Cyber
security for power energy and utilities in India is a major cause
of concern these days. As cyber attacks are increasing against India,
power utilities are also vulnerable to these cyber attacks. To
effectively tackle the menace of cyber attacks against India, a
crisis
management plan of India for cyber attacks and cyber terrorism is
absolutely required. A crisis management plan (CMP) is essentially
part of the anti cyber attack plan of India that is presently
missing.
CMP pertaining to information and communication
technology (ICT) is also an essential part of national ICT policy of
India. The other parts of national ICT policy of India are cyber
security policy of India, critical
infrastructure protection policy of India, critical
national infrastructure protection policy of India from cyber
attacks, national security policy of India, etc.
The position of cyber security in India is not very
good. There us a lack of cyber security awareness in India. Techno
legal expertise to manage cyber
security issues of India is also missing. The critical
infrastructure protection in India is not satisfactory and
we still miss an implementable critical
ICT infrastructure protection policy of India. The
critical infrastructures around the world like power
grids, nuclear
facilities, satellites,
defense
networks, governmental
informatics infrastructures, etc are vulnerable to known
and unknown malware.
Cyber
security challenges for smart grids and utilities in India
are well known in India. Realising the cyber security risks of power
utilities and sector of India, the Power Ministry of India has
directed all state governments to ensure that power utilities are
ready with crisis management plans for restoring normalcy in the
“shortest possible time” in case of disruptions in generation,
transmission or distribution of electricity. Indian government has
also recently announced that cyber
security awareness brochures would be mandatory for hardware sales in
India.
At Perry4Law
and Perry4Law’s
Techno Legal Base (PTLB) we welcome this move of Indian
government and we believe that this is a good step in the right
direction. This direction must include cyber security preparedness on
the part of power utilities of India as well, if the same has not
already been prescribed. As on date, the state government regulated
power utilities are grossly deficient in ensuring cyber security for
their respective grids.
The proposed CMP for power utilities of India should
also have details about “hierarchical set up at various levels”
to ensure effective handling of crisis situations. Such plans would
be applicable for both public and private sector entities. The
Central Electricity Authority (CEA) has already written to all state
governments asking them to prepare crisis management plans with
regard to power utilities of their respective states.
India must develop both offensive
and defensive cyber security capabilities that must be
robust enough to detect and nullify cyber
warfare against India, cyber
terrorism against India, cyber
attacks against India, cyber
espionage against India, etc. Cyber
security of banks in India is still deficient. The
business community must also keep in mind the cyber law due diligence
requirements in India. Cyber
due diligence for Indian companies is now a statutory
obligation and failure to observe cyber due diligence can bring
serious legal ramifications.
Power
grids and utilities cyber security in India and their challenges
are not easy to manage. They require a systematic, dedicated and
security oriented approach on the part of Indian government. In fact,
smart
meters are becoming headache for power companies world
wide.
With the advent of sophisticated and specially
customised malware like Stuxnet,
Duqu,
Flame, etc critical infrastructures like power
grids, nuclear
facilities, satellites, defense
networks, governmental
informatics infrastructures, etc are vulnerable to diverse
range of cyber attacks.
Perry4Law and PTLB strongly recommend that Indian
government must ensure cyber security of energy and utilities in
India as soon as possible. SCADA may be the new cyber attack priority
for cyber criminals and rouge nations. We must ensure sufficient
cyber
protection of SCADA systems in India in general and
critical infrastructure in particular.