India’s ambitious project to install 250 million smart metres across the country and connect them to household solar power grids is currently underway. This project is moving the needle towards improving the profitability of power distribution companies. However, since these are interconnected IoT devices, they introduce new attack vectors increasing cyber risk.
Using smart metres and other similar technologies in India’s legacy power infrastructure introduces new kinds of risks. Low barriers to entry, aggressive attack methods, and a shortage of cybersecurity professionals, alongside patchwork governance mechanisms, make it more difficult to implement preventive cybersecurity measures.
Over the last few years, India has witnessed several attacks on the power grid. In August 2020, an unauthorised remote disconnect signal caused a power outage for nearly 158,000 smart metres users in Uttar Pradesh. Since February 2021, there have been multiple reports of cyber intrusion campaigns on Indian power infrastructure. These attacks are a stark reminder that security cannot take a backseat, especially in critical infrastructure sectors like power.
Potential cyber risk to India’s smart metre networks
At its core, advanced metering infrastructure (AMI) is a system of smart metres, data management systems, and communication networks that allow the storage and processing of energy usage data. The two-way communication between distribution companies and energy metres at the consumer or feeder levels opens up the cyberattack surface exponentially.
Smart metering networks consist of ICT-based devices distributed throughout the electricity supply chain that collect, transmit, store, and analyse data in real-time. However, like any ICT system, smart metres are vulnerable to insecure users, placing the physical power supply network at risk.
These vulnerabilities can expose sensitive information, such as electricity consumption data, to malicious actors. These threat actors can alter data during transmission or at the transmitting and receiving terminals, resulting in false billing records or misleading operators through data spoofing. Additionally, hardware within the network can cause communication breakdowns, leading to delays and interruptions in real-time services. The lack of comprehensive asset visibility also results in incomplete monitoring and inspection practices, compromising incident response preparedness.
The threat from nation-state actors endangers the entire power grid, along with interconnected external systems such as healthcare and transportation. Depending on the AMI architecture, cybercriminals can move laterally through the network, gaining access to the entire system by compromising endpoints, users, and identities. For example, access to upstream communication channels can provide access to other metres and connected systems, potentially compromising system operators. Once threat actors infiltrate the grid, they can send false pricing and operational signals to metres, dramatically increasing or decreasing the load and compromising grid security.
Securing India’s ambitious smart metre infrastructure
Power grid monitoring requires energy management, cybersecurity, and the construction of energy-optimised systems. OT security is the guardian of systems responsible for energy transmission, optimization, and supply reliability, whether it’s wind, solar, coal, or electrical supply. OT security solutions contribute towards the identification of assets in the OT environment, including IT assets. In addition, security solutions should include the assessment of vulnerabilities and threats and the monitoring of network traffic.
Balancing modernization with operational security requires proper planning, collaboration, and a commitment to staying ahead of evolving threats. Securing smart metre infrastructure in India requires a multi-pronged approach. This includes:
Asset inventory and tracking: AMI service providers, who are responsible for the security of smart metres in India, must automate the identification, monitoring, and inventory of cyber-physical assets through active querying, to know what’s on the entire network.
Exposure management: Distribution companies and AMI service providers need to have a strong incident response plan in case of a cyberattack. However, such reactive measures only go so far in minimising risk. Discoms and AIM service providers must adopt a preventive approach to security. This includes gaining full visibility into the depth and breadth of the attack surface, making it easier to predict, prioritise, and remediate cyber risks. This ensures that the most critical risks are mitigated before they can be exploited.
Real-time threat detection: Preventive security measures establish continuous visibility into the power grid and all connected systems, detecting and responding to threats in real-time to prevent disruptions and breaches. It aids in detecting anomalous activities and stopping lateral movement before the entire network is compromised.
Proactive incident response: While it is important to have multiple layers of security to minimise the risk of breaches, proactive incident response is critical to the security of cyber-physical systems. This involves being able to quickly and effectively contain and remediate security incidents, minimising damage, and ensuring operational continuity.
Legacy system integration: AMI service providers and distribution companies must securely integrate legacy OT systems with modern cybersecurity solutions, leveraging the best of both worlds without compromising functionality.
When IT and OT cyber-physical systems come together, they can make operations smoother and safer — but such convergence isn’t without problems. AIM service providers and distribution companies in India must place importance on gaining visibility into outdated or legacy systems to ensure security without interrupting the energy supply. This requires a custom approach to OT security, purposely designed to safely engage with OT systems so they maintain their productivity.
Ensuring the resilience of the power supply is another potential issue, especially in the face of extreme weather events, cyber threats, and equipment failures. The consequences of an attack could be dire, jeopardising not just operations but national security itself, making it an important focus for India.
