Cyber Security in the Power Sector


Published on

Smart Grid Mission promises to modernize India’s power sector but is highly susceptible to cyber attacks. Focus of cyber attacks evolving. Earlier: pure financial motive; Now: creating mayhem. Comprehensive security policy and regulatory response required for the power sector

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cyber Security in the Power Sector

  1. 1. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL1 Cyber Security in the Power Sector Assessing vulnerabilities in the Power Industry Value Chain
  2. 2. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL2 The Reality of Cyber Threats Understanding the need for a dedicated security machinery HIGHLIGHTS Smart Grid Mission promises to modernize India’s power sector but is highly susceptible to cyber attacks Focus of cyber attacks evolving. Earlier: pure financial motive; Now: creating mayhem Comprehensive security policy and regulatory response required for the power sector
  3. 3. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL3 Introduction • R-APDRP: Restructured Accelerated Power Development and Reforms Program – ICT intensive modernization of India’s state electricity boards • Smart Grid Mission: $5.8 billion outlay in 12th Five Year Plan (2012-17) • Addresses capacity storage issues and transmission & distribution losses • Risk: Technology intensive, hence susceptible to cyber attacks Attack on the National Critical Infrastructure (NCI) can bring the nation to its knees
  4. 4. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL4 • Cyber attackers can cause widespread damage without taking excessive risk • Power sector nuances: Generation, transmission & distribution are all at risk Enforcing Cyber Security Appreciation Acknowledge the threat Discovery Find the exposure/threat Attribution Identifying the perpetrator/source Address jurisdiction issues Determine appropriate reponse Information sharing, collaboration and learning Lack of an international legal framework is a major hurdle to implementing these Steps to Enforce Cyber Security
  5. 5. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL5 Vulnerabilities in the Value Chain 11% 62% 14% 13% Electric Terrorism: % of attacks by grid components targeted (1994-2004) Generation Transmission Substations Others Generation Vulnerabilities • Weaknesses in GenCos' IT systems • SCADA vulnerabilities: Weak authentication, backdoors, ladder logic Transmission Vulnerabilities • D-DOS attack on smart grids • Malicious data injection • Attacks on controllers (SCADA, PLCs) Distribution Vulnerabilities • Network Operating Centre impersonation • Smart Meter tampering through unauthorized control Other vulnerabilities • Telemetry (data connectivity) systems have little to no security protocols • Consumer data can potentially be stolen from Smart Grids and put to malicious use • Zero-day threats due to gaps in network zoning, default passwords, dated patch updates. Power sector is vulnerable to both short-term and long-term disruptions, e.g.: – Unauthorized access to control systems causes outages, overloads or other damages – Malicious data transmission causes unintended system behavior – Meter tampering causes huge financial losses due to replacement – Theft of personally identifiable information reveals usage patterns, home occupancy, etc.
  6. 6. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL6 Importing Best Practices • Non-power NCI sectors – Banking and telecom have rigorous and mature security mechanisms – Power companies have much to learn from RBI, SEBI, DoT and TRAI • Metrics – Measuring and reporting – Clear goals and measurable metrics should be established for all systems – GenCos and grid cos. should follow regulations like SOX and PCI-DSS • Global cyber security regulations for the power sector – E.g., U.S. follows a voluntary reporting approach for its power sector while the EU has compulsory compliance in place – Indian power sector can pick and choose from such regulations Power sector can learn about cyber security from : • Other National Critical Infrastructure (NCI) sectors of India • Regulations prevailing in power sector in other countries
  7. 7. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL7 Conclusion  Upgrading power infrastructure without addressing security risks can make it highly susceptible to cyber threats.  Cost-benefits study must be done at each step, although it can be challenging in areas where loss expectancy is hard to quantify.  The security policy should address the entire spectrum of cyber security, possibly leveraging prior experiences of other agencies.  Continuous monitoring and well- defined incident response guidelines can go a long way in reducing risk exposure.
  8. 8. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL8 For more details please visit the link below: threats-in-the-power-sector.pdf
  9. 9. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL9 About Wipro Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology"; helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation and an organization wide commitment to sustainability; Wipro has over 140,000 employees and clients across 61 countries. For more information, please visit
  10. 10. © 2014 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL10 Thank You ©Wipro Limited, 2014. All rights reserved. For more information visit No part of this document may be reproduced in whole or in part without the written permission of the authors. Wipro is not liable for any business outcome based on the views presented in this document. For specific implementation clients should take advise from their client engagement manager.