The Ministry of Power has prepared a guideline for cyber security in the power sector. The guideline focuses on cyber security preparedness and the creation of a cyber secure ecosystem. All power sector utilities including generation utilities, distribution utilities, equipment manufacturers, will need to adhere to the guideline.
The guideline has been framed by the Central Electricity Authority (CEA), as per Section 3(10) of the “Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019”. The CEA held deliberations with agencies such as the CERT-In, NCIIPC, NSCS (National Security Council Secretariat), IIT Kanpur, and the Ministry of Power.
The Ministry of Power has already created six sectoral Computer Emergency Response Teams. They are- Thermal, Hydro, Transmission, Grid Operation, RE, and Distribution. Each sectoral CERT has its own sub-sector-specific Cyber Crisis Management Plan.
Is this important?
Yes. The move is very important given the massive increase in cyber security incidents across the globe. Earlier, the Ministry of Home Affairs revealed that CERT-In had received 12 lakh cyber security incident reports. With regard to the Indian websites, it received 26,121 reports, including 59 relating to the Central and State governments.
Critical infrastructure, including power generation, is also at risk. During the confrontation with China on the border, a Chinese government-sponsored hacking group reportedly caused the Mumbai blackouts. Similar hacking groups have also targeted Air India, UIDAI, etc.
Developed nations like the U.S. are also facing similar issues. In the past few months, the USA has witnessed multiple cyberattacks including the Colonial Pipe hack, REvil ransomware at a United States nuclear weapons contractor, JBS hack, among others. The colonial pipeline attack can safely be termed as an attack on critical infrastructure as the U.S. had to declare a state of emergency in as many as 17 states.
The U.S. government has issued an online helpline to support ransomware victims. It has even issued guidance to investigate ransomware & terrorist attacks alike and introduced five bipartisan bills to protect critical infrastructure.
India is also formulating a new cyber security strategy.
Some Highlights of the Policy
Cardinal Principles: All responsible entities will have to hard isolate their OT (Operation Technology) systems from any internet-facing IT system. Only one of the IT systems can face the internet, but it should be under the control of the CISO and any downloading/ uploading shall be done only through a whitelisted device after scanning for any vulnerability/ malware.
Further, entities shall source equipment deployed in critical information infrastructure only from the list of “Trusted Sources” drawn by the Ministry of Power.
Cyber Security Policy and Standards: The responsible entity shall be ISO/ IEC 27001 certified (including sector-specific controls as per ISO/ IEC 27019). The entity shall have a Cyber Security Policy based on the guidelines issued by the NCIIPC, and review it annually. The policy should include access management details and mitigate risks. They can change the policy only after obtaining approval from the Board of Directors.
Electric Security Perimeter: The responsible entity shall identify and document the electronic security perimeter(s) and all access points to the perimeter(s), as per IEC 62443/ IS 16336. It should perform a vulnerability assessment of such access points and perimeters at least once every six months.
Intelligence Sharing: Responsible entities shall share reports on incident response and targeted malware samples with CERT-In. It shall also ensure that it has on-boarded Cyber Swacchta Kendra (CSK) of CERT-In if they have public IPs. It should timely act on advisories, guidelines, and directives of CERT-In, sectoral CERTs, NCIIPC, or CSK.
Cyber Security Training: The responsible entity shall establish a cyber security training program for personnel having access to their critical systems. It should include topics like user authentication and authorization, ISO standards, protection mechanisms, vulnerability assessment, monitoring logs, detecting attacks on SCADA and ICS systems, and incident response.
Other Steps by the government to enhance Cyber Security
- Cybersecurity alerts: CERT issues alerts and advisories regarding cyber threats/vulnerabilities and countermeasures.
- Guidelines for Chief Information Security Officers (CISOs): Govt. issued guidelines for CISOs defining their key roles and responsibilities for securing infrastructure.
- Cyber Security Audit: All government websites are audited before hosting and also after hosting on a regular basis.
- Security Auditors: The government has empanelled security auditing organisations to support and audit implementing of Information Security Best Practices.
- Cyber Crisis Management Plan (CCMP): Government has formulated CCMP for all ministries/departments of the central government, state government, and critical sector.
- Cyber Swachhta Kendra: Government has initiated Botnet Cleaning and Malware Analysis Centre, Cyber Swachhta Kendra. The Kendra provides free tools to detect and remove malware and botnets.
- National Cyber Coordination Centre (NCCC): Government has setup NCCC for generating situational awareness of existing and potential cyber security threats. Phase-I of NCCC is operational.
Here’s a copy of the guideline.