Electricity is the major driving force for any economy. ‘Access to clean and affordable energy’, is one of the goals under 2030 Agenda for sustainable development. According to International Energy Agency and World Bank, one-quarter of India’s population lacks access to electricity. While access to electricity has been a challenge for decades, there is one other emerging problem which is ensuring cyber security in the energy sector. Economies have become more dependent on Information and communication Technology (ICT) and hence vulnerable to cyber-attacks. Cyber-attacks target the economic infrastructure to reduce the available state resources and undermine the confidence in their supporting structures. The most serious cyber security risks are those that threaten the functioning of Critical Information Infrastructures (CII). In India, the National Critical Information Infrastructure Protection Center (NCIIIPC), the nodal agency for protection of CII, has identified eight CII which are: Telecom, Banking and Financial Services and Insurance (BFSI), Government database, Power & Energy, Strategic & Public Enterprises (PSUs and Heavy Industries).
Energy Infrastructure has become a major target for the cyber-attacks over the past decade that are launched either by the nation states or cyber criminals. Protecting energy systems from Cyber-attacks is essential for the functioning of various other industries like: transportation, water, communications, finance, food and agriculture, emergency services and more.
Today, electric power grids and oil & gas supply network is monitored using energy control systems to ensure reliability and continuous availability of energy. Now what are these energy control systems? Simply, they are digital systems that operate real time physical processes by dispatching commands to millions of nodes and devices dispersed across the energy delivery infrastructure (generation, transmission, distribution and consumption). These systems exchange massive amounts of data at high speeds over cyber networks to monitor and control physical devices such as transformers, switches, compressors, valves and pumps. Thus data availability and integrity is essential for energy operations. Let us examine the cyber security problems in a power generating station.
What is vulnerable in a power station for a cyber-attack is SCADA (Supervisory Control and Data Acquisition) control system. SCADA architecture makes use of the Human-Machine Interface (HMI) that allows humans to interact with and control devices (for example regulate the pressure of a boiler). In the past, energy control systems were functioning within the Operational Technology (OT) environment and were isolated from the rest of the world. But now, they are connected with Information Technology (IT) allowing cyber-attacks in OT as well. We will take up an incident as an example how a computer worm developed by human sitting elsewhere could operate a machinery in a power plant in Iran. Stuxnet is a computer worm, believed to be a cyber weapon, intended to attack nuclear facilities in Iran. The attack was done by uploading a malicious code to a power facility’s Programmable Logic Controller (PLC). The worm initially infiltrated the computer machines in the control room of the nuclear facilities, replicated and reached the target software, after which the worm gained access to the industrial program logic controllers. This gave the creator of the worm the access to the crucial industrial information as well as the ability to operate the industrial machinery from a remotely placed PC.
How are hackers able to identify their targets? Public disclosures of vulnerabilities of an energy facility may make them potential targets. A lot of industry information is already available to the public through journals like, transmission capacity of switching station, their geography of operation. Further, using different types of communication to gain access to a substation control network (telephone lines, wireless, microwave, private fiber and internet) makes it complicated and difficult to establish a secure communication. It is impossible to predict when and where attacks happen. But it is possible to identify those substations and lines within the electric grid system, in the event of an attack would cause large scale outages. This would help us to drive the grid resiliency investments into those facilities which pose the greatest risk.
Cyber-attack and cyber threats are two different terms. Cyber threats is a person, threat, thing or an idea which poses some danger to the asset, in terms of its availability, confidentiality, integrity. Cyber-attack is realization of such threats. The possible effects of an attack include: loss of load, destabilization of grid, loss of information, harm to human life and environment and economic loss.
What could be the costs of establishing cyber security measures? According to a 2015 study by Poneman Institute, the annualized costs of cyber crime for an average energy company is more than $27 million. Consider an existing power generation facility which is owned by one, constructed by other and being operated by another, who will bear the costs of cyber security measures is a question whose answer has to be sought through negotiations between the parties. This is a situation where none of the contracts (Engineering, Procurement and Construction [EPC], Operations and Maintenance [O&M]) anticipated or apprehended such capital or liability.
