For the first time ever, India’s sprawling power utilities have cybersecurity rules in place. On 7 October, India’s electricity policy advisor and regulator, the Central Electricity Authority (CEA), issued extensive cybersecurity guidelines, the CEA (Cyber Security in Power Sector) Guidelines, 2021, for the power sector.
Utilities have to put in place basic security controls, invest in updating their electronics and software—whether connected by the internet or air-gapped—test all equipment for backdoors and trojans, and carry out timely audits. The guidelines aren’t binding yet, but the CEA hopes to make them so within a year or two, giving utilities time to get their acts together, multiple officials associated with India’s Ministry of Power told The Ken.
The power utilities could share their feedback on the guidelines before that happens. Once made mandatory, it could take another six months to a year for utilities to bring their facilities up to scratch. Overall, though, it could take up to five to seven years for power companies to fully mature and ready themselves for fast-evolving cyber threats, said an official who’s part of the committee that drafted the new rules.
That is time India’s power sector doesn’t have. Several power generation and transmission and distribution companies, both from the public and private sector, use Chinese equipment. “The ministry feared that if there were trojans embedded in the equipment in the grid, China might activate them at an opportune time,” said an official who has worked closely with the ministry on security matters. It was a fear that gave Indian power ministry officials sleepless nights in 2020, when border conflicts between India and China spiralled.
The fear came alive on 12 October 2020, when the country’s financial capital Mumbai was forced into a city-wide blackout for up to six hours. While the union government denied that the blackout had anything to do with China, attributing the grid failure to human error, industrial security experts The Ken spoke to believe that’s only partly true. The outage could have been triggered by cyber manipulation.
“The hackers messed up the dashboards connected to the plant machinery, generating false alarms, compelling shutting down of the grid manually,” said a senior executive with a multinational cyberservices firm.