The impact of a cyber-attack on smart electricity networks might be enormous
Published on: Wednesday 01-02-2023
Dr Shekhar Pawar, Founder and CEO, SecureClaw Inc., USA; and GrassDew IT Solutions Pvt Ltd, Mumbai.
What is the general level of awareness in the Indian context about cybersecurity in general and the risks enterprises face in particular?

I have lived and worked in the United States and Europe. I saw that, from their social security number to their mobile number, everything is considered personally identifiable information (PII). The government takes the protection of their country's PII data very seriously. As a citizen of India, when I look at our PII data, which can be our PAN or Aadhaar card number, photocopies of those are being shared by individuals with agents of various agencies and many other entities. The types of phone calls made by policy-selling agents are one indication that our contact information is easily accessible and kept by such agencies. I can share my experience working in cybersecurity, where we interact with various organisations, as well as my doctoral studies and daily analysis of various cyber-threat news. In India, cybersecurity is not yet taken seriously by people or even by enterprises. The majority of the time spent on cybersecurity implementation is deemed unimportant. Many organisations are only focusing on their business revenue goals, and due to the lack of GDPR-like strong compliance laws, they do not spend on improving their cybersecurity posture. Organisations can face issues like IP theft, data theft, malware attacks, Distributed Denial of Service (DDoS) attacks, etc. More importantly, a cyber-attack can damage the reputation of an organisation's brand.
If we look at the recent Covid pandemic, a virus impacted every person on this planet. Many times, I feel that there will be an innovative computer virus in the future that will spread and impact the entire industry. As many industries, especially in India, do not have a minimum level of cybersecurity in place, it might impact the country’s economy as well. It is the biggest risk.
As a professional working in the cybersecurity domain, what is your experience when it comes to enterprise security? Are there any use cases?
The top management in any enterprise is important for taking decisions and implementing cybersecurity. Many of them are not considering it because they see it as an additional expense, as well as the fact that it requires only a small investment of resources. There is no mandate as per the government or other bodies in India.
Experts believe that existing security approaches are either inapplicable or inadequate to prevent cyber-attacks. How should companies approach these threats?
I would answer both reason and solution with two words: ‘Continuous Innovation’. Organisations and cybercriminals are both becoming more advanced as technology advances. Computers were merely encrypted in a previous ransomware attack, which demanded payment to receive the decryption key. Cybercriminals started threatening victim organisations with selling the stolen data on the Dark Web after receiving the decryption key payment. This is double extortion. The latest cyber news is now discussing ‘triple extortion’, in which hackers can use the stolen information about victim organisations to launch a DDoS assault and saturate the victim's server with traffic, among other things. A traditional approach to cybersecurity would be ineffective in the face of rapidly changing digitisation and cyberspace. When it comes to cyber-threats, there is no single solution. Organisations need different levels of security controls at different layers. Again, the implementation strategy must change year after year, as hackers invest significant time and effort in studying existing postures and identifying vulnerabilities to perform malicious acts.
How vulnerable are the power generation and distribution plants today to cyber-attacks?

It is difficult to respond without conducting a real assessment. These matters are private and cannot be discussed outside of that organisation. Because the entire world depends on the electric network for daily living, power systems are intricate systems that are crucial to socio-economic progress. That is why cybercriminals find those appealing. For power systems to operate reliably, many protection and control measures are required. Power system stability should be able to be preserved by the controllers. Frequency, rotor angle, and voltage are three crucial factors that should be effectively controlled to preserve the stability of power systems. By boosting load power factors, power factor control increases the efficiency of power distribution systems while voltage control keeps voltage and reactive power within the necessary bounds. Due to the use of mechanical components, frequency control is the power system control mechanism that takes the longest to operate. Load frequency control (LFC) systems are more susceptible to disruptions and cyber-attacks because the control algorithms of frequency stabilisation produce control signals in the timeframe of seconds and cannot handle complex data validation procedures. The LFC system is also built to function with less human interaction and features extended digital layers with open communication networks. Additionally, the stability of the entire network is threatened by frequency fluctuations brought on by load changes or cyber-attacks in one location, which affect all other interconnected areas. Power grids are experiencing major cyber-security issues as a result of the smart grid's quick development and increasingly interconnected communication networks.
DoS Attack, FDI attacks, Replay Attack, Covert Attack, Resonance Attack, and Time-Delay Switch Attack are a few cyber-attacks which can negatively impact LFC systems. The ability to access the resonance source is the first requirement for a resonance attack, and the second is the capacity to inject or change the power plant input in accordance with the resonance reference. As a result, the most crucial defence is the safeguarding of the input data. The stability and performance of the LFC system can be negatively impacted by a time-delay switch attack. The delay injection can be carried out either at the size of sampled data or by delaying the telemetered transmission packets.
