On 30 July 2012, the northern, eastern and northeastern parts of the country witnessed a blackout caused by a tripping of the regional electricity grids. It was the world’s largest blackout, with half of India’s population left without electricity, which resulted in losses of approximately $100 million. It took three days for the power supply to be fully restored and for life to return to normal.
The power companies had a lot to answer for. But if this had been an attack by cyber hackers from Pakistan or China, which brought down India’s public and private infrastructure systems, the damage would have been deep and devastating for India’s economy – and to regional geopolitics. However, such a scenario is not too far-fetched.
Fortunately, the committee set up by the Ministry of Power to examine the July 2012 grid collapse ruled out any possibility of cyber sabotage. However, it noted that cyber attacks on the power grid will have far-reaching and detrimental effects on the country’s energy sector, national security, and economy.
Indeed, the spectre of cyber attack extends to other critical infrastructure too, spanning the private and public sectors. The pipeline networks of GAIL and ONGC, the dams of the Narmada Water Authority, the steel plants of SAIL and Tata Steel, are all susceptible to cyber attack. Their vulnerability is primarily located in the weakness of the Supervisory Control and Data Acquisition (SCADA) system, which is used to manage the operations of all these facilities.
The SCADA systems are computer-based industrial control systems. They monitor and control industrial and infrastructure processes, including power transmission, civil defence, communications, and air-conditioning and space systems. They manage operations at facilities that are functional 24×7; any disruption can impact human life, the economy, and national security.
A majority of the SCADA systems used in India were installed 20-30 years ago, in the pre-internet era. Now known as “legacy” systems, these older systems were stand-alones unconnected to remote users. They were therefore not built to deal with today’s network-based threats or cyber attacks. According to industry insiders, not only the legacy systems, but also the recently-installed SCADA systems in a networked environment, are vulnerable to cyber attacks. This is because devices running SCADA systems have limited computational power to implement security protocols.
The devastation that cyber attacks on SCADA systems can inflict is illustrated by the 2010 Stuxnet virus attack. The virus was allegedly designed by the U.S. and Israel to target the Iranian nuclear programme, which runs on the Siemens-designed SCADA system. Stuxnet exploited the security gaps in the system to slow down operations at the Iranian nuclear reactor in Natanz. It affected the uranium enrichment process, and succeeded in its goal of setting back Iran’s nuclear ambitions.
Unfortunately, before reaching its ultimate target, the virus infected computers in many other countries which also used the Siemens systems. After Iran and Indonesia, the country most affected by Stuxnet was India. The virus exploited the same vulnerabilities in computers in India that it had exploited in Iran. These included SCADA systems at facilities like power plants and oil pipelines. Fortunately, apart from system infections, these locations did not report any other adverse impact.
Stuxnet is a minor manifestation of the damage that cyber attacks can have on SCADA systems. Confidential data from India’s Computer Emergency Response Team reveals that hundreds of attacks on the SCADA systems of India occur annually. So far, these attacks have been small, but anecdotal evidence suggests that their scale and frequency is increasing over the years. Moreover, information on how to breach SCADA systems is freely available on the internet.
Considering the criticality of this threat to India’s economy and cyber security, efforts to counter the threat are tiny. The government and private companies are equally to blame for this lapse. The government does have a National Cyber Security Policy –unveiled on 2 July 2013. It aims to strengthen regulatory, legal, and monitoring mechanisms for cyber security. But it makes no mention of plugging SCADA vulnerabilities or of developing a dedicated critical infrastructure protection policy.
Additionally, the government has also formulated a Crisis Management Plan – a set of measures in the eventuality of cyber attacks on critical infrastructure. But the effectiveness of it implementation has been questioned after the Stuxnet attack.
What does exist and works operationally is the National Critical Information Infrastructure Protection Centre. Set up to secure critical infrastructure, the centre was established under the umbrella of the National Technical Research Organisation (NTRO). The NTRO is a technical intelligence agency about which little is publicly known – except that it is part of India’s intelligence network. This makes it virtually invisible to the public, which undermines its effectiveness.
The government’s ambiguity is coupled with a reluctance among private businesses to disclose the vulnerability of their SCADA systems. The mutual public and private mistrust has restrained a focused effort to ensure SCADA security. Indian business houses are plugging the security gaps in their SCADA systems as and when the gaps emerge, but they hesitate to talk about it for fear of exposing themselves and losing a competitive edge over rivals.
New Delhi complains that the businesses’ focus on plugging the SCADA vulnerabilities is a tactical, short-term business-specific response, which overlooks the possibility of a concerted cyber war against India as a country.
Given the mutual distrust and vulnerability of both public and private players, the solution will involve jointly addressing the problem in the form of a public-private-partnership (PPP). The National Security Council Secretariat’s Joint Working Group on engagement with the private sector on cyber security has identified the dimensions of a robust PPP model. It includes building an institutional framework, expanding and deepening capacity, and creating security standards and strict audits but falls short of specifying measures for SCADA security.
This must be taken forward by creating a regulatory framework; identifying the most vulnerable infrastructure facilities in the public and private sectors; establishing a platform for real-time information-sharing on emerging cyber threats; coordinating with the Centre for Development of Advanced Computing which works on SCADA security; and formulating security standards for SCADA systems in all sectors.
At a time when India’s regional environment is hostile and the country is the target of to increasing cyber attacks, it is important to promote greater PPPs. Without such measures, the next Stuxnet attack could be the one which cripples our businesses and critical national infrastructure for longer than we can imagine.
Sameer Patil is Associate Fellow, National Security, Ethnic Conflict and Terrorism, at Gateway House.
For interview requests with the author, or for permission to republish, please contact firstname.lastname@example.org.
© Copyright 2014 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited