Headlines in multiple newspapers drummed up the possibility of a cyber-attack being responsible for the power outage in Mumbai last month. While the systems have been restored, the possibility of future attacks on critical infrastructure by an inimical state is a stark reality we are faced with. The anonymity that cyberspace provides makes such attacks a suitable option, not just for coercion but also for inflicting physical and economic consequences. The author discusses the vulnerabilities in our systems and our preparedness to respond to such attacks.
With the ever-evolving need to achieve improved efficiencies through higher automation, seamless integration of the physical world with the cyber world is being rapidly undertaken. The Robotic Process Automation for systems like airline reservation/cancellation, audit paperwork etc., is predicted to be adopted by 90 per cent of large organisations globally by 2022. Cyber-physical systems are present in smart solutions like power distribution smart grids, smart medical services, smart factories, and smart cities etc., which form part of critical infrastructures.
However, with the advent of cyber-physical integration, the cyber vulnerabilities that earlier existed in IT infrastructure now affect operational technologies too. Modern warfare strategists exploit such vulnerabilities to launch cyber-attacks on an adversary’s defence establishments, air defence systems, financial hubs (stock exchanges), banking, power stations, government machinery and nuclear facilities as part of preparations to launch an offensive. Such cyber-attacks are virtual weapons that possess a surprise element and can harm critical infrastructure even without delivering a physical weapon. Due to the mesh structure of cyber inter-connectivity, it is mostly impossible to locate the source of an advanced cyber-attack.
Cyber-attacks in various shapes, sizes and means, by non-state or state actors, are common during peacetime too. The world over, thousands of virtual attacks take place every day, 24/7. As per the 2019 report of CERT-In (Indian Computer Emergency Response Team), about 4 lakh cyber incidents were registered for India. The types of incidents reported are as indicated in the Figure below:
Smart Grid Power Distribution Systems
In India, power distribution is segregated into five primary regional grids, which are synchronously inter-connected. There are 250 sub-stations, with a transformation capacity of approximately half a million MVA (mega volt-amps). This power transmission network is required to be maintained at 90 per cent availability throughout the country. The transmission lines on this network utilize bulk-power electric systems like sub-stations, power generators, capacitors, transformers etc. Additionally, protective controls like relays, measuring sensors, high voltage circuit breakers, and distributed and industrial control systems are also integral to the system. Cyber hackers use ‘backdoor’ electronics or programmable components fitted in hardware such as power transformers, which can be activated or timed to change operations disruptively. Such hardware could be sourced from China, directly or indirectly through various global supply chains.
Major Ports Infrastructure
Indian ports handle about 90 per cent of EXIM (export-import) cargo by volume and 70 per cent by value through 12 major and 65 minor ports in the country. These ports are automated for operations and deployment of computer-based systems is being implemented to improve process efficiencies.
The International Maritime Organisation (IMO) has published guidelines, with effect from 1 January 2021, to facilitate appropriate cyber risk management for ships and port infrastructure and to ensure safe and secure shipping such that operations are resilient to cyber risks. These regulations follow the US National Institute of Standards and Technology (NIST) Cybersecurity Framework Guidelines, promulgated for private sector companies to comply with so as to be better prepared to detect and respond to cyber-attacks.
Cyber technologies are essential on-board a ship for operations and management and are critical for the safety and security of shipping. The access interconnects or networking makes these systems vulnerable to cyber risks. Some examples of such systems are – bridge systems, cargo handling and management systems, propulsion and machinery management, power control systems, passenger servicing and management systems and communication systems.
IMO Resolution MSC.428(98) describes the guidelines for cyber risk assessment in the existing safety management systems. For example, as per the Resolution, the major ports are to comply with the following aspects:
- “Cyber Managed Prepared” notation applicable to buildings and focuses on shipyard level only. It mentions the compliance requirements for critical equipment, remote access and system integration.
- Type Approval for systems and equipment suppliers to include Cyber Resilience, i.e., design, integration and maintenance of computer-based equipment to have secure operations. It elaborates the steps to shield the systems against unauthorized access, misuse, modification or destruction of the information generated, stored, used or communicated on the connected networks.
- A Criticality Assessment is recommended to provide an assessment of impact in case of a cyber-attack. This assessment takes into account various equipment and human factors.
- Extensions hardening, Industrial Control System hardening and Equipment hardening are means to secure the system by reducing its ‘surface of attack’.
Cybersecurity: Technology Trends
The advanced technologies which shall play an important role in combating cyber risks are:
- AI for Cyber Security: Artificial Intelligence and Machine Learning, utilized to develop Smart Security Solutions, shall also be the tools to fight cybercrimes. These solutions inherently possess the following characteristics: real-time intelligence to learn, adapt and self-organise; real-time clocks; scalable networked architecture; embedded security for sustainability; cyber and physical system integration.
- Quantum Computing: Presently, various post-quantum cryptography standards are being worked out. The quantum era shall improve cybersecurity by detecting and thwarting cyber-attacks in real-time. However, quantum computing is a double-edged sword that can render legacy encryption algorithms irrelevant, since the cyber attacker shall now be able to break such traditional encryption to carry out his activities.
Multiple standards and international guidelines already exist for countering cyber risks. Compliance with these standards and the various other cybersecurity frameworks established by the Government of India is to be strictly followed to keep the critical infrastructure safe from cyber risks. Some of the popular standards are:
- ISO/IEC 27001 (Information technology, Security techniques, Information Security Management Systems Requirements) provides companies with the necessary knowhow to protect their valuable information. More and more Indian companies should comply and get themselves certified against ISO 27001, thereby assuring customers’ data security protection. It addresses the following main aspects:
  - (i) Confidentiality: Only authorized persons can access the information
  - (ii) Integrity: Only authorized persons can change the information
  - (iii) Availability: Assurance that the information is accessible to the authorized persons when required
- UN Resolution 2341 (2017): As per the counter-terrorism Cybersecurity Initiative described in UN Resolution 2341 (2017), the Security Council calls upon all member States to establish international partnerships with stakeholders, both public and private, to share information and experience related to cybersecurity in order to prevent, mitigate, investigate and respond to terrorist attacks on critical infrastructure facilities. In 2019, India signed Memoranda of Understanding (MoUs) on cybersecurity cooperation with Finland, Estonia and South Korea for information sharing and collaboration on incident resolution. India also convenes the Asia Pacific Computer Emergency Response Teams (APCERT) pertaining to IoT Security and Secure Digital Payments. However, these tie-ups are considered too few to effectively counter the ever-evolving cyber threats.
Apart from the desired functionalities, cyber-physical systems for critical infrastructure should necessarily fulfil three other key attributes, viz. safety, security and sustainability. The edge technology needs to be robust against cyber exploitation. The government needs to make compliance with Cyber Secure Standards mandatory for all, especially the key infrastructure agencies like Power Grid, Ports and other strategic installations. As described by the IMO Regulations, a detailed review of all the critical infrastructure is required to be undertaken first, commencing with units that have programmable devices for information exchange embedded within systems. The supply chain vulnerabilities in the provisioning of such key equipment are to be identified and assessed, and the vulnerabilities plugged immediately. India is still in the process of creating a resilient cyber deterrent network but needs to rapidly keep pace with the fast-evolving, advanced and more complex cyber threats. This is a challenging task but definitely achievable, and in any case, there is not much of a choice when it comes to national security.
Cdr Milind Kulshreshtha (Retd)
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of BharatShakti.in)