On July 30th, 2012, the northern region of India had its worst blackout in history, and then again the next day. By number of customers affected, it dwarfed the 2003 Northeast Blackout by ~570 million people. In response, the Indian government created a four-person committee to investigate and report on the causes of the blackout, and make recommendations to prevent a similar event in the future. The report came out on August 16th, and I’ve finally had a chance to look at it in depth. It has about 81 pages of explanation, analysis, and recommendations, and includes a separate section on cyber security.
My basic impression of the Cyber Security section is this: The Report reflects a lack of understanding from the electric power community in India regarding the risks associated with Cyber Security for Electric Power. This report’s mission was to understand the cause of the 2012 Blackout, but the cyber security section walks completely past the investigation part, and doesn’t back up the committee’s opinion that the “Grid Disturbance could not have been caused by a cyber attack.”
The committee toured three facilities: the Northern Regional Load Despatch[sic] Centre (NRLDC, similar to a Control Center in North America), a 400 kV substation and a 2500 MW coal-fired facility. The substation visit showed that all ‘switching’ (electric power, not Ethernet) was independent of networking; only local control was available. The coal-fired visit noted that each unit had independent controls, and is “in no way connected with the outside network”. There was an acknowledgment that cyber attacks could affect the Indian power grid, but the common sense ends there.
For both the generation station and substation, the report states that systems are disconnected from outside networks, either by being completely manual, or by being “no way connected to the outside network”. Coming from experience, those samples are not representative of all generators and substations. Some generators have remote monitoring from their control system vendor, and some substations have communication links that fall outside of normal SCADA channels (mainly, maintenance). And honestly, it takes more than a day trip to make an objective determination of what measures are being taken by stakeholders.
Also absent from this section is any statement concerning the NRLDC communicating with outside networks, which raises the question “What networks does the NRLDC connect to?” Well, according to an article in the February 2010 edition of Electrical India [PDF], the typical configuration of a Regional Load Despatch Center (RLDC) involves communication to every State Load Despatch Center (SLDC) using ICCP links. So yes, the NRLDC is connected to outside networks, namely networks at each SLDC, and does so through IP over X.25 PPP channels.
Second, the final recommendation for cyber security, selected from 9 others, recommends the development of a dedicated telecom network for all power systems to “avoid any cyber attack on the power system”. The practice of cyber ‘avoidance’ is unheard of; those who plan to avoid cyber attacks tend to get surprised. While the recommendation to build the network is admirable and will pay other dividends, ‘avoidance’ cannot be a guiding principle. Any of the other 8 recommendations (with the exception of 8.4.1, see below) are bare minimum security practice. Why was that one used?
Finally, the committee made a non-suggestion-suggestion in Section 8.4.1 that “it emerged that Power Sector stack [sic] holders have taken adequate steps to prevent cyber attacks on their systems”. This is a very bold statement for two weeks of work, and is not based upon any referenced evaluation criteria relating to cyber security.
In all fairness, two weeks is little time to perform analysis and investigation into this blackout. The report may have succeeded in investigating the power-related aspects of the blackout, but it also revealed that cyber security for electric power in India is not well understood. The investigation of the August 2003 Northeast blackout took 9 months to pull together all the evidence and analysis, including cyber security recommendations. We still struggle with those recommendations 8 years later. ‘Avoidance’ is the one key phrase from the report, predicting little investment in cyber security in India.
Image by Ajay Tallam