Laxmikant Singh Rathore, Director (Cybersecurity), Central Electricity Authority, in an exclusive conversation with APAC News Network – CXO News, highlights the cybersecurity challenges for power utilities and the OT vulnerabilities confronting discoms today.
How critical is the cybersecurity challenge for power utilities today and what are the measures undertaken by CEA to mitigate these challenges?
The power sector is the backbone for the growth of industries, social life and economics of the country, and it is one of the most critical sectors. Today’s power sector is growing fast and is adopting more and more digitization and decentralization to make the system more efficient and reliable. Solutions for digitization and decentralization are modern applications driven by AI/ML.
This has brought to the forefront the security of the critical infrastructure against cyber-attacks. Actors having the latest tools and technology are increasingly targeting critical infrastructure like the power sector with their Advanced Persistent Threat (APT), thus making power plant operations and grid operation more challenging.
To mitigate these cyber security challenges, some of the major steps taken by the Ministry of Power/Central Electricity Authority are:
- CEA has issued “CEA (Cyber Security in Power Sector) Guidelines 2021” in Oct 2021
- Ministry of Power has notified CSIRT-Power, which acts as an extended arm of CERT-In and has been working dedicatedly on cyber security for the power sector.
- MoP has also created 6 (six) sectoral CERTs, namely Thermal, Hydro, Transmission, Grid Operation, RE and Distribution, for ensuring cyber security in the Indian power sector.
- Capacity building exercises in collaboration with academia, industry, premier cyber security organizations of India.
- CEA is coming out with Cyber Security Regulations, Model Contractual Clauses and Trusted Vendor Scheme in Power Sector.
- Cyber security clauses have been incorporated in IEGC 2023.
What has been the update from the power utilities on conformance with the cybersecurity guidelines that were issued by CEA in 2021?
Cyber security preparedness helps in evaluating the current security posture and provides guidance to the utility for enhancing its resilience against likely cyber-attacks. As a strategy to effectively counter cyber-attacks and mitigate cyber security risks, a power sector utility shall have defense in depth for its cyber security. CEA has come up with the CEA (Cyber Security in Power Sector) Guidelines in October 2021, since many cyber security directives and guidelines existed in the Indian scenario, but none of them were power sector specific.
After the issuance of the CEA cyber security guidelines 2021, the basic cyber security framework of power sector utilities has been enhanced, such as appointment of CISO & Alternate CISO, onboarding on CSK of CERT-In, regular cyber security audits by CERT-In empaneled auditors, cyber security trainings, ISO 27001 certification etc.
While IT security has standardized in most utilities to some extent, how critical is the challenge on the OT side for most discoms?
In more recent years, the pace and scope of the digitalization of the power systems have grown due to the confluence of favorable market developments and technology advancements. Increased focus on digital solutions provides a large opportunity for the Indian distribution sector to adopt various technologies, systems, and applications to approach current business problems including their financial and operational effectiveness.
OT systems adopted in power distribution utilities include Smart Metering / Advanced Metering Infrastructure, SCADA (Supervisory Control & Data Acquisition System), OMS (Outage Management System), DMS (Distribution Management System), ADMS (Advanced Distribution Management System), Network Analysis System, Auto Demand Response (ADR) System and Work Force Management System.
Challenges of OT in Discoms
There are some practical challenges on the OT side of Discom utilities.
- Proprietary Technologies & Interoperability challenges
- Technology integration
- Legacy systems / System upgradation and maintenance
- Capacity building & change management
- Lack of standardization
- Handling large volume of data
- Implementation of asset analytics
What will be the measurable parameters or criteria that the power utilities need to follow after the introduction of the trusted vendor scheme?
Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services for systems throughout their lifetime. This includes their design, manufacture, delivery, maintenance, decommissioning and disposal. As such, cyber supply chain risk management forms a significant component of any organization’s overall cyber security strategy.
To mitigate supply chain risks, MoP is coming up with a trusted vendor system. The criteria for power utilities after implementation of the trusted vendor system, as per the CEA (Cyber Security in Power Sector) Guidelines, 2021, are:
Article 1(a)(vi) Cyber Security Policy
‘All ICT based equipment/system deployed in infrastructure/system mandatorily CII are sourced from the list of the “Trusted Sources” as and when drawn by MoP/CEA.’
Article 9(b) Cyber Supply Chain Risk Management
‘The Responsible Entity shall ensure that all the Communicable Intelligent Equipment’s and the Service Level Agreements (SLAs) for their Critical Systems shall be sourced from the list of the “Trusted Sources” as and when drawn by MoP/CEA.’
How will you assess the threat landscape for the power sector and what are the challenges in incident response that the power utilities are facing?
Cybersecurity is a growing global concern. The threat landscape for the power sector includes interconnected technological systems, introduction of IoT devices etc., which also increases vulnerabilities through data breaches, supply chain attacks etc.
The focus of the Incident Response process is to eradicate the problem as quickly as possible, while gathering actionable intelligence, to restore business functions, improve detection, and prevent reoccurrence. The Incident Response covers how to respond to specific situations for stakeholders to ensure an effective and efficient response. The Incident Response includes Detection, Containment, Eradication, Recovery, Forensic & Recovery. Some of the major challenges in IR are availability of cyber security experts, deployment of tools to identify the event in time before it becomes an incident, etc.
How can the setting up of the CSIRT Power enhance the cyber resilience of this sector?
Computer Security Incident Response Team (CSIRT) is a team that performs, coordinates and supports the response to cyber security incidents. It’s an organizational setup and the capability that provides services and extends support to its constituent utilities for preventing, detecting, handling, and responding to cyber security incidents, in accordance with its mission. CSIRTs mostly provide three types of services, classified as Responding Services, Predictive Services and Safety Quality Management Services. Having a dedicated CSIRT at sector level, like for Power, shall not only help to mitigate and prevent major incidents, but would also help to protect Critical Information Infrastructures (CIIs) and deliver services effectively within the Power Sector.
CSIRT-Power will provide a conduit for consistent, coherent messaging and provide all stakeholders in the Power Sector a single trusted source of information. In addition, CSIRT-Power will encourage cyber security conversations and develop international cooperation on cyber security issues in the power sector through CERT-In as well as with the other Ministries and Departments.
The key benefits of centralized CSIRT for power sector will be:
a) Centralized coordination for cyber security issues related to the IT as well as OT systems in the power sector.
b) Centralized and specialized handling of and response to cyber security incidents there-in.
c) Expertise at hand to support and assist the power sector utilities to quickly recover from cyber security incidents and enhance cyber security posture based on the learning from incidents handled.
d) Regular inputs/guidance on cyber security for decision making authority.
e) Keeping track of development in the field of cyber security in the power sector nationally as well as internationally.
f) Stimulating cooperation (awareness building) among all stakeholders.