Media article

Cyber-securing ‘powerful’ India using a distract-learn-secure strategy

Considering the cyber-attacks on the Indian power sector over the past few years, it is evident that the function of cybersecurity has gained focus amongst power sector organisations across the value chain. While one cannot deny the readiness of the power sector ecosystem and the nation in terms of dealing with such cyber-attacks, one also cannot ignore the fact that these were only initial attacks, and that our systems are far more complex for a newbie-to-the-Indian-context cyber-criminal to breach. Moreover, taking cognisance of the ever-escalating creativity in the manner in which these attacks are conducted, it is imperative that we consider improving our ‘established’, ‘strong’ defences.

Apart from the damaging effects that a cyber-attack would have on the public life and economic activities of the nation, it is pertinent to note that the Government of India enshrined the essence of electricity in all dimensions of the life of the people of the nation by recognising it as a ‘basic human need’ in its National Electricity Policy, 2005. With this as the basis of our analysis, it could be deduced that a cyber-attack on the critical infrastructure deployed for the generation and supply of electricity should be construed as an attack on the rights and privileges conferred by the Constitution of India on the citizens of India for ensuring their individual and overall national development. Further, such an attack could also be interpreted as a violation of the right to an adequate standard of living under the International Covenant on Economic, Social and Cultural Rights treaty of the United Nations, which was ratified by the Republic of India on Apr 10, 1979. What makes this analysis even more interesting is that various sources confirm that around 85% of consumers, across categories, are connected to the electricity grid today. So, a cyber-attack on the power sector could be construed as a violation of the rights and privileges of the entire people of a nation.

So, cyber-securing power sector organisations across the value chain is vital not only from the perspective of ensuring the continued, peaceful conduct of public life and the persistent progress of economic activities within the nation, but also, fundamentally, from the standpoint of safeguarding the rights and interests of the people of India. Moreover, since it is well-established knowledge within the academia-government-industry ecosystem that cyber-attacks on National Critical Infrastructure are becoming relentlessly more complex and crippling, the matter attains a prominent degree of urgency. The only window available to our power sector companies to better their cyber-defences is from now until the point in time where cyber-criminals have obtained a sufficient understanding of our Information Technology (IT), Operational Technology (OT) and Internet of Things (IoT) systems.

Hence, it's important to work rigorously towards making the digital systems of our power sector organisations vulnerability-free. An approach leveraging the learning process, in the form of the ‘Distract-Learn-Secure Strategy’ (DLSS), is recommended for exploration. The Distract-Learn-Secure Strategy is envisaged to comprise two components: first, an element of distraction within the existing digital ecosystem of our power sector organisations for slowing the cyber-criminals in their process, and second, an additional line of defence for enabling our learning of the behaviours and traits of the cyber-criminals assailing our power sector’s digital systems. As an outcome of its implementation, the DLSS is intended to create two additional lines of cyber-defence over and above our existing installations of cybersecurity.

The digital systems of our power sector organisations are inherently characterised by enormous intricacies on account of the roadmap of their development over time. The 'Distract' element of the DLSS aims to utilise this intrinsic feature of the digital systems of our power sector companies and enhance it with prudent installations of honeypots for misrepresenting the digital ecosystem to the cyber-criminals. This approach is expected to lead to a larger number of failed attacks, which, in turn, is contemplated to yield two advantages: first, it will provide us with additional opportunities to learn about the behaviour of the cyber-criminals through their failed cyber-attacks on our systems, and second, it will prolong the time-to-a-successful-attack, allowing us to further strengthen our cyber-defences.

In comparison to the ‘Distract’ element, the 'Learn' element of the DLSS is anticipated to be a vigorously active pursuit. It will entail setting up a dedicated Cybersecurity Governance Office, under the IT function of a power sector organisation, that will ensure the patient, systematic and meticulous institution and execution of Standard Operating Procedures (SOPs) pertaining to the learning actions, for building the additional line of ‘Learned Defence’. In addition, this operation is also prognosticated to result in the creation of a comprehensive, robust knowledge base, not only for planning upgrades to the existing lines of defence within an organisation but also for providing a possibility of building a sector-wide, national-level ‘collective defence’ through collaboration between power sector organisations and government.

So, in a nutshell, the DLSS is all about efficaciously employing the science and art of learning to launch our very own enterprise of reconnaissance, which was otherwise engaged in only by cyber-criminals. Prima facie, commissioning of the DLSS may seem extraordinarily tedious, and even unnecessarily costly and futile. However, considering the safeguard it shall offer to the operations of our power sector ecosystem, and its concomitant impact on the public life and economic activities of the nation, the effort and expenditure only seem justifiable.