With about 179 GW of installed renewable energy capacity as of July 2023 (40 percent of total energy capacity), India’s electricity grid is fundamentally transforming its character. The transformation of the energy system aligns with the country’s ambition of installing 500 GW of non-fossil-fuel-based energy capacity by 2030 and achieving its energy independence by 2047. Power sector players are expected to increasingly embrace an army of smart grid-interfacing devices during power generation, transmission, distribution, and consumption. On the demand side, popular examples of appliances for home/office/industry and commercial spaces include smart devices for lighting, heating, ventilation, and air conditioning (HVAC), cleaning, cooking, etc. Due to their rapid electrification, the mobility and agriculture sectors are also getting intertwined with the power sector. As time progresses, all these smart devices are expected to become increasingly capable of communicating and coordinating with each other and the national grid in real time. One must remember that these energy management use cases are critical in our fight against climate change. However, as the electricity value chain assumes these new characteristics, it will be crucial to ensure that progressive cybersecurity measures are infused into new devices, systems, and power infrastructure. Cybersecurity elements should become a non-separable design feature of these systems. The media reports of Chinese hackers targeting seven Indian power hubs, cyberattacks on the United States (US)’s electrical grid emanating from a West-Asian country, cyber warfare between Russia and Ukraine, and other such attempts mandate that this threat must be addressed with alacrity.
National security concerns
Clean energy generation facilities can exchange significant amounts of data with utility operators and aggregators through a ‘smart grid-interactive inverter.’ This is a cyber-physical device. Because of its unique functionality, it may pose a risk of cyberattack and may render the national grid operations insecure. Attackers can exploit this vulnerable intrusion vector to enter the national network and carry out lateral movement to other sensitive and strategically important assets. This is also true for smart grid-interfacing devices in the transmission, distribution, and point-of-use value chains. It is well-known that original equipment manufacturers (OEMs) operating outside India possess the capability to manage the operations of these devices remotely. This attribute can be exploited to jeopardise the safety and security of India’s national power grid by India’s adversaries (state and non-state actors). There is also a perpetually looming threat of strategic databases being breached, as some of them may be surreptitiously maintained/controlled from outside India.
Existing cybersecurity framework in India
Cyber Security in Power Sector Guidelines (2021) under the Central Electricity Authority (CEA) incorporate the cardinal principles of cyber security for the power sector. These require mandatory compliance by all responsible entities (including renewable energy generation utilities and aggregators). With a multifold increase in the complexity and frequency of cyber threats, this framework should evolve as per the changing requirements of domains like cyber policy, risk assessment, and mitigation plans, Chief Information Security Officers (CISO) training, supply chain risks management, incident/sabotage reporting and response actions, cyber security audits, etc. The Ministry of Power also created six sectoral Computer Emergency Response Teams (CERT) for thermal, hydro, transmission, grid operations, renewables, and distribution. In line with the National Cyber Security Policy, all power sector utilities are expected to board the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centers). Moreover, an Information Sharing and Analysis Centre (ISAC-Power) was established to provide a common platform for the six CERTs for information sharing and act as a central data repository. Additionally, the National Critical Information Infrastructure Protection Centre (NCIIPC), under the aegis of the National Technical Research Organization (NTRO), performs the multifaceted role of executing all necessary actions to protect relevant critical infrastructure from untoward incidents in alignment with the Information Technology Act 2000 (amended in 2008). NCIIPC facilitates coherent interventions from stakeholders and increases awareness amongst them about the evolving nature of cyber threats.
Way forward to neutralise power sector cyber security threats
Technical initiatives: Through the Grid Controller of India Limited, it is desirable to scrutinise the source code, intellectual property rights, and periodic updates of OEMs to their products/software and certify them as ready for interfacing with the national grid. To keep up with the developments in artificial intelligence and machine learning, suitable vulnerability management tools and cyber-attack resilient capabilities may be co-developed with indigenous centres of excellence.
Regulatory initiatives: The CEA and the Ministry of Electronics and Information Technology (MeitY) should work closely with software and hardware manufacturers of foreign origin to build early consensus on complying with the law of the land in letter and spirit. Organisations like the National Institute of Solar Energy, the National Institute of Wind Energy, the National Institute of Bioenergy, etc., must be directed to periodically create an ‘approved list of models and manufacturers’ for their domains as per the protocol laid down by the CEA and MeitY. It must be made mandatory for equipment suppliers and software developers for clean energy applications to set up their server rooms, data centres, critical R&D centres, design studios, and similar critical facilities within the country. Necessary and sufficient firewalls with access controls and IP-based communication protocols must be audited periodically as per global best practices. It must be mandatory for all utilities to nominate a CISO who will reside in India to comply with the country’s cyber security requirements punctually.
Financial initiatives: To ensure the long-term sustainability and growth of the above efforts, a dedicated budgetary provision can be made within the relevant ministry, and a separate power sector cyber security cell must be created. Special financial incentives can be carved out within the production-linked incentives (PLI) for entities creating novel indigenous solutions addressing this issue. Research grants can be extended to support the development of cutting-edge cyber security technologies on a mission-mode basis. In the strategic national interest of the country, the government, the private sector, academia, and startups must work collectively to develop and manufacture all critical components and associated cyber architecture in India. This will help create a world-class clean energy ecosystem that is safe, reliable, and cost-competitive.
Labanya Prakash Jena, Head, Centre for Sustainable Finance, Climate Policy Initiative (CPI)
Prasad Ashok Thakur is a CIMO scholar and an alumnus of the Indian Institute of Management, Ahmedabad (IIMA) and the Indian Institute of Technology, Bombay (IITB)
The views expressed above belong to the author(s).