Independent research specialised at risk evaluation of Critical Infrastructure in the Energy Sector, have recently reported that the threat due to cyber-attacks is truly dynamic, and the counter measures will always be short-lived and the environment is again susceptible to cyber-attacks in the next instance. It can be recalled that, last year, a massive attack was directed by state/non-state actors on Colonial Pipeline, a major supplier of transportation fuel in the United States. The Cyber Attack was a well-executed ransomware attack that shut the operations of the Gas Pipeline causing damage and denial of service to the consumers. The attack was then traced to the group ‘Darkside’, which had caused extensive damage leading to price hike and panic-buying at the fuel pump until the payment of $4.4 million was made in Bitcoin to attacker. The attack was a simple theft of username and password from the virtual private network that was not using multifactor authentication, thereby leaving the hacker to exploit the vulnerability.
In India, the Digital Critical Infrastructure Sector is provided protection and immunity through the IT Act 2000, and in specific through the provisions of relevant sections of the Act. The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under the provisions of Section 70A of the Information Technology Act, 2000, for protection of the Critical Information Infrastructure (CII). CII is defined as those facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation. Recently, Ministry of Electronics and Information Technology (MeitY) has also launched the Cyber Surakshit Bharat initiative which was in conjunction with the National e-Governance Division (NeGD). This program along with CERT-In and NCCC will also be assisting the protection of Critical Information Infrastructure in India.
DNV, a Norway based consulting has recently conducted a survey of 948 energy professionals across the globe, and found that while IT environments are protected, energy businesses need to boost security for its operational technologies (OT), which are the computing and communication systems they use to manage, monitor and control industrial operations. The survey found that fewer than half of the respondents (47%) believe that their OT security is as robust as their IT security and less than one-third of those working with OT believe their company is making securing their supply chain a top priority. The lack of security is not because they are not aware of the possibility of cyberattacks. 85% of the respondents believe that a cyberattack on the energy sector is likely to cause operational shutdowns and damage to energy assets and critical infrastructure. In the survey, 74% expect an attack to damage the subscribers while about 57% speculate that the loss due to attack will cause devastating loss. This finding of the survey also points to a need for energy companies to invest in training employees, and this should be a continued process. Less than six in 10 (57%) of energy professionals say their employers cyber security training is effective.
The Power Minister, Shri RK Singh, in the Government of India, while addressing the issue of Security of the Energy Sector, in April 2022 at New Delhi, informed that “Our defence against cyber attack is strong. These were probing attacks in December, January and February. They did not succeed. But we are aware”. He also said “that the country has a strong defence against any kind of cyber attacks”, while referring to reports of Chinese state-sponsored hackers targeting power grid in Ladakh. The minister also informed that the country had take proactive measures well back in year 2018 against suspected cyber attacks on the country’s power supply system.
In some of the incidents of Cyber Attack on the power sector, the suspected Chinese attacker (believed to have been developed by contractors for China’s Ministry of State Security) had used trojan ‘ShadowPad’. This also indicates that the attacks are not only done by Non-State actors, but also by State-Sponsored Agencies. India’s Energy needs have increased multi-fold and in the day ahead, the need will see an exponential growth.
The Power Sector is the most frequently targeted Critical Infrastructure and this Sector rides completely on Information Technology (IT), Industrial Control Systems (ICS) and Information Communication Technology (ICT) Assets. The use of Supervisory Control and Data Acquisition (SCADA) Systems in the complete Energy Sector makes the Systems more susceptible to Cyber Attacks on these Assets. The need to manage risk arising due to Cyber Attacks in this is a mandate that all stakeholders including Government has to exercise.