Hacker Invasion

Increasing digitalisation makes power assets prone to cyberattacks

The renewable energy sector – in fact, the entire power ecosystem – is becoming increasingly digitised and smarter. With distributed renewable energy projects, electric vehicles and advanced power systems being integrated into the grid, various assets are becoming interlinked. Further, operations and maintenance are moving towards automation and digitalisation for faster, smarter and more efficient services. As these renewable power projects become more connected via the internet, they become more susceptible to cyberthreats. After all, anything that is connected to the internet can be hacked. Such cyberattacks can have severe impacts on the project. First, there can be a loss of energy generation and revenue. Second, costly equipment and assets can be damaged. Third, information can be leaked or used otherwise to cause harm. Fourth, the health and safety of employees can be put at risk.

Some recent incidents

This threat does not exist only in theory. There have been actual incidents from around the globe, including in India, of power systems being hacked with malicious intent. For instance, in July 2021, four out of India’s five regional load despatch centres witnessed cyberattacks. These organisations are critical for the country’s grid operations, as they help oversee the electricity load management functions. Similar attacks have also occurred at NTPC Kudgi and the Telangana State Transco. In another incident, there was a power grid failure in Mumbai and surrounding areas on October 12, 2020, which brought the entire city to a halt for a few hours. There have been different reports on the role of hackers in this incident, and this continues to be an ongoing debate. While some groups called it a cyberattack by a foreign hacker, Union Power Minister Raj Kumar Singh said in a written reply to the Rajya Sabha (dated July 20, 2021) that “no conclusive evidence was observed to attribute the Mumbai Grid incident of October 12, 2020 to a cyberattack”.

Prior to this, in 2019, Nuclear Power Corporation of India Limited reported a cyberattack on the Kudankulam nuclear power plant in Tamil Nadu. This was conveyed by the Indian Computer Emergency Response Team (CERT-In). On a global level, a massive cyberattack on Ukraine’s power grid in December of 2015 reportedly left more than 200,000 consumers without power for up to six hours in some areas. Further, according to S&P Global Market Intelligence, in November 2021, cyberattacks that compromised IT systems and data were reported by wind turbine manufacturer Vestas and the Colorado utility Delta Montrose Electric Association. Such instances are becoming quite common and need to be urgently addressed to protect these vital assets for the country.

Steps taken

Sectoral Computer Emergency Response Teams (CERTs) have been established by the Ministry of Power for various sectors in the power ecosystem to identify the cyberattack vulnerabilities in these areas. Moreover, according to the power minister, alerts and advisories are regularly issued and mock drills and trainings are conducted for key organisations on cybersecurity. Further, all power utilities have been asked to come onboard the Cyber Swachhta Kendra and implement the Cyber Crisis Management Plan for handling such attacks.

Going a step further, in October 2021, the Central Electricity Authority released the guidelines for cybersecurity in the power sector for the first time. These guidelines must be adhered to by all power sector utilities and are applicable to all entities that are engaged in the Indian power supply system. They lay down a cyber assurance framework that strengthens the regulatory framework; put in place mechanisms for early warning against security threats, vulnerability management and response to security threats; and secure remote operations and services, among other things. The guidelines mandate information and communications technology-based procurement from identified trusted sources and products, failing which there should be testing for malware/hardware trojans before deployment in the power supply system network.

In January 2022, the automatic generation control (AGC) was launched and dedicated to the nation by the power minister. The AGC, being operated by Power System Operation Corporation Limited, sends signals to power plants every four seconds to maintain frequency. It also helps maintain the reliability of India’s power system.

In conclusion, while a few steps have been taken at the government level, much more needs to be done on an organisational level. Cyberspace is rapidly becoming the new battleground, with threats that can harm the critical infrastructure of nations. Thus, cybersecurity needs to assume prime importance in all power projects, with preparation of detailed roadmaps, incorporation of proper security measures and training of manpower on safe practices.

By Khushboo Goyal

