CYBER THREATS AND SECURITY FOR POWER SECTOR
By Vivek Goel, Director (DPD), CEA
Cyber threats in power sector
With the introduction of Information & Communication Technology (ICT) in the power sector, the power system is exposed to cyber space and has become vulnerable to cyber attacks. The introduction of the smart grid has opened up the power sector to outsiders, as the smart grid is increasingly dependent on IT systems. With automated operation of grid elements, the cyber space in the power sector has grown, and so have the cyber security vulnerabilities. Automation makes an increased number of entry points and paths available to potential adversaries, and an attack on smart meters and smart appliances may lead to commercial loss as well as a breach of privacy for individual consumers at the distribution level.
Power sector areas where cyber threats are to be dealt with
1. Information Technology for system operation
* Grid SCADA systems
* System Data Acquisition System (DAS)
* Outage Management System / Distribution Management System of DISCOM
* Advanced Metering Infrastructure (AMI)
2. Information Technology for other business functions
* Metering, Billing and Collections
* Consumer Web Portal
* Office IT
3. Communication Systems for coordination amongst operators and the above data exchange / processing nodes
Impact of cyber attack in power sector
Generation sector
Any cyber attack on a generation plant can bring the whole plant down and lead to an outage of its generation capacity. A vulnerability in the control systems used across a set of plants can lead to a safety incident if exploited at several plants simultaneously. However, a cyber attack at a single node may not disrupt multiple plants, and grid operation planning already provides for the contingency of one plant being lost.
Transmission sector
Power transmission is geographically spread across the country, and deployment of SCADA systems is necessary for efficient monitoring and effective control of the transmission system. Any attack on the SCADA/EMS systems will jeopardize control and monitoring of the grid and impact the reliability of the power system. A coordinated cyber incident at critical grid nodes (substations) can also disrupt the integrated operation of the grid. Cyber attacks on substation automation systems can damage substation equipment and endanger the safety of operating personnel; the impact will be localized but could be severe depending on the criticality of the node.
Distribution sector
IT penetration in the Indian distribution sector for control and operation is relatively low; it is presently concentrated in MIS, metering and billing. A cyber incident in distribution may not affect the operation of the grid. However, distribution system operations are increasingly being centralized, and a cyber incident at the central location can cause power supply failure. Disruption of supply to critical infrastructure and customers such as hospitals, metro and railways is of strategic concern. Interruption or wrong reporting of data collected through Advanced Metering Infrastructure (AMI) may result in wrong or no operational decisions.
Computer Emergency Response Team-India (CERT-In)
The Information Technology Act 2000 and its Amendment Act 2008 designate CERT-In as the national nodal agency to perform the following functions in the area of cyber security:
• Collection, analysis and dissemination of information on cyber incidents
• Forecasts and alerts of cyber security incidents
• Emergency measures for handling cyber security incidents
• Coordination of cyber incident response activities
• Issue of guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
• Such other functions relating to cyber security as may be prescribed
CERT-In enabling assistance
• Development and implementation of a sectoral crisis management plan (CMP) in line with the national crisis management plan (CMP) of CERT-In.
• Remote profiling of IT systems and networks to determine their cyber security posture.
• Cyber security drills to enable organizations to assess their preparedness to resist cyber attacks and to enable timely detection, response, mitigation and recovery actions in the event of cyber attacks.
CERT-In enabling assistance (cont.)
Information security management best practices as per international standards have been mandated for compliance within Govt. and critical sectors. The following enabling actions have been taken to assist compliance efforts, covering process, product, system and people:
• Certification scheme as per the ISO 27001 standard
• Tool for assisting ISMS implementation and self-assessments
• Cyber Security Assurance Framework
• Security test/evaluation facility for test and evaluation of IT products as per the ISO 15408 Common Criteria standard
• Empanelment of IT security auditing organisations for IT infrastructure audits for Govt. and critical sectors
• IT security skill-specific training courses for people
• Guidelines for infrastructure security, user-end equipment security and information security
Various cyber threats listed in the CMP of CERT-In
• Large-scale defacement and semantic attacks on websites: A website defacement is when a defacer breaks into a web server and alters the contents of the hosted website. Attackers may change the content of a web page subtly, so that the alteration is not immediately apparent; as a result, false information is disseminated.
• Malicious code attacks (virus/worm/Trojans/Botnets): Malicious code or malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Malicious code is hostile, intrusive, or annoying software or program code. Commonly known malware are viruses, worms, Trojans, spyware, adware and bots.
• Large-scale SPAM attacks: Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. SPAM mails may also contain viruses, worms and other types of malicious software and are used to infect IT systems. As a result, spamming could disrupt e-mail services, messaging systems and mobile phone communications.
Cyber threats listed in the CMP of CERT-In (cont.)
• Large-scale spoofing: Spoofing is an attack aimed at identity theft. It is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining access to modify the original process or response, or undermining legitimate operation, with or without illegitimate advantage to the perpetrator.
• Phishing attacks: Phishing is an attack aimed at stealing confidential data, such as usernames, passwords and credit card details, that can lead to online fraud.
• Vishing attacks: Vishing is a combination of 'voice' and 'phishing'. It is the practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. It exploits trust in landline telephone services and uses VoIP to trick the user.
Cyber threats listed in the CMP of CERT-In (cont.)
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: DoS is an attempt to make a computer resource unavailable to its intended users. A DDoS attack occurs when multiple compromised computer systems flood the communication link (bandwidth) or resources of a targeted system. DDoS attacks are launched through a botnet, which is a network of compromised computer systems called 'bots'.
• Domain Name Server (DNS) attacks: Attacks on DNS servers aim at denying the resolution of a domain name into an IP address or reverse DNS queries, or at redirecting users and traffic to fake/malicious domains in some other country, to disrupt internet and mail traffic in the country/domain of the target.
• Application-level attacks: Exploitation of inherent vulnerabilities in the code of application software such as web servers, mail servers, databases and controllers.
Cyber threats listed in the CMP of CERT-In (cont.)
• Infrastructure attacks: Attacks such as DoS, DDoS and corruption of software and control systems such as Supervisory Control and Data Acquisition (SCADA) and Centralized/Distributed Control Systems (DCS), and of gateways of ISPs and data networks.
• Compound attacks: By combining different attack methods, hackers could launch an even more destructive attack. Compound attacks magnify the destructiveness of a physical attack by launching a coordinated cyber attack alongside it.
• Router-level attacks: Routers are the traffic controllers of the Internet, ensuring the flow of information (data packets) from source to destination. Routing disruption could lead to massive routing errors, resulting in disruption of Internet communication.
Cyber threats listed in the CMP of CERT-In (cont.)
• High Energy Radio Frequency attacks: Use of physical devices such as antennas to direct a focused beam, which can be modulated from a distance to cause RF jamming of communication systems, including wireless networks, leading to attacks such as denial of service.
• Cyber espionage: A targeted attack resulting in compromise of a computer system through social engineering techniques and specially crafted malware. Data from the compromised system is siphoned off to remote locations. Common channels of attack include spoofed or compromised e-mail accounts of key officials.
• Unauthorized access: Targeted scanning, probing and reconnaissance of networks and IT infrastructure in sensitive Government and critical information infrastructure.
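One defensive control for the website defacement threat listed above is integrity monitoring of the hosted content: a known-good copy is kept off the web server and the served pages are compared against it, so that even a one-character edit to a notice shows up. The following Python block is an added example, not code from the CEA presentation or from CERT-In; the page paths, page text and helpline number in it are constructed sample data.

```python
"""Web content integrity check for spotting defacement, including subtle edits.
Added example, not from the CEA presentation. Page paths and page text are
constructed sample data."""
import difflib
import hashlib


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(pages):
    """Snapshot known-good content as path -> {digest, body}.
    Keep this copy off the web server so an intruder cannot update it too."""
    return {path: {"sha256": sha256_text(body), "body": body}
            for path, body in pages.items()}


def changed_lines(old, new):
    """Line-level diff, so a one-word change (a date, an amount) is surfaced."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def check_integrity(baseline, current_pages):
    """Compare what the web server currently serves against the baseline.
    Returns findings for modified, missing and unexpected pages."""
    findings = []
    for path, ref in baseline.items():
        body = current_pages.get(path)
        if body is None:
            findings.append({"path": path, "status": "missing", "changes": []})
        elif sha256_text(body) != ref["sha256"]:
            findings.append({"path": path, "status": "modified",
                             "changes": changed_lines(ref["body"], body)})
    for path in sorted(set(current_pages) - set(baseline)):
        findings.append({"path": path, "status": "unexpected", "changes": []})
    return findings


# Constructed sample: the served copy differs from the baseline by one digit
# in the outage date (the kind of subtle alteration the slide describes) and
# carries one page that was never part of the baseline.
KNOWN_GOOD = {
    "/index.html": "<h1>State Power Utility</h1>\n"
                   "<p>Scheduled maintenance outage: 12 March, 22:00 to 02:00</p>\n",
    "/contact.html": "<p>Helpline: 1800 000 0000 (constructed number)</p>\n",
}
SERVED_NOW = {
    "/index.html": "<h1>State Power Utility</h1>\n"
                   "<p>Scheduled maintenance outage: 13 March, 22:00 to 02:00</p>\n",
    "/contact.html": "<p>Helpline: 1800 000 0000 (constructed number)</p>\n",
    "/promo.html": "<p>New page not in the baseline</p>\n",
}


def run_demo():
    return check_integrity(build_baseline(KNOWN_GOOD), SERVED_NOW)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["status"], finding["path"], *finding["changes"], sep="\n  ")
```

The digest comparison is what makes the check cheap to run every few minutes; the line diff is only computed for pages whose digest already differs, and it is what lets an operator see that the change was a date rather than a whole-page replacement.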
CYBER SECURITY STANDARDS / REGULATORY FRAMEWORK FOR POWER SYSTEMS
Standards and guidelines can be used to help identify problems and reduce the vulnerabilities in an ICT system deployed for the power sector, thereby reducing cyber security concerns. Relevant international standards:
Product and application level:
• IEC 62351 parts 1 to 7
• IEC TC 57 WG15 security standards
Organization and regulatory level:
• NERC CIP-002 through CIP-009
• NIST Guide to Industrial Control Systems Security, SP 800-82
• NIST Guide to Smart Grid Cyber Security, NISTIR 7628
• Guidelines from the Centre for the Protection of National Infrastructure (CPNI), UK
National Initiatives
The Department of Information Technology, Ministry of Communication and Information Technology, Government of India has prepared a Crisis Management Plan for countering cyber attacks and cyber terrorism, to prevent large-scale disruption in the functioning of critical information systems of Government, public and private sector resources and services.
In December 2010, the Ministry of Power constituted CERT-Thermal (nodal agency: NTPC), CERT-Hydro (nodal agency: NHPC) and CERT-Transmission (nodal agency: PGCIL) to take necessary action to prevent cyber attacks on the utilities under their jurisdiction. The State utilities were requested to prepare their own Crisis Management Plans (CMP) and to be in touch with the nodal agencies, i.e. NTPC, NHPC & PGCIL, and with CERT-In for the necessary actions.
The nodal agencies for Hydro and Thermal, i.e. NHPC and NTPC, have prepared Crisis Management Plans (CMP) for hydro/thermal power stations, and the nodal agency for CERT-Transmission, i.e. POWERGRID, is preparing a Crisis Management Plan (CMP) for the transmission sector. They are also participating in mock drills carried out by CERT-In and have carried out audits of cyber security in their organisations.
National Initiatives (cont.)
Guidelines for the cyber security framework, issues and standards are being prepared by BIS in association with CPRI under Sectional Committee LITD-10, and the work on preparation of standards is in progress. Under LITD 10, it was decided to adopt the IEC/TS 62351-1 to 62351-7 specifications as Indian Standards, as these were considered to be important technical specifications from the security point of view. These 07 documents of the IEC 62351 series are still at the printing stage. Further, Panel 2 on Security, LITD 10/P2, has submitted the draft standard "Security Standard for Power Control Systems", which has been prepared indigenously. During the last meeting of LITD 10, held on 09 Jan 2013, it was decided that this draft standard would be sent into wider circulation for a period of one month to seek comments from stakeholders.
Immediate measures for prevention of cyber attacks
Physical security: All vulnerable areas, such as the control centre area, should be notified as restricted areas, and only authorized persons should be allowed to enter. Security should be manned round the clock by armed personnel of the Central Industrial Security Force (CISF) or other security agencies approved by the GOI, equipped with metal detector systems etc. For important locations, e.g. the entry gate, building door and control room door, a video surveillance system should also be installed, and all movements may be monitored from the control room. The video images should also be continuously recorded for review, record and investigation purposes. Further, control room and computer room doors should be equipped with an access security system that can be opened with an identity card only, so that all equipment deployed in the nerve centre is protected against intrusion and surveillance is performed to maintain an integrity check.
Immediate measures for prevention of cyber attacks (cont.)
Identification of critical cyber assets/areas: There is a need for formal identification/notification of critical cyber assets for:
• Major power station control rooms
• All LDCs, i.e. NLDC, all RLDCs and SLDCs
• All EHV-AC substations (>400 kV)
• HVDC stations (>500 MW)
• Generating plants
• Distribution grid feeders to critical infrastructure
Risk assessment and vulnerability study in each area of responsibility:
• Generation plants
• All Load Dispatch Centers
• All transmission substations
• Distribution substations
Creation and enactment of a Cyber Security Policy covering all the stakeholders of cyber space in the Indian power system.
Immediate measures for prevention of cyber attacks (cont.)
Secure product deployment:
• Deploy a secured network architecture for control centres.
• Deploy network security products such as firewalls, IDS/IPS, VPN, IPSec and a central logging server in line with CERT-In guidelines.
• Deploy physical access control devices at power utility premises, such as CCTV cameras and biometric scanning.
• All application or proprietary software to be deployed in power system applications shall be tested for cyber vulnerabilities.
• Follow all the guidelines suggested by ISGTF / CERT-In.
Immediate measures for prevention of cyber attacks (cont.)
Process management:
• Continuous evaluation of vulnerabilities
• Device configuration management
• Cyber security audit process management
• Process of obscurity
• Process of segregation
• Necessary screening before choosing to outsource a process
Personnel and training management:
• Authorized users of secured control rooms (Zone Blue) in the power sector should be adequately trained and certified. Certification of a user entitles that person to a defined set of user access permissions to critical cyber assets.
• Other users with indirect access to the critical cyber assets should be trained in cyber security awareness.
• Each user action is to be logged and monitored to check employee behaviour at various levels for possible internal vulnerabilities, which are harder to tackle than external intruders and do more harm.
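The certified-user permissions and per-action logging in the personnel bullets above can be expressed as a small access controller that decides each request against the user's certification level and rostered shift, records every decision, and lets a reviewer pick out users with repeated denied attempts. The Python block below is an added example, not code from the CEA presentation; the certification levels, the shift roster, and the user and asset names are hypothetical.

```python
"""Certified-user access control for critical cyber assets with a full audit
trail. Added example, not from the CEA presentation; the certification levels,
shift roster, user names and asset names are hypothetical."""
from collections import Counter
from datetime import datetime

# Hypothetical certification levels and the actions each level entitles.
LEVEL_PERMISSIONS = {
    1: {"view"},                          # read-only display access
    2: {"view", "ack_alarm"},             # may also acknowledge alarms
    3: {"view", "ack_alarm", "control"},  # may also issue control commands
}


class AccessController:
    def __init__(self, certifications, shifts):
        self.certifications = certifications  # {user: certification level}
        self.shifts = shifts                  # {user: (start_hour, end_hour)}
        self.audit_log = []                   # every request, allowed or not

    def _on_shift(self, user, ts):
        start, end = self.shifts.get(user, (None, None))
        return start is not None and start <= ts.hour < end

    def request(self, user, action, asset, ts):
        """Decide one request and record it. Returns True if allowed."""
        level = self.certifications.get(user, 0)   # uncertified -> level 0
        allowed = action in LEVEL_PERMISSIONS.get(level, set())
        reason = "permitted by certification" if allowed else "not certified for action"
        # Control commands additionally require the user to be on a rostered shift.
        if allowed and action == "control" and not self._on_shift(user, ts):
            allowed, reason = False, "control command outside rostered shift"
        self.audit_log.append({"ts": ts.isoformat(), "user": user, "action": action,
                               "asset": asset, "allowed": allowed, "reason": reason})
        return allowed


def flag_users_for_review(audit_log, denied_threshold=2):
    """Users with repeated denied requests are an insider-risk indicator."""
    denied = Counter(e["user"] for e in audit_log if not e["allowed"])
    return sorted(u for u, n in denied.items() if n >= denied_threshold)


def at(hour, minute):
    """Constructed timestamps on one day, for the demo only."""
    return datetime(2013, 1, 9, hour, minute)


def run_demo():
    ac = AccessController(
        certifications={"op_a": 3, "viewer_b": 1},   # contractor_c is uncertified
        shifts={"op_a": (6, 14)},
    )
    ac.request("op_a", "control", "400kV-BUS1-CB", at(9, 30))      # allowed
    ac.request("op_a", "control", "400kV-BUS1-CB", at(22, 5))      # outside shift
    ac.request("viewer_b", "view", "400kV-BUS1-CB", at(10, 0))     # allowed
    ac.request("viewer_b", "control", "400kV-BUS1-CB", at(10, 1))  # not certified
    ac.request("viewer_b", "control", "400kV-BUS1-CB", at(10, 2))  # not certified
    ac.request("contractor_c", "view", "RTU-SS07", at(11, 0))      # uncertified
    return ac


if __name__ == "__main__":
    controller = run_demo()
    for entry in controller.audit_log:
        print(entry)
    print("flag for review:", flag_users_for_review(controller.audit_log))
```

Denied requests are written to the audit log exactly like allowed ones; that is what makes the review step possible, and it is the part most often missing when logging is bolted on afterwards.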
Immediate measures for prevention of cyber attacks (cont.)
Mock drills:
• In view of the IT framework and the security of information, utilities have to develop a crisis management plan and undertake the periodic mock drill exercises initiated by CERT-In.
• Utilities need to continuously interact with CERT-In to adopt all the new tools for mitigating risks from various cyber attacks.
• Utilities need to appoint a cyber security officer in their IT cell for cyber security.
• CERT-In has empanelled cyber auditors, and utilities may take the help of these cyber auditors.
• The CMP of CERT-In also lists the steps to be taken by organizations/utilities in case of any cyber attack/crisis.
ROAD MAP FOR CYBER SECURITY IN INDIAN POWER SECTOR
• Harmonization of various standards and guidelines on cyber security for power systems in the Indian context.
• Formulation and enactment of a Cyber Security Policy for the Indian power sector in synchronization with CERT-Transmission / Thermal / Hydro.
• Strengthening of the communication network through laying of optical fibre cables by State transmission and distribution utilities.
• Preparation of a Disaster Recovery / Crisis Management Plan for countering cyber attacks in the system, as per the "Crisis Management Plan for countering cyber attacks and cyber terrorism" issued by the Ministry of Communication & Information Technology, CERT-In.
ROAD MAP (cont.)
• Mitigation strategies for countering physical attacks have to be drawn up by all the power utilities.
• Capacity building through identification of agencies for training of personnel in cyber security aspects.
• Creation of a regulatory framework for cyber security in power systems.
• Vendor development for cyber security systems as per international/national standards.
• Identification of cyber security vulnerabilities through comprehensive annual security audits with respect to the best security practices employed in the power sector globally.
ROAD MAP (cont.)
• Establishment of security teams to identify, evaluate, work against and perform drills for possible attack scenarios.
• The Ministry of Power has constituted the following CERTs (Computer Emergency Response Teams), with the nodal agency identified for each:
  CERT-Hydro: NHPC
  CERT-Transmission: POWERGRID
  CERT-Thermal: NTPC
• Power utilities may get in touch with these nodal agencies for necessary help regarding cyber security in their systems.
Cyber security aspect in grid failure
The Central Electricity Authority constituted five Sub-Groups to enquire into the grid disturbance in the Northern, Eastern and North Eastern Regions on 30th and 31st July, 2012. One of the Sub-Committees was to look into the cyber security aspects of the grid disturbance. The Sub-Committee focused its examination on the following aspects:
• Status of IT intervention in the operation of the power sector
• Measures taken by various stakeholders to counter any possible cyber attack on their systems
• Communication facilities available between various stakeholders
Cyber security aspect in grid failure (cont.)
The Committee, in the course of meetings with stakeholders, reviewed the existence of appropriate security policies and procedures as envisaged in the Crisis Management Plan prepared and circulated by CERT-In. Based on the feedback provided by the stakeholders during the discussions, it emerged that:
• No abnormal cyber event was observed by the stakeholders prior to or during the grid disturbances on either occasion.
• They have their own dedicated PLCC / fibre optic based communication networks, which have no connection with the public domain.
• Adequate steps have already been taken by the various organisations, including PGCIL, NTPC, NHPC and POSOCO, to prevent cyber attacks on their systems, and they also have dedicated organisational policies in force.
• Regular cyber vulnerability tests, mock drills, cyber audits and other measures as per the Crisis Management Plan of CERT-In are reportedly being conducted by them.
Findings of the Sub-Committee on grid failure
After going through the records, discussions and field visits, it is observed that the operations of generating stations and substations are primarily manual and are performed locally, except in the case of a few 400 kV substations which are controlled from remote locations through dedicated networks. At present there is no wide area network at the generation/grid control level, and there is no communication with power utilities using the public domain. The Sub-Committee is of the opinion that this grid disturbance could NOT have been caused by a cyber attack.
Recommendations of the Sub-Committee on grid failure
• Although it emerged that power sector stakeholders have taken adequate steps to prevent cyber attacks on their systems and also have dedicated organisational policies in this regard, considering the latest developments in SCADA and system automation, CERT-Thermal, CERT-Hydro and CERT-Transmission need to expedite the preparation of sector-based Crisis Management Plans (CMP) in line with the CMP prepared by CERT-In, considering the specific threats to their systems including SCADA and PLCs, and should also extend support to other concerned Central and State power utilities as per the mandate of the Ministry of Power.
• The existing communication network should be maintained properly. RTUs and communication equipment should have an uninterrupted power supply with proper battery backup, so that in case of total power failure, supervisory command and control channels do not fail.
Recommendations of the Sub-Committee on grid failure (cont.)
• Regular cyber vulnerability tests, mock drills, cyber audits and other measures as per the Crisis Management Plan of CERT-In should be carried out by all the stakeholders.
• The organizations need to create a mechanism to collect and analyze all events/logs across their networks to detect abnormal events and report them to the sectoral CERT / CERT-In.
• A cyber audit specifically to detect malware targeting Industrial Control Systems (ICS) should be conducted at critical plants and substations after any abnormal event.
• A dedicated team of IT personnel for cyber security should be developed in all power stations and substations, and proper training for the team members should be conducted regularly by the respective organizations to upgrade their skills.
• Mitigation strategies for countering physical attacks have to be drawn up by all the power utilities.
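The recommendation to collect and analyse events across the network can be prototyped as a rule-based pass over a merged log stream that produces a summary suitable for forwarding to the sectoral CERT. The Python block below is an added example, not code from the CEA presentation or from any utility; the log format, host names, IP addresses, the list of authorised control consoles and the thresholds are all hypothetical, and the log lines are constructed.

```python
"""Collect event logs from several sites and flag abnormal events for reporting
to the sectoral CERT. Added example, not from the CEA presentation; the log
format, host names, addresses and detection thresholds are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")  # timestamp host program: message
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
CONTROL_RE = re.compile(r"CONTROL (\S+) (\S+) from (\S+)")

# Hypothetical list of operator consoles allowed to issue control commands.
AUTHORISED_CONTROL_HOSTS = {"10.10.1.5", "10.10.1.6"}


def parse(lines):
    """Turn raw lines from the central log server into event dicts."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, host, prog, msg = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "prog": prog, "msg": msg})
    return events


def detect(events, fail_threshold=4, window=timedelta(minutes=5)):
    """Apply simple rules over the time-ordered event stream; return findings."""
    findings = []
    failures = defaultdict(list)  # (host, source ip) -> recent failure times

    def add(e, kind, severity, detail):
        findings.append({"ts": e["ts"].isoformat(), "host": e["host"],
                         "kind": kind, "severity": severity, "detail": detail})

    for e in sorted(events, key=lambda x: x["ts"]):
        m = FAILED_RE.search(e["msg"])
        if m:
            key = (e["host"], m.group(2))
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
            if len(failures[key]) == fail_threshold:   # fire once, at the threshold
                add(e, "repeated_failed_logins", "high",
                    f"{fail_threshold} failures for {m.group(1)} from {m.group(2)}")
            continue
        m = ACCEPTED_RE.search(e["msg"])
        if m:
            key = (e["host"], m.group(2))
            if any(e["ts"] - t <= window for t in failures[key]):
                add(e, "login_after_failures", "high",
                    f"{m.group(1)} logged in from {m.group(2)} after repeated failures")
            continue
        m = CONTROL_RE.search(e["msg"])
        if m:
            if m.group(3) not in AUTHORISED_CONTROL_HOSTS:
                add(e, "unauthorised_control", "critical",
                    f"{m.group(1)} {m.group(2)} issued from {m.group(3)}")
            continue
        if "USB device inserted" in e["msg"]:   # common ICS malware entry route
            add(e, "removable_media", "medium", "removable media attached to an ICS host")
    return findings


def cert_report(findings):
    """Summary in the shape an organisation might forward to its sectoral CERT."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f"{f['ts']} {f['kind']} ({f['severity']}): {f['detail']}")
    order = {"critical": 3, "high": 2, "medium": 1}
    top = max((f["severity"] for f in findings), key=order.get, default="none")
    return {"count": len(findings), "max_severity": top, "by_host": dict(by_host)}


# Constructed log lines from three sites, as received (not yet time-ordered).
SAMPLE_LOG = [
    "2013-01-09T08:55:00 nldc-scada sshd: Failed password for ops from 10.10.1.6",
    "2013-01-09T09:00:10 nldc-scada ems: CONTROL CLOSE CB-220 from 10.10.1.5",
    "2013-01-09T02:10:05 substation-SS07 sshd: Failed password for admin from 10.20.7.55",
    "2013-01-09T02:10:40 substation-SS07 sshd: Failed password for admin from 10.20.7.55",
    "2013-01-09T02:11:15 substation-SS07 sshd: Failed password for admin from 10.20.7.55",
    "2013-01-09T02:11:50 substation-SS07 sshd: Failed password for admin from 10.20.7.55",
    "2013-01-09T02:13:20 substation-SS07 sshd: Accepted password for admin from 10.20.7.55",
    "2013-01-09T02:14:02 substation-SS07 rtu-gw: CONTROL OPEN CB-401 from 10.20.7.55",
    "2013-01-09T09:05:00 plant-TP03 hmi: USB device inserted on operator workstation",
]


def run_demo():
    return cert_report(detect(parse(SAMPLE_LOG)))


if __name__ == "__main__":
    print(run_demo())
```

The single failed login at NLDC and the control command from a listed console produce no finding, while the substation sequence is reported as three linked findings on one host; grouping by host in the report is what lets the sectoral CERT see them as one incident rather than three alerts.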
Recommendations of the Sub-Committee on grid failure (cont.)
• A regulatory framework should be created for cyber security in the power sector.
• An Office/Body of Cyber Security Auditors should be created within the power sector.
• Vendors for cyber security systems should be developed as per international/national standards.
• For smooth operation of grid systems, it is absolutely important that all the power generating and distributing stations are connected over a very reliable telecom network. A proper network may be built, preferably using MPLS (Multi Protocol Label Switching), which is simple, cost-effective and reliable. In remote places where connectivity is a problem, the stations can use dedicated fibre cable from the nearest node.
• Since the power grid has its own fibre optic cables, practically covering all major nodes and power stations, a proper communication/IT network may be built using dedicated fibres to avoid any cyber attack on the power system.