Haryana Power Corp's Billing System Hit by Hacker
CTO Confirms Attack, Says Other Services Not Breached
The power sector continues to be a focus for online attackers. The latest victim: the electricity generation company of the government of Haryana in India, called Haryana Power Corporation. Its billing system has been hit by a hacker and encrypted, with the attacker appearing to have demanded Rs 1 crore (US$154,000) to unlock the billing system.
Sandeep Kapoor, chief technology officer at Haryana Power Corporation, has confirmed the attack to Information Security Media Group.
"The power house, Uttar Haryana Bijli Vitran Nigam, is a small power distribution center and the attack has occurred on its IT billing system. There has not been any impact on our services as this system caters to only 4,000 consumers and we have immediately fixed the services and restored them," Kapoor said.
"The attackers have tried to attack an old, standalone system that had been on the verge of being phased out," Kapoor said. "Another billing system that serves 60 lakh (100,000) consumers has not been impacted and this will be moved to a cloud-based system in a month or two."
In response to a query about whether the attackers demanded a ransom in exchange for a decryption key to unlock the billing system, Kapoor told ISMG: "It may be their job to demand a ransom, we have not paid any."
The CTO declined to share further details, but has promised to describe the attackers' modus operandi as well as his organization's improved security controls after the incident has been fully addressed.
Wake-Up Call for India's Power Sector?
Some security practitioners believe that this episode represents a wake-up call to the power sector, which the government categorizes as being part of the nation's critical infrastructure.
Reports of the cyberattack on the Ukrainian power grid over a year ago confirmed warnings from the information security community that critical infrastructure worldwide remains vulnerable to hackers (see: Ukraine Power Supplier Hit by WannaCry Lookalike).
The specter of critical infrastructure attacks is rising, and CISOs protecting targeted organizations are under increased pressure to identify emerging risks and prepare an appropriate response.
Driven by this, one year ago, India's minister for power, Piyush Goyal, in a statement to the Rajya Sabha, the upper house of the Parliament of India, said that the Ministry of Electronics and Information Technology (MeitY) and National Critical Information Infrastructure Protection Center have taken several steps to make power utilities and key stakeholders aware of the need to properly prepare to defend themselves against online attacks.
Goyal added that for cybersecurity in power systems, four sectoral CERTs - covering transmission, thermal, hydro and distribution - are being formed to coordinate with power utilities. Relevant smart grid stakeholders have also been advised to identify critical infrastructure and use end-to-end encryption for data security, though this is not mandatory.
Surprisingly, some say, not much is being heard from India's ISAC-Power, the information sharing and analysis center covering the entire sector.
Sanjay Sahay, additional director general of police for Karnataka cyber police, says, "It's not an overstatement to say that we are not in a state of responding to the increasing sophistication of cyber threats of the 21st century and innovative mechanisms of attackers. It's essential to go beyond ISO standards and benchmarks to tackle growing threats in critical infrastructure."
Some organizations appear to be doing more than others. "We are moving to cloud platforms to protect our systems against cyber threats," Haryana Power's Kapoor said.
Late last year, to better address online threats and breaches, Haryana state launched its own cybersecurity policy that spells out the actions the state intends to undertake to bolster cybersecurity in the region. It has also specified security guidelines that critical sectors have an option to follow (see: Haryana State Launches Its Own Cybersecurity Policy).