Crisis Management Plan For Preventing Cyber Attacks On The Power Utilities In India

Cyber security for power energy and utilities in India is a major cause of concern these days. As cyber attacks are increasing against India, power utilities are also vulnerable to these cyber attacks. To effectively tackle the menace of cyber attacks against India, a crisis management plan of India for cyber attacks and cyber terrorism is absolutely required. A crisis management plan (CMP) is essentially part of the anti cyber attack plan of India that is presently missing.

CMP pertaining to information and communication technology (ICT) is also an essential part of national ICT policy of India. The other parts of national ICT policy of India are cyber security policy of India, critical infrastructure protection policy of India, critical national infrastructure protection policy of India from cyber attacks, national security policy of India, etc.

The position of cyber security in India is not very good. There us a lack of cyber security awareness in India. Techno legal expertise to manage cyber security issues of India is also missing. The critical infrastructure protection in India is not satisfactory and we still miss an implementable critical ICT infrastructure protection policy of India. The critical infrastructures around the world like power grids, nuclear facilities, satellites, defense networks, governmental informatics infrastructures, etc are vulnerable to known and unknown malware.

Cyber security challenges for smart grids and utilities in India are well known in India. Realising the cyber security risks of power utilities and sector of India, the Power Ministry of India has directed all state governments to ensure that power utilities are ready with crisis management plans for restoring normalcy in the “shortest possible time” in case of disruptions in generation, transmission or distribution of electricity. Indian government has also recently announced that cyber security awareness brochures would be mandatory for hardware sales in India.

At Perry4Law and Perry4Law’s Techno Legal Base (PTLB) we welcome this move of Indian government and we believe that this is a good step in the right direction. This direction must include cyber security preparedness on the part of power utilities of India as well, if the same has not already been prescribed. As on date, the state government regulated power utilities are grossly deficient in ensuring cyber security for their respective grids.

The proposed CMP for power utilities of India should also have details about “hierarchical set up at various levels” to ensure effective handling of crisis situations. Such plans would be applicable for both public and private sector entities. The Central Electricity Authority (CEA) has already written to all state governments asking them to prepare crisis management plans with regard to power utilities of their respective states.

India must develop both offensive and defensive cyber security capabilities that must be robust enough to detect and nullify cyber warfare against India, cyber terrorism against India, cyber attacks against India, cyber espionage against India, etc. Cyber security of banks in India is still deficient. The business community must also keep in mind the cyber law due diligence requirements in India. Cyber due diligence for Indian companies is now a statutory obligation and failure to observe cyber due diligence can bring serious legal ramifications.

Power grids and utilities cyber security in India and their challenges are not easy to manage. They require a systematic, dedicated and security oriented approach on the part of Indian government. In fact, smart meters are becoming headache for power companies world wide.

With the advent of sophisticated and specially customised malware like Stuxnet, Duqu, Flame, etc critical infrastructures like power grids, nuclear facilities, satellites, defense networks, governmental informatics infrastructures, etc are vulnerable to diverse range of cyber attacks.

Perry4Law and PTLB strongly recommend that Indian government must ensure cyber security of energy and utilities in India as soon as possible. SCADA may be the new cyber attack priority for cyber criminals and rouge nations. We must ensure sufficient cyber protection of SCADA systems in India in general and critical infrastructure in particular.