A report calling for the development of a cyber crisis management plan to counter any possible attempt to breach the power grids is gathering dust.
New Delhi: India’s power grids are “highly” susceptible to cyber attacks from neighbouring countries, official sources told The Sunday Guardian. They stated that urgent action was required to be taken to isolate the critical part of the control rooms so that they were kept out of the reach of the hackers.
The Indian power system, for planning and operational purposes, is divided into five regional grids, namely, Northern, Eastern, Western, North Eastern and Southern grids.
An example of how the repercussions of a cyber-hijack of the power grids would look like was seen on 30 and 31 July 2012, when a blackout engulfed the entire Northern region covering eight states—Delhi, Uttar Pradesh, Uttarakhand, Rajasthan, Punjab, Haryana, Himachal Pradesh and Jammu and Kashmir as well as the Union Territory of Chandigarh. Power could be restored only on the night of 31 July after a loss of approximately $100 million. The reason for the blackout, as per the inquiry done by Central Electricity Regulatory Commission, was “skewed load generation balance among the regions”.
In May 2019, the Central Electricity Regulatory Commission had constituted an expert committee to suggest a revamp of the decades-old guidelines related to the electricity grid. In its report submitted in January 2020, experts talked about the seriousness of cyber attacks on power grids by devoting an entire chapter to cyber security, which called for grid operators to install firewalls and other measures to avert a cyber attack, while also calling for developing a Cyber Crisis Management Plan which will include continuity plans, recovery plans, communication plans, cyber incident response plan, disaster recovery plan and priority resource and manpower allocation plan.
However, nothing has moved beyond the files as both operators and policymakers are yet to take the problem as seriously as they should.
“We only move when we are hit. We react, we do not like pre-empting. Not just electricity transmission, pipeline networks of oil companies, doors of many dams, apart from metro, airport, railways are targets of these hackers and once they get into the system, it will be massive chaos and catastrophe all around. We need to wake up to this now,” said an intelligence agency official.
According to him, China’s People’s Liberation Army (PLA) had a specialised unit comprising cyber “warriors” whose only job, during war, was to sabotage the critical infrastructure of the enemy country. In November 2014, the United States had charged five Chinese military officers—who were a part of PLA Unit 61398 based in Shanghai—of cyber attacks on US assets. Recent assessments by US agencies show that many similar units, in fact much more sophisticated, have been set up by China.
In December 2019, as part of the US National Defense Authorization Act 2020, the Securing Energy Infrastructure Act was enacted by the US government with the aim to establish a two-year pilot programme to identify security vulnerabilities of certain entities in the energy sector.
The bill was brought by US Senators to “remove vulnerabilities that could allow hackers to access the energy grid through holes in digital software systems”.
This pilot programme will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators, thereby thwarting even the “most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult”.
In effect, to secure its critical national infrastructure, especially power grids and to stop them from being manipulated or hacked, the US government is now going back to the tried and tested method of analogue and manual systems to operate these power grids. As a result of this, the control systems of the power grids will be isolated from the internet and for any foreign power to manipulate the system they would have to be present at the power grid site physically.
The Senators, who brought the bill, stated that their legislation was inspired in part by Ukraine’s experience in 2015, “when a sophisticated cyber-attack on that country’s power grid led to more than 225,000 people being left in the dark. The attack could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid”.
However, the other more urgent reason for bringing such an Act, was the immediate and clear threat posed by China.
In its annual worldwide threat assessment report, the Office of the Director of National Intelligence, US, which was tabled in the Senate in January 2019, had given a detailed insight into the cyber threat posed by China.
The report said that China now had the capability to successfully target critical infrastructure, such as the electric grid and cause “temporary disruptive effects”.
“China presents a persistent cyber espionage threat and a growing attack threat to our core military and critical infrastructure systems. China remains the most active strategic competitor responsible for cyber espionage against the US government, corporations, and allies. It is improving its cyber attack capabilities and altering information online, shaping Chinese views and potentially the views of US citizens—an issue we discuss in greater detail in the Online Influence Operations and Election Interference section of this report. Beijing will authorize cyber espionage against key US technology sectors when doing so addresses a significant national security or economic goal not achievable through other means. We are also concerned about the potential for Chinese intelligence and security services to use Chinese information technology firms as routine and systemic espionage platforms against the United States and allies. China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks—in the United States,” the relevant part of the report stated.