By Nikunj Garg and Prajakta Chaudhari
The early hours of 9/11 of 2019 brought in a report that at least 30 cyber-attacks were attempted, every day, on the Power Sector of India. Two years down the line, the Government of India acknowledged that four Regional Load Dispatch Centres were under a massive cyber-attack. Even though unsuccessful within the Power Sector as of yet, one cannot avoid noticing the recent successful cyber-attack on Oil India that shut down all systems at their headquarters and came in with a price label of $7.5 million (approx. Rs 57 crores).
Cyber-Error is a costly affair!
Apart from the damaging effects that a malign cyber-attack would have on the public life and economic activities of the nation, it would be pertinent to note that the Government of India had enshrined the essence of electricity in all dimensions of the life of the people of the nation by recognizing it as a ‘basic human need’ in its National Electricity Policy, 2005. Now, what makes this analysis furthermore interesting is that various sources confirm that around 85% of consumers; across categories, are connected to the electricity grid today. So, a cyber-attack on the Power Sector of India could be construed as a violation of the rights and privileges of an entire people of a nation.
A call for aggrandising the cyber-defences of our Power Sector
Considering the cyber-attacks on the Power Sector of India over the past few years, and the increase in their numbers year-on-year, it is evident that the function of cybersecurity has gained focus amongst the Power Sector organisations, across the value-chain, within the nation. Moreover, taking cognizance of the trend of the ever-escalating creativity in the manner in which these attacks are conducted, it is imperative that we ought to consider improving our ‘established’, ‘strong’ defences.
So, cyber-securing the Power Sector organisations across the value-chain is not only vital from the perspective of ensuring continued, peaceful conduct of public life and persistent progress of economic activities within the nation, but also fundamental from the standpoint of safeguarding the rights and interests of the people of India. Moreover, since it is well-established knowledge within the academia-government-industry ecosystem; worldwide, that cyber-attacks on National Critical Infrastructure are becoming relentlessly more complex and crippling, the matter attains a prominent degree of urgency – because the only window available with our Power Sector organisations to better their cyber-defences, is from now until the point-in-time where cyber-criminals have obtained sufficient understanding of our Information Technology systems.
Hence, a supplemental effort to our existing endeavours of rigorously working towards making the digital systems of our Power Sector organisations vulnerability-free is required to be put in outrightly.
A potential way forward by way of ‘Learning’
An approach leveraging the ‘learning’ process, in the form of the ‘Distract-Learn-Secure Strategy’ is recommended to be explored for employment. The Distract-Learn-Secure Strategy is envisaged to comprise of two components – first, element of distraction within the existing digital ecosystem of our Power Sector organisations for slowing the cyber-criminals in their process of learning about the digital ecosystem of our Power Sector organisations, and second, an additional line of defence for enabling ‘our learning’ of the behaviours and traits of the cyber-criminals assailing our Power Sector’s digital systems. As an outcome of its implementation, the Distract-Learn-Secure Strategy is intended to create two additional lines of cyber-defence over and above our existing installations of cybersecurity.
The ‘Distract-Learn-Secure’ strategy
The digital systems of our Power Sector organisations are inherently characterized by enormous intricacies on account of the roadmap of their development over time. The ‘Distract’ element of the Distract-Learn-Secure Strategy aims to utilize this intrinsic feature of the digital systems of our Power Sector organisations, and enhance it with prudent installations of honeypots for misrepresenting the digital ecosystem of our Power Sector organisations to the cyber-criminals. This approach is expected to lead to a larger number of failed attacks, which; in turn, is contemplated to yield in two advantages predominantly – first, it will provide us with additional opportunities of learning about the behaviour of the cyber-criminals through their failed cyber-attacks on our systems, and second, it will prolong the duration of time-to-a-successful-attack allowing us to further strengthen our cyber-defences.
In comparison to the ‘Distract’ element, the ‘Learn’ element of the Distract-Learn-Secure Strategy is anticipated to be a vigorously active pursuit. It will entail in setting-up of a dedicated Cybersecurity Governance Office; under the IT function of a Power Sector organisation, that will ensure meticulous execution of Standard Operating Procedures pertaining to the learning actions of our Power Sector organisations. In addition, this operation is also prognosticated to result in the creation of a comprehensive, robust knowledge base for not only planning upgrades to the existing lines of defence within an organisation, but also providing a possibility of building a sector-wide, national-level ‘collective defence’ through collaboration between Power Sector organisations and government.
Prima facia, commissioning of the Distract-Learn-Secure Strategy may seem extraordinarily tedious, and even unnecessarily costly and futile. However, considering the safeguard it shall offer to the operations of our Power Sector ecosystem, and its concomitant impact on the public life and economic activities of the nation, the effort and expenditure only seems justifiable.
(The authors, Nikunj Garg is director, Cyber and Prajakta Chaudhari, manager, Cyber at Grant Thornton Bharat. Views are personal.)