Can we keep hackers from shorting the grid? – The Indian Express

On October 12 last year, Mumbai plunged into darkness as the electric grid supply to the city failed. Trains, stock markets and hospitals battling the pandemic stopped functioning. Just recently, a study by Massachusetts-based Recorded Future, a firm that specialises in studying the use of the internet by states, said that the Mumbai power outage could have been a cyberattack aimed at critical infrastructure and was probably intended as a message from China. It was carried out by the state-sponsored group Red Echo, which has close ties to the People's Liberation Army (PLA) and has fronted many of the recent cyberattacks by China. As Recorded Future had no access to Indian power grids and could not study the malicious code, they didn't have a definite answer, but they did inform Indian agencies of the discovery of malware in the system.

India's power minister denied reports that a cyberattack was the cause of the power failure, although Maharashtra's power minister informed the state assembly on the same day that the Mumbai Cyber Police investigation had suggested a possible cyberattack with an intent to disrupt power supply. As recently as February, the Centre's nodal agency, the National Critical Information Infrastructure Protection Centre (NCIIPC), had reported concerted attempts by Red Echo to hack the critical grid network. Another government agency, CERT-In, is reported to have detected the ShadowPad malware in one of the largest supply chain attacks a month after the Mumbai outage. Many of the suspected IP addresses identified by NCIIPC and CERT-In were the same and most have been blocked in time. What remains to be seen is if there is conclusive proof of Chinese involvement in such surreptitious attacks through proxies, although spoofing often saves the actual perpetrator from identification. The Chinese focus in the past was stealing information and not projecting power, but the situation with India might be different.

Critical infrastructure has become increasingly vulnerable to cyberattacks. The power grid ecosystem is a major target of such attempts. An analysis of the general techniques used by state-sponsored hacker groups shows a trend of multi-stage attacks. In recent attacks on global power grids, the attacker targeted the enterprise network of the power company and then gradually climbed into the control systems network, which is responsible for managing, generating and distributing power. As many of these critical infrastructures were never designed with security in mind and always focused on productivity and reliability, their vulnerability is more evident today. With devices getting more interconnected and dependent on the internet facilitating remote access during a pandemic, the security of cyber-physical systems has, indeed, become a major challenge for utility companies.

For more than a decade, there have been concerns about critical information infrastructure protection (CIIP). In January 2014, the NCIIPC was notified as the national nodal agency for CIIP, and over these years it has been working closely with the various agencies. In January 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), with a budget of Rs 3,660 crore for the next five years, to strengthen the sector. However, most ministries and departments need better budget allocations for cyber security as well as a more robust infrastructure, processes and audit system. The Industrial Cybersecurity Standards (IEC 62443), aimed at providing a flexible framework to address and mitigate current and future security in industrial automation and control systems and launched by the Bureau of Indian Standards (BIS), have to be adopted soon. For the power sector, a strong regulation on the lines of the North American Electric Reliability Critical Infrastructure Protection (NERC) policy could serve as a guide so that the public and private sector utility companies in India harden and secure their operational technology (OT) networks.

Clearly, the incident is a wake-up call for better preparedness, with a more robust cyber security ecosystem in place. The new cyber security policy awaiting imminent announcement will hopefully cater to that. So far, India has done well to protect critical networks like the sensitive Aadhaar ecosystem, the income tax department and the core banking systems. The road ahead will be tougher as far as cyber networks are concerned. Only the fittest and most vigilant will survive.

This article first appeared in the print edition on March 10, 2021 under the title "Firewalling the grid". Subimal Bhattacharjee is a cybersecurity policy expert; Biprotosh Bhattacharjee is an industrial cybersecurity researcher and leads Global Cyber Defence Centre at LMNTRIX.
