<p>Earlier this year, Indian Air Force (IAF) planes carrying relief material to the earthquake-affected people in Myanmar faced a severe GPS spoofing attack. This distracted the pilots, who were forced to switch to backup systems. In 2022, a ransomware attack hit the servers of the All India Institute of Medical Sciences (AIIMS) in Delhi.</p>
<p>India’s national critical information infrastructure (NCII) can be susceptible to threats from malicious nation-state attackers. These rogue attackers use advanced persistent threats (APTs) to attack the target NCII. The APTs skilfully tend to breach the availability, integrity and confidentiality of an NCII operational technology (OT) system. These attacks can stop operations, damage critical assets, and put citizens’ safety at risk, leading to widespread productivity loss across national infrastructure.</p>
<p>Power plants in India use industrial control systems such as programmable logic controllers, remote terminal units, or distributed control systems to receive input about the temperature of a boiler from field sensors. If the temperature in the boiler is too high, the control system remotely instructs an actuator to open the valve of the boiler so that more oxygen can flow in and reduce the temperature. Above these controllers, the supervisory control and data acquisition (SCADA) system monitors multiple processes of a power plant.</p>
<p>Often, these OT systems share data points for decision-making with the corporate information technology systems of the organisation. If a smart attack vector can bypass the firewall, the OT systems can become easy targets for cyberattacks, because these systems were built decades ago and have many vulnerabilities. Some of the organisations have modernised their OT systems by adopting cloud-based monitoring, mobile apps, and wireless networks. This further increases the attack surface.</p>
<p>There is an urgent need for the NCII organisations to carry out a cyber-risk assessment of the OT systems by computing the likelihood of an attack and its impact. The likelihood of a cyber-attack on an OT system of a power plant remains high. Similarly, the impact of a cyber-attack on the OT systems of the energy sector can be very severe. This includes the stalling of a nation’s essential services such as energy supply, economic activity, transport, and even the healthcare sector, causing immense hardship to the citizens of the country.</p>
<p>Typically, a power plant would lie in the high-likelihood and high-impact quadrant of a heat matrix. Thus, the board of directors of a power plant will be required to prioritise an OT cyber-risk mitigation strategy. The proposed mitigation strategy for a Chief Information Security Officer (CISO) needs to include compliance with the Electricity Grid Code, the amendments to the IT Act 2008, and regular advisories from the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC).</p>
<p><strong>Guidelines and safeguards</strong></p>
<p>These advisories provide guidance and best practices to safeguard the OT systems of the NCII sector, such as patching the vulnerabilities in the OT systems. The CISO also needs to comply with the global OT security frameworks such as NIST SP 800-82 and ISA/IEC 62443. Section 5 of NIST SP 800-82 Rev. 2 recommends segmenting the control system OT network from enterprise corporate networks to limit exposure. Section 6 of NIST SP 800-82 Rev. 2 recommends using intrusion detection systems (IDS) to monitor traffic anomalies and encrypting and authenticating the protocols used on communication channels.</p>
<p>Similarly, ISA/IEC 62443 suggests implementing role-based access controls to enforce a zero-trust security architecture. The CISO also needs to carry out regular audits, vulnerability assessment and penetration testing (VAPT), and employee training programmes. This will ensure greater resilience and early detection of threats, and thus reduce the likelihood of cyberattacks on OT systems.</p>
<p>Finally, the residual OT risk can be transferred to a cyber-risk insurer, who would indemnify the losses due to downtime, equipment damage, and legal issues. Using this risk-based approach, the top management will be aware of the monetary and productivity impact of a cyberattack on an OT system. Compliance with standard guidelines and deployment of the right tools will reduce both the likelihood and the impact of an attack. Transferring the residual risk to a cyber-risk insurer will ensure that the operations run safely 24x7 and remain secure from malicious nation-state attackers.</p>
<p><em>(Arunabha is a professor and Priyanka is a PhD student at IIM Lucknow)</em></p>
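<p>To make the two NIST SP 800-82 recommendations discussed above concrete (segmenting the control network from the enterprise network, and using an IDS to flag traffic anomalies), here is an added example, not part of the article and not any plant's real tooling, of a small detection routine run over constructed control-network log lines. The zone address ranges, the baseline list of hosts allowed to issue control commands, the log line format, and the Modbus/TCP function-code split between reads and writes are all assumptions made for the illustration.</p>

```python
"""
Added example (not from the article): an IDS-style check for an OT network.

Two rules are applied to each control-protocol log line:
  1. Segmentation: an enterprise-zone host talking directly to the OT zone
     is a violation of the segmented design NIST SP 800-82 recommends.
  2. Anomaly detection: a write command from a host outside the learned
     baseline of commanders, or a function code never seen in the baseline,
     is flagged for the SOC to investigate.
All addresses, log lines and the log format are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed zones: in a segmented design only a DMZ relay crosses between them.
ENTERPRISE_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")

# Constructed baseline: the engineering workstation and SCADA server are the
# only hosts expected to write to controllers.
BASELINE_COMMANDERS = {"192.168.100.10", "192.168.100.11"}

# Modbus/TCP function codes seen in the (constructed) baseline.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}   # write coil(s) / register(s)
READ_FUNCTION_CODES = {1, 2, 3, 4}      # read coils / inputs / registers

# Constructed log format: "<ts> <src> -> <dst> proto=<name> fc=<n> unit=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) fc=(?P<fc>\d+) unit=(?P<unit>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    fc: int
    unit: int


def parse_line(line: str) -> Event:
    """Parse one constructed log line; raise on anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(m["ts"], m["src"], m["dst"], m["proto"], int(m["fc"]), int(m["unit"]))


def analyse(lines: Iterable[str]) -> List[Tuple[str, Event]]:
    """Return (alert_kind, event) pairs for every rule an event triggers."""
    alerts: List[Tuple[str, Event]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        src = ipaddress.ip_address(ev.src)
        dst = ipaddress.ip_address(ev.dst)
        # Rule 1: enterprise host reaching into the control network directly.
        if src in ENTERPRISE_ZONE and dst in OT_ZONE:
            alerts.append(("SEGMENTATION_VIOLATION", ev))
        # Rule 2: process-changing command from a host not in the baseline.
        if ev.fc in WRITE_FUNCTION_CODES and ev.src not in BASELINE_COMMANDERS:
            alerts.append(("UNEXPECTED_WRITE", ev))
        # Rule 3: a function code the baseline never contained.
        elif ev.fc not in WRITE_FUNCTION_CODES | READ_FUNCTION_CODES:
            alerts.append(("OUT_OF_BASELINE_FUNCTION", ev))
    return alerts


# Constructed sample traffic: one normal read, one normal write, then four
# lines a defender would want to see flagged.
SAMPLE_LOG = """
2025-04-01T10:00:00Z 192.168.100.10 -> 192.168.100.50 proto=modbus fc=3 unit=1
2025-04-01T10:00:01Z 192.168.100.10 -> 192.168.100.50 proto=modbus fc=6 unit=1
2025-04-01T10:00:02Z 10.10.5.23 -> 192.168.100.50 proto=modbus fc=3 unit=1
2025-04-01T10:00:03Z 192.168.100.77 -> 192.168.100.50 proto=modbus fc=16 unit=1
2025-04-01T10:00:04Z 10.10.5.23 -> 192.168.100.50 proto=modbus fc=5 unit=1
2025-04-01T10:00:05Z 192.168.100.11 -> 192.168.100.50 proto=modbus fc=43 unit=1
"""


def alert_summary(lines: Optional[Iterable[str]] = None) -> List[Tuple[str, str, str, int]]:
    """Compact (kind, src, dst, fc) view of the alerts, for reporting or tests."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    return [(kind, ev.src, ev.dst, ev.fc) for kind, ev in analyse(lines)]


if __name__ == "__main__":
    for kind, ev in analyse(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {kind}: {ev.src} -> {ev.dst} fc={ev.fc} unit={ev.unit}")
```

<p>The baseline sets are the important design choice: in a real deployment they would be learned from a period of known-good traffic and reviewed by the OT engineers, so that the IDS alerts on deviations from how the plant actually runs rather than on a generic signature list.</p>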