Cyber security and data privacy in smart grid infrastructure

Abstract

Every day we come across headlines stating that our use of technology is full of opportunities and risks. Increased economic growth, modernized industry and simplified everyday life has been driven by the advent of Internet and other information & communication technologies. In case of Russian hackers attacking electricity distribution system in Ukarine, 2015, resulted outage that affected 80000 households for three (03) hours. Subsequent analysis raised serious concern regarding the new evolutionary level of weaponisation achieved in critical infrastructure hacking. The attackers could directly control equipment at remote sub-stations and could cause massive power outages and simultaneous denial of service attacks on the telecom infrastructure. In context of electric grid cyber threats give rise to possible business risks due to vulnerabilities in the installations of smart devices at various levels of electric power supplychain, and their integration with the communication networks with possible spanning of ownership across multiple organisations. If such an infrastructure is affected by a cyberattack, the complexity of interdependence among the various subsystems operating in the smart grid may greatly impact services across multiple sectors. Smart Grid is envisaged as an integrated system of intelligent electrical components with control and monitoring devices embedded in the architecture. This significantly reduces the reliability of the power system, which has adverse economic impacts on the national economy. In context of electric grid, a cyber-attack would not just involve communication network but also impact physical equipment of sub-station. This kind of security attack involves both physical and cyber systems and is referred to as cyber-attack on cyber-physical system (CPS) Smart Grid technologies are modeled as, self-sufficient systems that have the adaptive ability to issues related to the power grid in a dynamic environment with efficiency, security, economic quality energy. A smart grid system for monitoring, control and analysis within the supply chain is modeled on digital automation technology. It can be described as a smart electrical network that combines digital communication technology and electrical network. The main components of smart grid are smart meter, control center, intelligent appliances, smart substation and integrated communication system. Another implication of these advanced metering infrastructure is two categories of Big data generated i.e. Electric grid data and Consumer data, flowing via backbone communication network of electric grid. In case of attack on these interconnected cyber physical systems, there may be two types of resultant security risks viz national security and personal data privacy. If critical infrastructure such as electric grid is attacked by hackers in particular the nation state attackers, it will have huge implications on economic, strategic and social fabric of a nation. Motivation of these hackers could be commercial rivalary, trade wars or weaponisation to achieve damage to social system fabric. In case of personal data breach, driver could be accessibility to consumer data for market insights which may include critical data such as passwords, bank account details etc. In recent years, experts have demanded that cyber security and data privacy should be considered as public goods, due to their merit to the society. Therefore, government agencies, responsible for framing and adopting policy in terms of cyber security guidelines and International standards, should have comprehensive, adaptive and forward-looking approach. Public and private utilities at state and central level should adopt cyber security and data privacy as strategic goal, governed by C-suite level. In this context, behavioral issue holds more significance than mere allocation of resources and formulation of policy itself. Adherence to standards and effective risk management systems could significantly reduce the risk of cyber-attack. Additionally, personal data, which is collected by networks of these smart devices called the Internet of Things (IOT), may be analyzed to provide better services to consumers. At the same, of the evolving data protection laws may require organisations to review new legal and business risks. As it would be tricky to follow the principles of purpose, consent, collection and restricted usage of data, encoded in exiting privacy laws (eg: GDPR, General Data Protection Regulation in Europe and upcoming Data Privacy Act in India. Therefore, we need to scrutinize the applicability and inclusion of data privacy laws in these cyber physical smart infrastructures. This policy memo presents the two implications of Cyber security and Data privacy from massively integrated intelligent electric grid, and their associated risks. We shall discuss the existing policy guidelines and practices, and privacy law in context of organizational effectiveness in implementation and operation.