Do we need to cyber secure smart grids? In India, majority of energy generated (up to 50%) are being lost in transmission which accounts approximately to 1.5% of India’s GDP. Smart grids not only ensured low transmission losses, but improved the grid stability, better management of energy systems, improved efficiency and reliability. On the other side, through smart grids, there is increased connectivity and integrity which again poses another threat, which is vulnerability to cyber-attacks. Such vulnerabilities allow hackers to break a system, corrupt user privacy, gain unauthorized access to control the software, modify load conditions to destabilize the grid. Hackers may also gain access to smart meter to alter the energy meter readings, which could mislead the electric utility in making incorrect decisions about the local usage and capacity. The WannaCry ransomware (A malicious software that locks the system of the user and demands ransom for unlocking it) attacks from the last year has been considered as a warning to all the smart grid systems in India according to Central Electricity Authority (CEA). India, in its 12th Five Year Plan has spent USD 5.8 billion towards the National Smart Grid Mission. Also, the issue has become more severe after the 2015 black out incident (Cash Override) in Kiev, Ukraine, where the ICT of three prominent electric power distribution companies were under a cyber-attack and which lead to a power outage for an hour. The malware could be used by the hackers even to physically damage the electrical equipment (For example, a large diesel generator could be broken with the help of digital commands). One instance could be where digital relays are used to send information automatically to open circuit breakers on detection of dangerous power levels and where the malware disables digital relay. As per the recommendations of CEA, testing standards are being developed (with two standards in the phase of completion) for power utilities, a test bed is created at Central Power Research Institute (CPRI), has proposed modifications in guidelines for procurement of equipment used in power utilities and security audits of all SCADA systems. However, there is lack of cyber security standards for smart meters in India. Here’s a preview of the video how hackers took control over operations of Ukrainian power grid, part of a breach which caused a blackout for a quarter million.
Solving the Question of Jurisdiction in the case of a cyber attack: Let’s create a hypothetical situation where a hacker located in XYZ country launches an attack against a computer system within the jurisdiction of India. Such an activity firstly, has to be classified whether it’s a ‘cyber-attack’ or ‘cyber-warfare’ or ‘cyber crime’. Cyber crime refers to those activities committed by individuals (strictly non-state actors) which is criminalized under domestic or international law. When such an activity is committed with a motive to undermine the functioning of a computer network, it may either be a cyber-attack or cyber-warfare. All cyber warfare are cyber-attacks but not vice versa. A cyber-attack qualifies to be a cyber-warfare when the activity was committed with national or political purpose and the effects of such an activity must be equivalent to an armed attack or the activity must occur in the context of an armed conflict. In case of cyber-warfare, law of war in the context of international law is to govern such activity. No state so far has claimed a cyber-attack to be equivalent to an armed attack and claimed right of self-defense under Article 51 of the U.N. Charter. There needs to be a consensus or agreement between the states to decide when cyber-attacks constitute cyber-warfare. While states are generally the parties to a cyber-warfare, in reality, states do not openly involve in such activities. They commit the activities through non-state actors. For those cyber-attacks which do not qualify as warfare, which are committed by one state against the other, there is customary international law of ‘countermeasures’ which the injured state can take against the attacking state, before appropriate international forum, either cessation of such activity or for reparation or both. Till date, there is no comprehensive international legal framework that governs all cyber-attacks. The role of United Nations regarding cyber security has been limited to discussion and information sharing. However, NATO (North Atlantic Treaty Organization) through the 2008 Bucharest Summit, the Council of Europe through the 2001 Convention on Cyber crime have been regulating cyber attacks and enforcing cyber security.
There are certain international instruments which indirectly regulate cyber-attacks like International Telecommunication regulations prepared by ITU (International Telecommunication Union) where electromagnetic spectrum or international telecommunication networks are used for cyber-attacks; Aviation law, to categorize those activities which would endanger the safety of an aircraft while in flight, as illegal; Space law, which requires the States to use the Moon and other celestial bodies only for peaceful purposes; and law of the Sea (UNCLOS) where it allows a vessel the right of innocent passage through another nation’s territorial sea as long as its activities are not prejudicial to the peace, good or the security of the coastal state. Let’s come back to the question that was raised earlier.
