The renewable energy sector – in fact, the entire power ecosystem – is increasingly becoming more digitised and smarter. With distributed renewable energy projects, electric vehicles and advanced power systems being integrated into the grid, various assets are becoming interlinked. Further, operations and maintenance is moving towards automation and digitalisation for faster, smarter and more efficient services. As these renewable power projects become more connected via the internet, they become more susceptible to cyberthreats. After all, anything that is connected to the internet can be hacked. Such cyberattacks can have severe impacts on the project. First, there can be a loss of energy generation and revenue. Second, costly equipment and assets can be damaged. Third, information can be leaked or used otherwise to cause harm. Fourth, the health and safety of employees can be put at risk.
Some recent incidents
This threat not only exists in theory. There have been actual incidents from around the globe, including in India, of power systems being hacked with malicious intent. For instance, in July 2021, four out of India’s five regional load despatch centres witnessed cyberattacks. These organisations are critical for the country’s grid operations, as they help oversee the electricity load management functions. Similar attacks have also occurred at NTPC Kudgi and the Telangana State Transco. In another incident, there was a power grid failure in Mumbai and surrounding areas on October 12, 2020, which brought the entire city to a halt for a few hours. There have been different reports on the role of hackers in this incident, and this continues to be an ongoing debate. While some groups called it a cyberattack by a foreign hacker, Union Power Minister Raj Kumar Singh said in a written reply to the Rajya Sabha (dated July 20, 2021) that “no conclusive evidence was observed to attribute the Mumbai Grid incident of October 12, 2020 to a cyberattack”.
Prior to this, in 2019, Nuclear Power Corporation of India Limited reported a cyberattack on the Kudankulam nuclear power plant in Tamil Nadu. This was conveyed by the Indian Computer Emergency Response Team (CERT-In). On a global level, a massive cyberattack on Ukraine’s power grid in December of 2015 reportedly left more than 200,000 consumers without power for up to six hours in some areas. Further, according to S&P Global Market Intelligence, in November 2021, cyberattacks that compromised IT systems and data were reported by wind turbine manufacturer Vestas and the Colorado utility Delta Montrose Electric Association. Such instances are becoming quite common and need to be urgently addressed to protect these vital assets for the country.
Steps taken
Sectoral Computer Emergency Response Teams (CERTs) have been established by the Ministry of Power for various sectors in the power ecosystem to identify the cyberattack vulnerabilities in these areas. Moreover, according to the power minister, alerts and advisories are regularly issued and mock drills and trainings are conducted for key organisations on cybersecurity. Further, all power utilities have been asked to come onboard the Cyber Swachhta Kendra and implement the Cyber Crises Management Plan for handling such attacks.
Going a step further, in October 2021, the Central Electricity Authority released the guidelines for cybersecurity in the power sector for the first time. These guidelines must be adhered to by all power sector utilities and are applicable to all entities that are engaged in the Indian power supply system. They lay down a cyber assurance framework that strengthens the regulatory framework; put in place mechanisms for early warning against security threats, vulnerability management and response to security threats; and secure remote operations and services, among other things. The guidelines mandate information and communications technology-based procurement from identified trusted sources and products, failing which there should be testing for malware/hardware trojans before deployment in the power supply system network.
In January 2022, the automatic generation control (AGC) was launched and dedicated to the nation by the power minister. The AGC, being operated by Power System Operation Corporation Limited, sends signals to power plants every four seconds to maintain frequency. It also helps maintain the reliability of India’s power system.
In conclusion, while a few steps have been taken at the government level, much more needs to be done on an organisational level. Cyberspace is rapidly becoming the new battleground, with threats that can harm the critical infrastructure of nations. Thus, cybersecurity needs to assume prime importance in all power projects, with preparation of detailed roadmaps, incorporation of proper security measures and training of manpower on safe practices.
By Khushboo Goyal