Entire Power Grid Of India Is Under Threat – CEA Warns Of Massive Cyber Attacks!

Central Electricity Authority (CEA), is a statutory organisation constituted under section 3(1) of Electricity Supply Act 1948, superseded by section 70(1) of the Electricity Act 2003, which advises Govt. over electric systems.

In their report on cyber attacks over power grids and electricity networks, CEA has warned that “urgent” measures need to be adopted immediately, in order to protect electricity networks across India.

The findings of the report imply that if hackers are able to inject lethal viruses such as ransomware, then entire power grid of India can be paralysed.

Why did CEA prepare this report? And what can actually happen if these “urgent” measures are not taken? We will soon find out.

Ransomware Attack Can Stop Electricity In India!

On December 23rd, hackers were able to penetrate power grids of Ukraine and paralysed the electricity distribution system of the country, which affected more than 2.5 lakh citizens for hours.

This was the first known instance of such cyber attack, targeting power grids, and stopping distribution of electricity.

In May 2017, a ransomware name WannaCry paralysed 2 lakh computers across 150 countries, and such was the intensity of the incident, that Computer Emergency Response Team of India (CERT-In) had to issue a ‘red alert warning’, something which is only issued under extreme conditions.

It was during this time that dots were connected, and a high-level committee under Ministry of Power asked CEA to prepare a report on cybersecurity threat to Indian power grids, and what damage can be done if hackers are able to access the ‘smart grids’ of India.

The report has actually predicted doomsday scenario – A situation wherein entire electricity distribution network is paralysed, if adequate measures are not taken, on an “urgent” basis.

CEA Report: Doomsday Scenario For Power Grid Of India!

As per reports by Indian Express, CEA had submitted their report on “Cybersecurity Issues In The Power Sector”, among other threats in the month of July last year, and things are not rosy.

The report stated,

“Cyber and physical security threats pose a significant and growing challenge to electric utilities. Unlike traditional threats to electric grid reliability, such as extreme weather, cyber threats are less predictable and therefore more difficult to anticipate and address. This calls for an urgent need to develop a cybersecurity framework and regulatory response to address the specific security needs of the power sector in India,”

Note the emphasis on “urgent” here, which we have highlighted all along the post.

The report also mentions the fact that increased inter-connected digital devices and usage of ‘smart grids’ for electricity distribution is triggering more vulnerabilities, and a single cyber attack with a lethal virus such as ransomware can prove disastrous.

The report stated,

“Widespread connection of smart control mechanism for power equipment, smart appliances and other energy control devices will increase digital complexity and shall invite more attack points, and therefore require more intensive cybersecurity protection…”

A smart grid is a power network wherein a 2-way digital communication is used to supply electricity to the end users.

As per their presentation to the Ministry of Power, two subcommittees under the Bureau of Indian Standards (BIS) are right now creating draft standards to enhance cybersecurity.

The report also said,

“One group is working on the manual on cybersecurity of power systems so auditing of organisations (power utilities) based on the standard can be achieved. The second group aims to bring in draft IEC 62443, which are specifications as part of the standard wherein the compliance requirements for products of Industrial Control Systems is being dealt with,”

Indian Express attempted to contact State-run PSUs Power Grid Corporation of India Limited (PGCIL), NTPC Ltd, which is India’s largest power generator, the Power Ministry and the Bureau of Indian Standards regarding this CEA report, and at the time of writing, no update was received.

We will keep you updated, as we receive more information.