importance it deserves.