Iranian Hackers Created False Social Networking Accounts And A Bogus News Website To Spy On Military And Political Leaders In The US

Fake identities and pseudonymity are common features of the Internet. The United States has long been planning to use a fake virtual people botnet and persona management software. By now the U.S. must actually be using these tactics. It has been alleged that radio waves and malware have been used by the United States’ NSA for worldwide e-surveillance.

The relationship between the intelligence community, social media and open source intelligence is now well established. It is common practice among intelligence agencies around the world to use social media platforms and the Internet to gather intelligence-related information and data. The cyberspace landscape of India is changing fast, as is reflected in various cyber security and ICT trends. In keeping with contemporary requirements, the intelligence infrastructure of India needs transparency and strengthening.

It has been reported that the Iranian hackers created false social networking accounts and a bogus news website to spy on military and political leaders in the United States, Israel and other countries. ISight Partners, which uncovered the operation, said the targets include a four-star U.S. Navy admiral, U.S. lawmakers and ambassadors, and personnel from Afghanistan, Britain, Iraq, Israel, Saudi Arabia and Syria.

The firm declined to identify victims and said it could not say what data had been stolen by the hackers, who were seeking credentials to access government and corporate networks, as well as intelligence on weapons systems and diplomatic negotiations.

ISight dubbed the operation “Newscaster” because it said the Iranian hackers created six “personas” who appeared to work for a fake news site, NewsOnAir.org, which used content from the Associated Press, BBC, Reuters and other media outlets. The hackers created another eight personas that purported to work for defense contractors and other organizations, iSight said.

The hackers set up false accounts on Facebook and other social networks for these 14 personas, populated profiles with fictitious personal content, and then tried to befriend targets, according to iSight. The operation has been active since at least 2011, iSight said, noting that it was the most elaborate cyber espionage campaign using “social engineering” uncovered to date from any nation.

To build credibility, the hackers would approach high-value targets by first establishing ties with the victims’ friends, colleagues, relatives and other connections over social networks including Facebook Inc, Google Inc, LinkedIn Corp and Twitter Inc. The hackers would initially send the targets content that was not malicious, such as links to news articles on NewsOnAir.org, in a bid to establish trust. Then they would send links that infected PCs with malicious software, or direct targets to web portals that asked for network log-in credentials, iSight said.

Iranian hackers stepped up their activity in the wake of the 2010 Stuxnet computer virus attack on Tehran’s nuclear program, widely believed to have been launched by the United States and Israel. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have changed the way cyber warfare and cyber espionage battles are fought these days.

ISight said it could not ascertain whether the hackers were tied to the Tehran government, though it believed they were supported by a nation state because of the operation’s complexity.


Joshua Rogers Detected SQL Injection Vulnerability In EBay’s Sub Domain

EBay has been facing litigation in the United States and Europe over the cyber breach of its computer systems. These investigations would analyse whether or not EBay has failed to adhere to proper cyber security practices and disclosure norms. Meanwhile, EBay is planning to boost the cyber security of its systems and this effort seems to be working.

Recently the IT security expert Joshua Rogers discovered an SQL injection vulnerability on an eBay.com.au subdomain. Whilst looking for bugs in EBay, he came across the domain http://3.ebay.com.au/. It appeared to be a domain for phone users on the old “Three” phone carrier/network, which was bought out by Vodafone a while ago.

On the third tab of the page, there was a link to the “Categories section”. This is a list of categories where you can view items to buy or, as in this case, go into a sub-category. Joshua noticed that there were a few $_GET parameters being used. He simply put an apostrophe at the end of the first parameter, “emv_CatParent”. To his amazement, it came back with a half-completed page (pretty much the poster child of a blind SQL injection).

He faced some trouble during his exploration because Microsoft SQL Server was being used for the backend, not a Unix-based one. He loaded the website into sqlmap and did everything through there. First, he scanned the parameter to see if his assumption was right. He found that 1 to 10 columns were injectable. He also found that the “Microsoft SQL Server/Sybase stacked queries” were injectable. This meant possible file write/read, and he did not look further into this research.

He reported the vulnerability to eBay, which was grateful to him for exposing it. EBay patched the vulnerability very soon afterwards and publicly acknowledged Joshua’s efforts. This is the best step that the eBay team has taken after the recent cyber breach.
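The behaviour described in this post, an apostrophe appended to “emv_CatParent” cutting the page short, reproduced on a constructed in-memory table next to a parameterized handler. This is an added example, not eBay's or Joshua Rogers's code: SQLite stands in for the Microsoft SQL Server backend, and the table, handler names and page markup are hypothetical.

```python
import sqlite3

FOOTER = "<footer>end of page</footer>"


def make_db():
    """Build a constructed in-memory category table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE categories (id INTEGER PRIMARY KEY, parent INTEGER, name TEXT)"
    )
    db.executemany(
        "INSERT INTO categories VALUES (?, ?, ?)",
        [(1, 0, "Phones"), (2, 1, "Handsets"), (3, 1, "Accessories"), (4, 0, "Books")],
    )
    return db


def categories_concatenated(db, params):
    """'Before' handler: the request value becomes part of the SQL text."""
    parent = params.get("emv_CatParent", "0")
    page = ["<h1>Categories</h1>"]
    try:
        sql = "SELECT name FROM categories WHERE parent = " + parent + " ORDER BY id"
        for (name,) in db.execute(sql):
            page.append("<li>" + name + "</li>")
        page.append(FOOTER)
    except sqlite3.Error:
        # The statement no longer parses, so rendering stops part-way:
        # the visitor gets the header but no list and no footer.
        pass
    return 200, "\n".join(page)


def categories_parameterized(db, params):
    """Hardened handler: check the type first, then bind the value as data."""
    parent = params.get("emv_CatParent", "0")
    # A category id is a short run of ASCII digits; anything else is rejected
    # before it gets near the database.
    if not (parent.isascii() and parent.isdigit() and len(parent) <= 9):
        return 400, "Bad request"
    page = ["<h1>Categories</h1>"]
    rows = db.execute(
        "SELECT name FROM categories WHERE parent = ? ORDER BY id", (int(parent),)
    )
    for (name,) in rows:
        page.append("<li>" + name + "</li>")
    page.append(FOOTER)
    return 200, "\n".join(page)


def regression_check(handler, db):
    """Return the probe values for which the handler serves a truncated page.

    A 200 response without the footer means user input changed how the
    query was parsed, which is the symptom the post describes.
    """
    probes = ["1", "1'", "'", "1 ", ""]
    broken = []
    for value in probes:
        status, body = handler(db, {"emv_CatParent": value})
        if status == 200 and not body.endswith(FOOTER):
            broken.append(value)
    return broken


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", regression_check(categories_concatenated, db))
    print("parameterized:", regression_check(categories_parameterized, db))
```

The same check can run in a test suite against every handler that reads a request parameter, so a query that goes back to string concatenation is caught before release.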


Three U.S. States Are Investigating EBay’s Cyber Security Standards And Cyber Security Breach Disclosure Practices

Cyber security breaches are very common and are increasing the world over these days. Cyber criminals are targeting companies that possess and store sensitive information about people. These include banks, law firms, e-commerce companies and many more such institutions that retain others’ sensitive information.

However, these institutions are also required to ensure robust cyber security and effective data protection of the information and data submitted to them. We at Perry4Law believe that these institutions hold the information about their customers/clients in a fiduciary capacity and they are under legal obligation to protect this information as far as and as much as possible.

We also believe that the obligation is not only to protect the information but also to report any potential and actual cyber security breach that has taken place and that has endangered, or had the potential to endanger, the information of the customers/clients.

Companies the world over are not complying with cyber security breach notification requirements. For instance, Target Corporation was attacked by cyber criminals and as a result faced litigation threats around the world. Similarly, EBay was also attacked recently and it has asked its customers to change their passwords.

Now it has been reported that three U.S. states have initiated an investigation into EBay’s cyber security practices. Connecticut, Florida and Illinois said they are conducting a joint investigation of the matter. New York Attorney General Eric Schneiderman requested that eBay provide free credit monitoring for everyone affected, according to a person familiar with the matter.

Details about what happened are still unclear because eBay has provided few details about the attack, which is under investigation by the FBI and a cyber forensics firm. It is also unclear what legal oversight the states had to respond to eBay’s handling of the matter.

The states’ quick move to investigate the attack shows that authorities are serious about holding companies accountable for securing consumer data following high-profile breaches at other companies, including retailers Target Corp, Neiman Marcus and Michaels Stores and the credit monitoring bureau Experian Plc. Congress and the Federal Trade Commission are already investigating the Target breach, which resulted in the firing of the company’s chief executive and chief information officer.

The investigation by the three states will focus on eBay’s measures for securing personal data, the circumstances that led to the breach, how many users were affected and the company’s response to the breach, said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen. His office, which is also investigating breaches at Target Corp, Neiman Marcus and Experian, has already contacted eBay.

Several security experts said the best practices in responding to a breach of this type would be for eBay to have a message pop up when victims log in, telling them about it and forcing them to change their passwords.

EBay spokeswoman Amanda Miller declined to comment on the investigation by the three states or Schneiderman’s request for credit monitoring, but said the company was working with governments around the globe in the wake of the attack. “We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies”, she said. “We are fully cooperating with them on all aspects of this incident”.

Indian customers of EBay can also take appropriate action against EBay under Indian laws, especially under the Information Technology Act, 2000. Indian regulatory authorities and law enforcement agencies must also initiate their own investigations in this regard to safeguard Indian customers’ interests.


U.S. Public Utility Cyber Attacked And Its Control System Network Compromised Reports ICS-CERT

Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc. have been targeting virtually everything worth money or of strategic importance. They are also being used to engage in cyber warfare and cyber espionage activities. They are stealthy in nature and by the time they are detected much damage has already been done.

Supervisory control and data acquisition (SCADA) systems may be the new cyber attack priority for cyber criminals and rogue nations. The Internet is full of unprotected and unsafe devices, SCADA systems and computers. India is also required to protect critical ICT infrastructure (PDF) and SCADA systems.

The Department of Homeland Security (DHS) has reported that a sophisticated hacking group recently attacked a U.S. public utility and compromised its control system network, but there was no evidence that the utility’s operations were affected. The DHS also warned public utilities and critical infrastructure operators about the dangers of not using a firewall and allowing remote access to Internet facing devices.

As per the ICS-CERT report (PDF), the public utility was penetrated by a group of hackers that gained access to its control system network, although it found no evidence that the utility’s operations were affected. The agency said the utility was using a simple password mechanism, which hackers can easily bypass using a standard brute-forcing technique, trying various passwords until they hit the right one.

“It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified. This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring and detection capabilities” the ICS-CERT report claims.

The second threat involved an Internet-connected control system attached to a “mechanical device”, which was accessed by a hacker using SCADA protocol. ICS-CERT said the device can be accessed directly through the Internet and is not protected by a firewall or authentication access controls. The device, however, was disconnected for maintenance at the time of the attack, said the report.

ICS-CERT said that the use of tools such as SHODAN, Google and other search engines to look for and identify devices that were not meant to be Internet facing, as well as the emergence of vulnerabilities such as Heartbleed, continues to pose a threat to the Internet.
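The ICS-CERT quote above asks for monitoring and detection on remote access paths that rely on a simple password. The following added example, which is not taken from the ICS-CERT report, runs a sliding-window check over a constructed authentication log; the log format, the documentation-range addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not from the report).
SAMPLE_LOG = """\
2014-05-20T02:14:01Z remote-access src=203.0.113.7 user=admin result=FAIL
2014-05-20T02:14:03Z remote-access src=203.0.113.7 user=admin result=FAIL
2014-05-20T02:14:05Z remote-access src=203.0.113.7 user=admin result=FAIL
2014-05-20T02:14:06Z remote-access src=198.51.100.20 user=operator result=FAIL
2014-05-20T02:14:08Z remote-access src=203.0.113.7 user=admin result=FAIL
2014-05-20T02:14:10Z remote-access src=203.0.113.7 user=admin result=FAIL
2014-05-20T02:14:12Z remote-access src=203.0.113.7 user=admin result=FAIL
2014-05-20T02:14:20Z remote-access src=198.51.100.20 user=operator result=OK
2014-05-20T02:14:31Z remote-access src=203.0.113.7 user=admin result=OK
2014-05-20T02:14:40Z remote-access connection reset
2014-05-20T02:30:00Z remote-access src=192.0.2.55 user=operator result=FAIL
2014-05-20T02:40:00Z remote-access src=192.0.2.55 user=operator result=FAIL
2014-05-20T02:50:00Z remote-access src=192.0.2.55 user=operator result=OK
"""

LINE_RE = re.compile(r"^(\S+) remote-access src=(\S+) user=(\S+) result=(FAIL|OK)$")
Alert = namedtuple("Alert", "kind src user when")


def parse_line(line):
    """Return (timestamp, src, user, result), or None for lines that do not fit."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    stamp, src, user, result = match.groups()
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when, src, user, result


def detect(lines, max_failures=5, window=timedelta(minutes=1)):
    """Flag sources with max_failures failed logins inside the window,
    and any successful login that directly follows such a burst."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    active = set()                 # sources already alerted for this burst
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed lines are skipped, not fatal
        when, src, user, result = event
        recent = failures[src]
        while recent and when - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if not recent:
            active.discard(src)  # burst is over; a new one alerts again
        if result == "FAIL":
            recent.append(when)
            if len(recent) >= max_failures and src not in active:
                alerts.append(Alert("BRUTE_FORCE", src, user, when))
                active.add(src)
        elif len(recent) >= max_failures:
            # A login that succeeds right after a burst of failures is the
            # event to escalate: the password may have been guessed.
            alerts.append(Alert("SUCCESS_AFTER_FAILURES", src, user, when))
            recent.clear()
            active.discard(src)
        else:
            recent.clear()  # ordinary success after a typo or two
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert.when.isoformat(), alert.kind, alert.src, alert.user)
```

A fixed window only catches fast guessing; slow attempts spread over hours need a longer window or a per-account lockout on the device itself.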


Cyber Security Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013

Recently the Ministry of Corporate Affairs (MCA) notified many provisions of the Indian Companies Act, 2013 (PDF) and the corresponding rules under the same. Most corporate stakeholders have considered the new company law of India to be a purely corporate regulatory framework. However, this is not true, as the Indian Companies Act 2013 has prescribed legal obligations that are far more complicated than those of traditional company law.

The truth is that the new company law of India has prescribed many techno legal compliance requirements that very few companies and their directors are capable of managing. As a result, cyber law and cyber security related legal violations would be abundant in the coming times.

With the formulation of the proposed cyber security breach disclosure norms of India and possible cyber security laws in India, Indian companies and their directors would find themselves in a legal fix. The powers of Serious Frauds Investigation office (SFIO) have also been significantly increased by the Companies Act 2013. SFIO has become very active in prosecuting Indian companies and their directors in the recent past. With the notification of the Companies (Inspection, Investigation and Inquiry) Rules, 2014 (PDF) SFIO would become more active in this regard.

The legislature made sure that the regulatory compliances under the Indian Companies Act 2013 cover cyber law and cyber security compliances as well. The directors’ liabilities under the Indian Companies Act 2013 also cover cyber law due diligence (PDF), cyber security due diligence, e-discovery compliances, cyber forensics, etc. on their part. Even the cyber security obligations of law firms in India have significantly increased and various stakeholders, including companies and law firms, must keep in mind the international legal issues of cyber security.

The Companies (Management and Administration) Rules, 2014 (PDF) also prescribe many techno legal and cyber security obligations upon the directors of a company. The directors must be well versed with the techno legal regulatory provisions under the Companies Act 2013 and other technology laws of India.

The cyber security trends and development in India 2013 (PDF), provided by Perry4Law’s Techno Legal Base (PTLB), have also indicated that various corporate stakeholders would be required to comply with cyber law and cyber security related obligations in the near future. As on date, companies and directors are not complying with the cyber law and cyber security obligations as prescribed by Indian laws and regulations.

As the cyber law and cyber security obligations of the directors of companies operating in India have been clearly mandated by various laws of India, it is in their own interest to ensure their due compliance.


Law Firms Cyber Security Obligations Are Increasing

Cyber criminals target banks and financial institutions because that is where the money is. This traditional theory has now been expanded to other segments as well, as either money or information and data worth money is available at multiple platforms and locations. Law firms are one such place where information worth money is available. The potential buyers for information extracted from law firms range from competitors to cyber criminals. This is the reason why law firms are facing increasing and incessant cyber attacks, and in most cases cyber criminals successfully get the information they are looking for.

There are no universally acceptable cyber security treaties or conventions as on date. This is a problematic situation as cyber security is an international issue (PDF) and not a national one. Therefore, an international cyber security treaty is required (PDF). In the absence of such a globally acceptable cyber security treaty, the conflict of laws in cyberspace would continue to make things difficult. International legal issues of cyber attacks must be addressed by all nations as soon as possible. India must also safeguard its critical infrastructures and other utilities from global cyber attacks and cyber threats.

Cyber security in India is still maturing and the cyber security trends and developments in India 2013 (PDF) projected many shortcomings of the same. The cyber security policy of India 2013 has still not been implemented by Indian government and various stakeholders like banks have ignored the same as mere non obligatory guidelines.

Companies and individuals are still not much concerned about ensuring a robust cyber security. Even cyber security best practices in India have not been formulated by most stakeholders, including Indian government. There are very few law firms that are practicing in the field of cyber security and who understand the complexities and requirements of cyber security at national and international levels.

Law firms have not only cyber security obligations but also obligations arising out of e-discovery and cyber forensics legal mandates. The Indian government is planning to formulate the e-mail policy of India that would be implemented by government officials across India. Such a policy may be required to be followed by all stakeholders, including law firms, in future. Cyber security laws in India may also be formulated very soon that would impose obligations upon law firms to protect the data and information of their clients.

Even at the international level, law firms are not managing cyber security related obligations in a proper manner. Most of the time cyber breaches are not reported at all and this puts sensitive data of clients at risk. A well planned cyber security strategy for law firms is the need of the hour, and every law firm must put one in place and implement it effectively and dedicatedly.


International Legal Issues Of Cyber Attacks And Indian Perspective

Cyber security threats are global in nature due to the very nature of the Internet and its multifaceted stakeholders. Cyberspace also puts forward complex problems of authorship attribution for cyber attacks and anonymity. It also gives rise to conflict of laws in cyberspace, where multiple laws of different jurisdictions may be applicable at the same time. Take the example of Target Corporation, which is facing litigation in multiple jurisdictions as it failed to take cyber law due diligence despite becoming aware of the cyber attack and data breach. Similarly, cyber attacks are targeting Bitcoin users and Bitcoin exchanges the world over. Sophisticated malware like Uroburos/Snake has been making the rounds undetected for years before being found.

As cyberspace and the Internet have become very hostile and vulnerable to cyber attacks, countries across the world have started to strengthen their cyber security capabilities. While protecting their own cyberspace domain, various countries must understand that cyber security is an international issue (PDF) and not a national one. Therefore, an international cyber security treaty is required (PDF). In the absence of such a globally acceptable cyber security treaty, the conflict of laws in cyberspace would continue to make things difficult.

Of course, we have mutual legal assistance treaties (MLATs) between different nations that can help in collaborating and cooperating regarding an international cyber attack. However, these treaties are not always very helpful. For instance, the United States has not only refused to serve Indian summons upon US websites including Facebook and Google but has also blocked an MLAT attempt to make Google, Facebook, etc. comply with Indian laws. Similarly, an Indo-American alert, watch and warn network for real time information sharing in cyber crime cases has been proposed between the U.S. and India but its establishment and effectiveness are yet to be tested.

This would force India to search for alternatives where it has more direct and effective control over cyber incidents having Indian connections and effect. The cyber warfare policy of India (PDF) and e-surveillance policy of India (PDF) must be urgently drafted and implemented. Similarly, self defence and privacy protection in India must be ensured. To strengthen these efforts, cyber security laws in India are required to be formulated urgently. The cyber security of the e-governance infrastructure of India is the need of the hour. Recently, India announced that it would constitute a tri-service cyber command for the armed forces of India. However, the ultimate solution is to formulate a techno legal national security policy of India that covers cyber security aspects as well.

You may see International Legal Issues of Cyber Attacks if you are interested in reading more on this aspect.


National Security Council (NSC) Proposes Three Pronged Cyber Security Action Plan For India

The Indian government has always been very slow in ensuring robust cyber security in India. Most of the actions of the Indian government are either knee-jerk reactions or ill-suited superimpositions of foreign models on Indian conditions. The National Cyber Security Policy of India 2013 (NCSP 2013) was formulated very late and has still not been implemented properly. Similarly, there is no dedicated cyber security law in India that can be invoked to punish cyber attacks against Indian cyberspace and critical infrastructures.

The conflict of laws in cyberspace has further complicated the Indian scenario. Foreign companies keep on operating from their home land and openly flout Indian laws. Law enforcement agencies of India are finding it really difficult to investigate cases relating to social media and foreign websites. The Supreme Court of India is presently hearing the Google’s online defamation case and this is a good opportunity for India to make these foreign companies and websites accountable to Indian laws.

We at Perry4Law have been suggesting for long that all Subsidiary/Joint Ventures Companies in India, especially those dealing in Information Technology and Online Environment, must mandatorily establish a server in India. Otherwise, such Companies and their Websites should not be allowed to operate in India. The Ministry of Home Affairs, India and Intelligence Bureau (IB) are already exploring this possibility.

We have also been suggesting that a “Stringent Liability” for Indian Subsidiaries dealing in information technology, online advertisement and online environment must be established by laws of India. More stringent online advertisement and e-commerce provisions must be formulated for Indian subsidiary companies of foreign companies and their websites.

Foreign e-mail service providers like Gmail are also actively violating Indian laws and they must be banned in India as they abet and encourage the commission of cyber crimes in India. In fact, an advisory has already been issued by the Maharashtra government to use official e-mails, Indian cloud based services and routing of traffic through the National Internet Exchange of India (NIXI). Further, the e-mail policy of India is already in the pipeline.

It has now been reported that to protect data of Indian Internet users, the National Security Council (NSC) has proposed a three-pronged action plan. This includes asking all email providers to set up local servers, creating an Indian email service and making it mandatory for government officials to use the email provided by the National Informatics Centre (NIC).  The NSC wants all data related to communication between two users in India to remain within the country. This is a logical move and is also the need of the hour.

“All email service providers may be mandated to host servers for their India operations in India. All data generated from within India should be hosted in these India-based servers and this would make them subject to Indian laws,” said an internal NSC note. The National Security Advisor has asked the Department of Telecom to look at the possibility of making it mandatory for all telecom and Internet companies to route local data through the NIXI.

For example, an e-mail sent from Delhi to Mumbai may now be routed through servers in the US for which the ISPs need to buy international bandwidth. If all ISPs connect to the National Internet Exchange, this data can be kept within the country.

However, foreign email service providers such as Google are not required to connect to the exchange or keep data within India as they are governed by the laws of their respective home countries. It seems the NSC failed to understand the requirement to regulate foreign e-mail service providers in India. This would also defeat the entire purpose of these suggestions. In the larger interest of India, foreign e-mail service providers like Gmail, Yahoo, Hotmail, etc. must also be forced to establish servers in India. Alternatively, the Indian traffic of these foreign e-mail services must be mandatorily routed through NIXI or other infrastructure.

In addition to this, the NSC paper said that the Government must facilitate the establishment of an Indian email service that would compete in terms of quality and technical sophistication with foreign players. The objective is to wean users from companies that do not conform to the requirements of India’s security. This is a good suggestion and Perry4Law welcomes the same.


Has Target Failed To Observe Cyber Law And Cyber Security Due Diligence After The Cyber Attack?

Cyber security breaches are common these days. It is also well understood that no one can ensure 100 per cent cyber security for their cyber infrastructures. However, with prudence and due diligence, cyber incidents can be minimised to the maximum possible extent. Similarly, coordinating with the national and international cyber security authorities is an essential requirement whenever a serious cyber attack or cyber threat is detected.

The requirement of cyber security breach notification originates out of this condition that needs a good legislative backing to make it effective. Countries around the world are formulating laws to make cyber security breaches disclosures mandatory. India has also proposed mandatory cyber security disclosure norms but till now they have not been formulated. However, sooner or later cyber security breach disclosures would become mandatory in India and companies must be prepared for the same in advance.

For instance, recently the National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. Almost all telecom companies of India are complying with this requirement by creating the Information Sharing and Analysis Centre (ISAC). The ISAC is an agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

Recently Target was targeted by cyber attackers and consumer information of mass proportion was leaked and stolen. According to Slate, 40 million credit card numbers and personal data from 70 million customers were stolen during an attack on Target that lasted from Nov. 27 to Dec. 18, when the big box store finally shut it down. Now the crucial question is whether Target failed to observe cyber law and cyber security due diligence?

Bloomberg Businessweek reports that Target officials could have been made aware of the attack on Nov. 30 and again on December 2. On both days malware detection software sent an alert to Target’s security monitors in Bangalore, India, who then contacted Target’s security team in Minneapolis. But for some reason, they apparently didn’t respond to either alert.

Congress is now investigating the situation, and congressional testimony shows that federal law enforcement officials got in touch with Target about the breach on December 12. Businessweek spoke to 18 people who either worked on Target’s cybersecurity in the past or have specific internal knowledge of the breach. Target’s chief financial officer, John Mulligan, told a congressional committee in February that the company began investigating December 12, when the U.S. Justice Department warned the company about suspicious activity involving payment cards.

“With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different,” company spokeswoman Molly Snyder said in a statement.

When asked to respond to a list of specific questions about the incident and the company’s lack of an immediate response to it, Target Chairman, President, and Chief Executive Officer Gregg Steinhafel issued an e-mailed statement: “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.”

Let us wait for the final outcome of all investigations and see how, and whether, Target would be held accountable for the loss of consumer data and personal information.


National Infrastructure Protection Plan In Thermal Power Sector Of India Proposed

Cyber security issues in India have gradually started gaining the attention of our government departments and ministries. However, till now cyber security has not been given the priority and importance that it deserves. The cyber security trends and developments in India 2013 (PDF) have proved this point. We still lack an implementable techno legal cyber attacks crisis management plan of India. We have no dedicated cyber security laws in India. It is only now that the national cyber security policy of India 2013 (NCSP 2013) has been declared by the Indian government. However, the actual implementation of the NCSP 2013 has yet to take place.

Cyber security legal practice in India is still maturing and there are very few law firms that can take up cyber security related cases. As a result most of the cyber attacks and cyber contraventions are either not detected or they are not reported and properly prosecuted. This position may change very soon as Indian government has proposed to introduce the cyber security disclosure norms in India.

The cyber security of automated power grids of India is still not up to the mark and the cyber security challenges for the smart grids in India are still unresolved. The Indian government must ensure robust and effective cyber security for power energy and utilities in India. Thus, a robust crisis management plan for preventing cyber attacks on the power utilities in India is the need of the hour.

Supervisory control and data acquisition (SCADA) has been in the limelight these days. This is because malware is now specifically designed to target SCADA systems. It is not that malware was not used in the recent past to target SCADA systems, but its sophistication and intensity have increased tremendously. The critical infrastructure protection in India (PDF) needs to be strengthened to prevent such cyber attacks upon the SCADA systems of India.

As per media reports, the increasing cyber attacks targeting and paralysing key thermal power infrastructures have forced the Union power ministry to grade such installations as sensitive or hypersensitive, and to ask state governments and officials of state-owned and private electricity generation stations to ensure the physical, technological and cyber security of their units.

The Ministry of Power has also formed a panel for development of National Infrastructure Protection Plan in thermal power sector. The committee will be headed by a member of the Central Electricity Authority and members drawn from CISF, IB, NIC and power utilities. The panel has already prepared guidelines for physical, technological and IT security of thermal power stations. However it is yet to be seen how effective such guidelines are and when those guidelines would be actually implemented.

In Orissa, the 460 megawatt thermal power station of NTPC at Talcher and the 3000 megawatt Super Thermal Power Station in Kaniha have been labelled hypersensitive by the ministry, while the upcoming 1800 megawatt thermal power station by Jindal India Thermal Power Ltd at Derang in Angul district was termed sensitive. Similarly, the upcoming 350 megawatt thermal power station of KVK Neelachal at Cuttack has been marked as hypersensitive, while Jindal India Thermal Power and Monnet ISPAT Thermal Power Station at Angul were labelled sensitive.

Sources in the NTPC said the guidelines suggested creation of a nodal agency at central level to carry out classification of the projects based on threat perception and intelligence inputs. The nodal agency would prepare standard security manual with graded security guidelines, coordinate security response requirements with the power stations and law enforcement agencies, prepare roadmap and contingency response plans, develop guidelines for security audits and establish procedures for dealing with bomb threats.

They also said the guidelines contain physical security measures to be provided at the thermal power stations, such as boundary walls, biometric/iris-based access control systems, CCTV surveillance as well as operational measures to be taken by the stations like evacuation plan, record keeping, engagement of security agencies, segregation of security sensitive areas. The panel has also suggested cyber security measures.
