Protecting power assets

Kudankulam should serve as a wake-up call

Kudankulam Nuclear Power Plant
Business Standard Editorial Comment
3 min read | Last Updated: Nov 04 2019 | 1:07 AM IST
Last week, the Nuclear Power Corporation of India Ltd (NPCIL) admitted that computer systems at the Kudankulam nuclear power station had been infected with malware since early September. This confirmed rumours about cyberattacks targeting India’s power system. Cyber-threat researchers estimate that a large number of assets on India’s national power grid could be vulnerable to attacks. India may be under-prepared to protect these assets for a variety of reasons. Ramping up security across the power grid should be a strategic priority since this is a tempting target for terrorists, in addition to being vulnerable in the case of hostilities with any other nation. Cyberattacks on nuclear installations and other power sector assets have become increasingly common. Some attacks have been carried out by state actors, while others appear to be the work of cybercriminals out to steal data, or extract ransom. The infamous Stuxnet attack on Iran’s nuclear sector in 2010 is believed to have set back its nuclear programme by years. There have been multiple ransomware assaults on electric power billing systems across the world.
 
Known cyberattacks on Indian power sector assets include a November 2017 malware attack on the Tehri Dam in Uttarakhand, a ransomware attack on West Bengal State Electricity Distribution Company in May 2017, an attack on Rajasthan’s discom (February 2018), and an attack on Haryana’s discoms (March 2018). Kudankulam is high on the list of such targets because it is both part of the nuclear programme and on the power grid. The NPCIL infection is said to be caused by Dtrack, a Trojan that creates backdoors into computer networks. This was originally developed and commonly used by North Korean hackers with state backing. However, there are many variations of Dtrack “in the wild” and the code may have been adapted by another group.
 
White-hat hackers have released lists of dozens of other Indian power sector assets that they claim are vulnerable to cyber-assaults. While the Indian Computer Emergency Response Team (CERT-In) claims to be aware of these vulnerabilities, and is reported to have issued advisories in many instances, it has its hands tied because it is the responsibility of the organisation owning the asset to protect it. It is also true that much of the equipment on the power grid is old and based on outdated chips with vulnerabilities that cannot be patched. The government has been trying to set up a system for cyber-protection of infrastructure with the National Critical Information Infrastructure Protection Centre (NCIIPC) as a coordinator and dedicated sectoral CERTs, such as CERT-Thermal-NTPC and CERT-Transmission-POWERGRID, which are responsible for guarding power assets. However, it has to iron out the bureaucratic hassles in assigning the responsibility, which can prevent a vulnerability being patched even after it is identified.
 
Protecting power assets will be increasingly important, given the linking of all the regional grids to the national grid. While the linking makes it easier to supply power to any region on demand, it also makes the entire infrastructure more vulnerable to contagion from cyber-attacks. It is quite conceivable that an aggressive cyber-assault could cause a nationwide outage. A holistic plan must be devised and implemented to prevent such a disaster.       

   
 