- What if a person (fugitive) from XYZ country hacks a computer system located in India? In such a case, India has to rely upon extradition agreement with XYZ country and deal the case accordingly, provided that the offence alleged to have been committed by the fugitive is an ‘offence’ both in requesting (India) state and requested (XYZ) state. The act of extradition is an agreement between the concerned states which allows the extradition of fugitive criminals. In the absence of any treaty, extradition may be allowed if it has the backing of principle of reciprocity which means we pay back what we received from others, or the penalties, benefits granted by one state to the individuals of other state must be returned. It is interesting to note that we haven’t signed the Budapest Convention on Cyber crime;
- Now what if an Indian citizen goes abroad and commits a crime. Can he be tried in India under the Indian Penal Code (IPC)? He can be tried in India under Section 4 of IPC provided that he is an Indian citizen and the act committed is punishable under IPC. Further, IPC is applicable to both Indian and foreigners who commit any crime within the territory of India.
Constitutional and Statutory Provisions: “Electricity” has been placed as a subject matter under the Concurrent List under the Schedule VII of the Indian Constitution which means that both the Central and State Government can legislate about it. But, “Taxes on consumption or sale of electricity” subject matter can be legislated only by the State. The parent statute, The Electricity Act, 2003, in matters related to electricity, nowhere mentions about the cyber security aspect in the power sector. Even the National Electricity Policy, 2005 fails to bring it on paper. However, the National Cyber Security Policy 2013 along with Information Technology Act, 2000 has provisions for establishment and enforcement of cyber security standards.
Is there any administrative authority for laying cyber security standards in India? CERT-In (Computer Emergency Response Team), is an organization under Ministry of Electronics and Information Technology (MeitY) for laying down cyber security standards, compliance, incident response and guidance. Government of India after realizing the need of CERT in for securing CII, specifically for power industry, created four sectoral CERT for Thermal, Hydro, Electricity Transmission and Distribution, in line with the National Cyber Security Policy 2013. CERT-In is the nodal agency which is under MeitY and sectoral CERT is under Ministry of Power. During any emergency event, plenty of information have to be exchanged between two ministries to produce any response. This has to be done keeping in mind of the efficiency of communication with no time lag and preserving the integrity of information. Under the domestic laws, we have Information Technology Act, 2000 where punishments for unauthorized access to computer systems have been prescribed under Section 70 and Section 66F (Through the 2008 Amendment, which increased the deterrence level against attacking CII by classifying them as an act of terrorism).
In India, a lot of electric and electronic systems for the energy industry are being imported from foreign countries, especially China, from where a junk of SCADA systems are imported for electricity distribution, will require India to lay down stringent regulations to test the equipment before it is connected to the electric grid. This not only will boost the local manufacturing, but also reduces the risk of cyber-attacks. Usually these regulations are laid down by Central Electricity Authority by notification in exercise of the powers under Section 177 of the Electricity Act, 2003.
What could be the other issues that can be discussed?
- According to UN International Telecommunication Union (ITU) through its Global Cyber Security Index (GCI) has placed India in 23rd position out of 165 nations that measures the commitment of nations across the world to cyber security. India is yet to ratify the Budapest Convention on Cyber crime and yet to establish cyber security standards for smart grids which are currently vulnerable to attacks;
- When we talk about maintaining the grid stability, one other challenge is where maintaining the stability in a cross-border interconnected energy network where failure in one system can have a cascading effect in different regions;
- While drafting the cyber security policy in the energy industry, India’s energy mix, present and future demands and prospects have to be kept in mind. For example, the share of Natural Gas in the country’s energy mix will rise up to 15% according to the Ministry of Petroleum and Natural Gas. Suppose, if there is any cyber attack within the Natural Gas pipeline industry, which can disrupt the supply of natural gas to the power plants, it can affect the power generation and hence the grid stability. Hence, we need to establish cyber security standards for Natural Gas industry and all other raw materials;
- According to a survey of over 500 businesses in UK by PricewaterhouseCooper, 65% of them were concerned over the cyber risks to energy technology, while three out of five stated that they would switch their energy supplier if they suffered a cyber breach;
Electricity is an important national asset, the loss or inadequacy of which might severely damage the economy. Cyber security threats are outpacing the energy sector’s best defenses and year after year, the costs of cyber security measures are escalating. New vulnerabilities and threats are being identified day by day. It all began when industrialists started automating many industrial processes for better productivity and reliability which on the other hand increased the vulnerabilities to cyber attacks. So, identifying all the network assets and vulnerabilities is crucial and which might solve half the problem. This coupled with international and domestic regulation, industry co-operation, individual participation and appropriate security standards could make the industry and in turn economy more secure.