CYBERSECURITY THREATS FOR THE POWER SECTOR - PART 1



"If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it." - Tim Cook - CEO, Apple


INTRODUCTION


To measure the development of a nation, electricity consumption is an important tool. The entire Nation’s transport, communications, fuel, and government services are dependent on electricity supply. Hence power systems are extremely vital for the nation.


The power sector is a critical infrastructure whose shutting down due to a cyber-attack could cause severe disruptions to business operations. It could lead to suspension of operations and could cause huge financial losses for every minute lost due to a power failure. Hence it is necessary to secure power systems and insulate them from cyber-attacks. The Central Electric Authority (CEA) of India, recognizing the need to secure the nation’s power sector, issued a set of cyber security guidelines which was released in 2021.


KEY OBJECTIVES FOR ISSUING THE GUIDELINES:

  1. Creating a Cyber Security Awareness

  2. Strengthening the regulatory framework

  3. Protection and resilience of critical information infrastructure

  4. Reducing cyber supply chain risks

  5. Information sharing and co-operation

Within the text of this article ‘Responsible Entity’ will mean all the stakeholders.


Applicability


All responsible entities as well as system integrators, equipment manufacturers, suppliers/vendors, service providers, and IT Hardware and Software Original Equipment manufacturers (OEMs) are engaged in the Indian power system.


We are covering 6 articles issued by the government and the remaining 8 articles will be covered in our upcoming blog next week.


Highlights


ARTICLE 1: Cyber Security Policy

  • Internet-facing systems and Operational technology must be isolated from each other.

  • Only one Information Technology (IT) system can face the internet however isolated from Operational Technology (OT) zones and kept in a separate room under the control of the Chief Information Security Officer (CISO).

  • A whitelisted device should be scanned for malware after that proceed to uploading and downloading. For all such activities, logs should be maintained for at least 6 months so that investigative agencies can conduct a forensic analysis if required.

  • Ministry of power’s list of trusted sources will be used to source equipment for critical infrastructure.

  • For each firewall, a list of whitelisted addresses is maintained by CISO and each firewall will allow access to the whitelisted address only.

  • POWERTEL, in the Telecom business is the only Telecom Service Provider in the Country having PAN India overhead Optic fiber network using Optical Ground Wire on power transmission lines, which is to be used for communication between OT equipment/systems.

The responsible entity should be ISO/IEC 27001 certified. (include sector-specificity controls as per ISO/IEC 27019). The responsible entity should have a Cyber Security Policy, to be reviewed annually by a subject expert for any changes only if approved by the Board of directors (BOD). The responsible entity should have a sufficient annual budget for cyber security posture enhanced over the coming years. Cybersecurity issues should be taken in board meetings every 3 months


ARTICLE 2: Responsible entity shall appoint a CISO


ARTICLE 3: Identification of Critical Information Infrastructure (CII)


Responsible entities shall get their critical infrastructure information identified by submitting details of Critical business processes and underlying information infrastructure along with a mapped impact and risk profile to the National Critical Information Infrastructure Protection Centre (NCIIPC) and get their CII identified in consultation with NCIIPC.


ARTICLE 4: Electronic Security Perimeter


The Electronic Security Perimeter and access point to the perimeter should be identified and located by the responsible entity. Critical systems should be in the Electronic Security Perimeter. Cyber vulnerability assessment of every electronic access point to the electronic security perimeter should be done at least once in 6 months or if any change in security architecture.


ARTICLE 5: Cyber Security Requirements


The responsible entity shall have an ISD (Information Security Division) headed by a CISO working 24*7. A sufficient number of engineers should man it having completed a valid course on cybersecurity of the power sector from the training institute designed by Central Electricity Authority (CEA). It should have an Intrusion Detection System and Intrusion prevention system to identify an anomaly in both IT and OT systems. Indian Computer Emergency Response Team (CERT-In) is shared with incident response and targeted malware samples. Only ports and services required for normal operations are enabled. Software is updated with digitally signed Original Equipment Manufacturer (OEM) validation patches only. Maintains cyber logs and cyber forensic records of an incident for at least 90 days.


ARTICLE 6: Cyber Risk Assessments and Mitigation Plan


Cyber Risk Assessment and mitigation plan should explain the matrix for assessing both IT and OT environment, cyber risk, and the criteria for risk acceptance criteria. Every quarter the plan should be reviewed.


CONCLUSION


Is your organization equipped with the aforementioned guidelines issued by the government to secure your companies power systems? Are your power systems secure?


Get your Risk Assessment done without delay. Speak with our experts.


Gorisco has wide range of experts who have various solutions at their disposal to help organizations mitigate the risk.


At Gorisco, our motto is 'Embedding Resilience' and we are committed to make the organizations and their workforce resilient. Reach out to us if you have any queries, clarifications or need any support on your initiatives.


To read our other blogs, click here. More importantly, let us know if you liked them or not through your comments.