With increased digitalisation and smart grids soon becoming a reality, is the industry prepared to face the threats of cyber-attacks from hostile powers?
It is very difficult to say if a particular industry is well prepared against cyber threats, but looking at recent cyber-attacks, we can predict that there is a long way to go. The majority of these cyber-attacks are State-sponsored, and no nation claims ownership of them in the press. The impact of a cyber-attack also gets worse and more widespread as energy systems grow more intelligent and interdependent. According to the 2019 Global Danger Report from the World Economic Forum, large-scale cyber-attacks are the risk that is most likely to materialise over the next ten years, ranking fifth overall. According to estimates, a cyber-attack on the US smart power grid would cost $1 trillion, or almost eight times as much as it would cost to clean up the Fukushima nuclear accident. Over $1.7 billion in damages might be incurred in France during a six-hour winter blackout. Given that nearly everything, including water supply, transportation, and communication, depends on the availability of power, the negative externalities of a cyber-attack on smart electricity networks might be enormous. In terms of expected losses per company from cybercrime, the utilities and energy industry comes in second place; it costs an estimated $17.2 million per company annually. With an estimated $18.2 million in damages per organisation each year from cybercrime, the financial services sector tops the list. Experts concur that society frequently pays the price for the cascading repercussions brought on by cyber-attacks.
One of the types of power systems that use the LFC method is the smart grid, a power transmission system with bidirectional information flow. Availability, Integrity, and Confidentiality are the three fundamental characteristics that make up the security qualities of a smart grid, microgrid, or any other type of power system. These three high level security standards can be used to classify power system cyber-attacks.
In the electricity system's transmission network, availability guarantees the timely and dependable availability of the information. From the perspective of control, it is a property of the control system or system elements like sensors, actuators, and controllers to be reachable and operational by a designated entity upon request. Denial of Service (DoS) attack has an impact on the availability of information through communication channels and poses a threat to such security requirements.
The ability to accomplish operational goals while preventing and detecting intrusions into the communication channels between actuators, sensors, and controllers is referred to as a system's integrity. Attacks on the power system that pose a danger to its integrity typically change the data sent via its communication channels. Integrity attacks primarily target telemetered data from the RTU of power systems, such as line flows or power signals. Attacks on data integrity pose substantial risks to the reliable operation of power grids or other systems.
The ability of the system to prevent unauthorised users from accessing information is referred to as confidentiality. This stops eavesdropping on the communications of sensors, actuators, and controllers from being used to infer the status of physical systems. Therefore, very effective detection and defence methods against cyber-attacks are needed to ensure the three security features.
What course of actions should the power generation and distribution companies follow for effective cybersecurity?
If smart grid organisations are up to the mark in preventing at least the cyber-attacks which impact confidentiality, integrity, and availability, it will prevent most of the cyber threats to the mission-critical asset, which is the power grid. Apart from that, an organisation must have defence-in-depth in place, strengthening its various layers. Many cybersecurity standards, including the latest BDSLCCI framework, which was invented by me for small and medium enterprises (SME), are based on these core cybersecurity concepts.
The amount of energy needed rises exponentially as technology and new inventions are used more frequently. Smart grid communication infrastructure growth in recent years has given rise to new cyber security-related problems in the physical power system. The separation of the cyber and physical domains is a common practice in handling cyber-attacks on power systems. Therefore, it is crucial to integrate the physical and digital power systems. The cyber physical power system (CPPS) is being introduced to overcome these problems.
The core physical power system and the cyber system make up the majority of the CPPS. The goal of CPPS is to efficiently and effectively monitor and manage the smart grids. Power transmission, generation, distribution, use of electricity, supervisory control and data acquisition (SCADA), and use of power are some of the phases that make up the CPPS. Because these phases of smart grids are vulnerable to cyber-attacks, it is crucial to compile, analyse, and keep track of cyber-attack techniques on CPPS for the purpose of defending against various cyber-attacks. This area is still evolving with the changing digital era.
Dr Shekhar Pawar is a DBA in the cybersecurity domain at SSBM, Switzerland. He has completed his executive management degree from SJMSOM, IIT Bombay, and engineering in electronics and telecommunications from Mumbai University. Some of his skills and certifications include Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), ISO 27001 – Lead Auditor, PCI DSS Implementer, Diploma in Cyber Laws, Microsoft Certified Professional (MCP), Certified Blockchain Developer, Certified ATM for CMMi Assessment, DSP & Applications – IIT Madras, and Diploma in Industrial Electronics. He is also the author of the nonfiction book ‘Air Team Theory: Understanding 10 Types of Teammates and Best Practices to Succeed’. Currently he is working as Founder and CEO of SecureClaw Inc., USA, and GrassDew IT Solutions Pvt Ltd, Mumbai.