Cyber security issues in India have gradually started gaining attention of our government departments and ministries. However, till now cyber security has not been given the priority and importance that it deserves. The cyber security trends and developments in India 2013 (PDF) have proved this point. We still lack an implementable techno legal cyber attacks crisis management plan of India. We have no dedicated cyber security laws in India. It is only now that the national cyber security policy of India 2013 (NCSP 2013) has been declared by Indian government. However, the actual implementation of the NCSP 2013 has yet to take place.
Cyber security legal practice in India is still maturing and there are very few law firms that can take up cyber security related cases. As a result most of the cyber attacks and cyber contraventions are either not detected or they are not reported and properly prosecuted. This position may change very soon as Indian government has proposed to introduce the cyber security disclosure norms in India.
The cyber security of automated power grids of India is still not upto the mark and the cyber security challenges for the smart grids in India are still unresolved. Indian government must ensure robust and effective cyber security for power energy and utilities in India. Thus, a robust crisis management plan for preventing cyber attacks on the power utilities in India is need of the hour.
The supervisory control and data acquisition (SCADA) has been in limelight these days. This is because malware are specifically designed these days to target SCADA systems. It is not the case that malware were not used in the recent past to target SCADA systems but their sophistication and intensity has increased tremendously these days. The critical infrastructure protection in India (PDF) needs to be strengthened to prevent such cyber attacks upon the SCADA systems of India.
As per the media reports, the increasing cyber attacks targeting and paralysing key thermal power infrastructures has forced the Union power ministry to grade such installations as sensitive or hypersensitive, and asked state governments, officials of state-owned and private electricity generation stations to ensure physical, technological and cyber security of their units.
The Ministry of Power has also formed a panel for development of National Infrastructure Protection Plan in thermal power sector. The committee will be headed by a member of the Central Electricity Authority and members drawn from CISF, IB, NIC and power utilities. The panel has already prepared guidelines for physical, technological and IT security of thermal power stations. However it is yet to be seen how effective such guidelines are and when those guidelines would be actually implemented.
In Orissa, the 460 megawatt thermal power station of NTPC at Talcher and 3000 megawatt Super Thermal Power Station in Kaniha have been labelled hypersensitive by the ministry, while the upcoming 1800 megawatt thermal power station by Jindal India Thermal Power Ltd at Derang of Angul district was termed sensitive. Similarly, the upcoming 350 megawatt thermal Power Station of KVK Neelachal at Cuttack has been marked as hypersensitive, while Jindal India Thermal Power and Monnet ISPAT Thermal Power Station at Angul was labelled sensitive.
Sources in the NTPC said the guidelines suggested creation of a nodal agency at central level to carry out classification of the projects based on threat perception and intelligence inputs. The nodal agency would prepare standard security manual with graded security guidelines, coordinate security response requirements with the power stations and law enforcement agencies, prepare roadmap and contingency response plans, develop guidelines for security audits and establish procedures for dealing with bomb threats.
They also said the guidelines contain physical security measures to be provided at the thermal power stations, such as boundary walls, biometric/iris-based access control systems, CCTV surveillance as well as operational measures to be taken by the stations like evacuation plan, record keeping, engagement of security agencies, segregation of security sensitive areas. The panel has also suggested cyber security measures.