Building Cyber Resilience in Critical Infrastructure
While accelerated digital transformation has helped energy companies extract business value, it has also exposed vulnerabilities in cyberspace. How can energy companies build resilience?
September 03, 2022. By News Bureau
A few years ago, Mumbai witnessed a major power shutdown that crippled hospitals, trains, and the stock market. The disruption affected nearly 20 million people in the middle of a raging pandemic. In another incident, a nuclear power plant in India suffered a serious cyber security breach.
Both incidents are reported to have involved some element of cyber mischief, possibly malware attacks by hackers. The key intention was data theft, coupled with a plan to manufacture chaos, disrupt essential services, and cause major operational damage. Even leading equipment manufacturers have fallen prey to cyberattacks.
Power Plants: A Sweet Spot for Cyberattacks
Increased adoption of technologies such as Cloud, Smart Grids, Industry 4.0, and IIoT has led to an increase in cyber intrusions and cyberattacks. According to a National Herald report, Indian power plants face at least 30 cyberattacks every day. This number is expected to grow by leaps and bounds.
The nodal agency, the National Critical Information Infrastructure Protection Centre (NCIIPC), classifies power plants and the transmission and distribution (T&D) sector as Critical Information Infrastructure (CII). In the event of external aggression or terrorist attacks, CII becomes a prime target for hackers, because disrupting it immediately disrupts economies and everyday life. Meddling with transportation, healthcare, and power grids can pose physical threats to citizens.
Building Resilience: Understanding the Types of Cyberattacks
Cyber security can no longer be restricted to IT alone. It has to become a business priority and have a place in the boardroom. Energy firms can create a culture of resilience by educating employees, increasing awareness, and helping them identify threats, especially social engineering attempts that prompt victims to share confidential data.
Plant assets are operated by SCADA, DCS and PLC systems, which are designed to work only within a limited, secured perimeter. Exposing these assets to the internet makes them vulnerable to attack and thereby opens the possibility of disrupting CII. Here are some of the most common cyberattacks:
• Network Intrusions: An intrusion gives an attacker unauthorized access to a computer network. Intruders plant malicious code to extract critical data, keystrokes, passwords, etc. Other types of network intrusion include multi-routing and protocol impersonation, to name a few.
• Ransomware Attacks: The motive here is financial gain, achieved by blocking or encrypting critical data that is difficult to decrypt. The attacker may even threaten to permanently delete the data if the ransom is not paid on time. The attacker can be sitting in a different geography, often demanding payment in cryptocurrency, which offers anonymity and makes tracing difficult.
• Insider Threats: In most cases, people closely associated with the organization are the source of insider threats. Personnel credentials get compromised, and social engineering is the primary means of gaining access to those credentials.
• SQL Injection: Malicious code embedded in SQL statements. The key intention is to gain access to a database and read critical information.
• DoS and DDoS: A Denial of Service attack floods a service with requests from external, unauthorized agents so that, under the load, the system denies service to authorized users. A Distributed Denial of Service (DDoS) attack is a DoS attack launched from many distributed, compromised systems.
• Malware Attacks: Malware is code developed to gain unauthorized access to data, a system or a network with the intention of causing severe damage. It is typically delivered through links or emails from unknown entities. Clicking the malicious link starts code execution, which then initiates unauthorized actions or attacks, putting the business at risk.
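To make the SQL injection entry above concrete, here is an added Python example (not code from the article or from Bahwan CyberTek) that builds a small constructed SQLite table of plant operators and looks a user up in two ways: once by concatenating the input into the SQL text, which lets a crafted string change the meaning of the query, and once with a parameterized query, which binds the same input purely as data. The table, the usernames and the `' OR '1'='1` test string are all constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an operator/user store (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO operators VALUES (?, ?)",
        [("alice", "engineer"), ("bob", "viewer"), ("carol", "admin")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    # database parses whatever the caller supplied as part of the statement.
    query = f"SELECT username, role FROM operators WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened pattern: the driver binds the value to the placeholder; the input
    # can never alter the structure of the statement, only the value compared.
    return conn.execute(
        "SELECT username, role FROM operators WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed test string: when concatenated it turns the WHERE clause into a
    # tautology, so the vulnerable lookup returns every row in the table.
    injected = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_injected": lookup_vulnerable(conn, injected),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_injected": lookup_parameterized(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the block shows the two implementations agreeing on the benign input and diverging on the crafted one: the concatenating version leaks all three rows, while the parameterized version simply finds no operator with that literal name. Parameterized queries (or an ORM that uses them) are the standard fix; input filtering alone is not a substitute.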
Cyber Security Capabilities to Avoid Disruption
Threat actors are unfortunately leveraging the same digital transformation that has created value for business to carry out attacks and theft. Cyber security can no longer be something that becomes relevant only after an attack; we must build the capabilities to identify and prevent attacks. Here are some ways energy providers can boost cyber resilience.
• Creating Subnets: An architecture that divides the network into multiple subnetworks, each acting as its own network. This gives the administrator better access control and ensures better performance. Sensitive information thus becomes harder for intruders to reach, whether the network is physical or virtual.
• Checking IPs and Securing Servers: Provide access to content based on the user's geographical location. Check IPs, and identify and block blacklisted ones. Measure end-to-end delay in network response to identify the physical location of users. Use one hardened server as the control point where users log in to access systems in a different security zone.
• Strict SOPs for Cyber Health: Initiate and sustain the practice of upgrading or replacing legacy systems, applying patches, and changing passwords regularly. Deploy intrusion detection systems, maintain audit trails for critical areas, and conduct regular vulnerability assessments.
• Secure Data: Ensure critical data is encrypted at rest and in transit and is retained on secure, reliable networks. Use a multilayer network topology for the most critical communication.
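The three network-side measures above (subnets as security zones, a single hardened control point into the OT zone, blocking blacklisted IPs, and an intrusion detection capability that also catches the flooding behaviour described under DoS earlier) can be checked against traffic logs with a few lines of code. The following Python example is added here and is not the article's or Bahwan CyberTek's code; the OT subnet `10.20.0.0/24`, the jump host `10.10.0.5`, the blocklisted address, the flood threshold and the log lines are all constructed for the example, and the log format (`timestamp source destination action`) is an assumption.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed network layout (constructed for the example): the OT subnet holding
# SCADA/DCS/PLC assets may only be reached through the hardened jump host.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
JUMP_HOST = ipaddress.ip_address("10.10.0.5")
# Constructed blocklist of a single address (a real deployment would load a feed).
BLOCKLIST = {ipaddress.ip_address("203.0.113.77")}
# Requests from one source within the sample window that count as a flood (assumption).
FLOOD_THRESHOLD = 5

# Constructed log lines in the assumed format: "<time> <source_ip> <dest_ip> <action>"
SAMPLE_LOG = """\
12:00:01 10.10.0.5 10.20.0.11 read_tag
12:00:02 10.10.0.23 10.20.0.11 read_tag
12:00:03 203.0.113.77 10.10.0.40 login
12:00:04 198.51.100.9 10.10.0.40 login
12:00:04 198.51.100.9 10.10.0.40 login
12:00:04 198.51.100.9 10.10.0.40 login
12:00:05 198.51.100.9 10.10.0.40 login
12:00:05 198.51.100.9 10.10.0.40 login
12:00:05 198.51.100.9 10.10.0.40 login
12:00:06 10.10.0.5 10.20.0.12 write_tag
"""


def parse_log(text):
    """Turn the raw log text into (time, source, destination, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, action = line.split()
        events.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), action))
    return events


def analyse(events):
    """Apply the three checks and return the findings grouped by category."""
    findings = defaultdict(list)
    per_source = Counter()
    for ts, src, dst, action in events:
        per_source[src] += 1
        # Check 1: traffic from a blacklisted address should have been blocked at the edge.
        if src in BLOCKLIST:
            findings["blocklisted_source"].append((ts, str(src)))
        # Check 2: anything entering the OT subnet that did not come via the jump host
        # bypasses the single hardened control point into that security zone.
        if dst in OT_SUBNET and src != JUMP_HOST:
            findings["ot_zone_bypass"].append((ts, str(src), str(dst)))
    # Check 3: a source issuing an abnormal number of requests in the window is a
    # simple volumetric (DoS-style) indicator worth alerting on.
    for src, count in per_source.items():
        if count >= FLOOD_THRESHOLD:
            findings["possible_flood"].append((str(src), count))
    return dict(findings)


if __name__ == "__main__":
    for category, hits in analyse(parse_log(SAMPLE_LOG)).items():
        print(category, hits)
```

On the constructed sample the analysis flags one blocklisted login attempt, one host on the corporate subnet reading a tag in the OT zone without going through the jump host, and one external source issuing six logins in two seconds. The same structure scales to a real log source; the threshold and window would be tuned from normal traffic rather than fixed as here.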
The Government of India, through the Ministry of Power and the CEA, released cyber security guidelines in 2021 that clearly define all the requirements and compliance obligations a CII should adhere to. The Indian Computer Emergency Response Team (CERT-In) is created across the sectors (thermal, hydro, transmission, grid operation, renewable energy, and distribution). The guidelines refer to ISO/IEC standards for equipment, communication standards, risk assessment, audit requirements, testing, reporting, crisis management, etc., with which CIIs are required to comply.
Being cyber ready is key for any business, and all the more so for CII. The more consistently security protocols and best practices are followed, the better we can prevent intrusions and unwanted data theft. CIOs of organizations will have a major role, along with the government, in strategizing and adhering to guidelines and standards. Cyberattacks will continue; however, it is important that we strive for a fool-proof ecosystem and social awareness to prevent such risks.
- Lakshman Rao Ramesh Sutrave, Principal Consultant, Bahwan CyberTek
If you want to cooperate with us and would like to reuse some of our content,
please contact: contact@energetica-india.net.