Satya Gupta

Head(IT) & CISO

Tata Power Delhi Distribution Ltd

Communications and Cyber Security

10th March2017

Tata Power-DDL BUSINESS OVERVIEW

Licensed for distribution of power in North and North West Delhi

Certifications : ISO 9001, 14001, 27001, 22301, 31000, SA 8000 & OHSAS 18001

Joint Venture of Tata Power Company and Govt. of NCT of Delhi (51: 49)

ParameterValues(Jul'02)

Values(Mar'16)

AT&C Loss 53.10% 8.88%

Annual Energy Requirement

970 MW 1791 MW

Total Registered Customers 7 Lakhs 15.3 Lakhs

Number of Employees 5600 3525

Area 510 SQ KMS

Turnover INR 6174 Crs

3

Current scenarioWhat TPDDL had inherited

Multi-pronged approach adopted by Management to turnaround a traditional Government setup into a role model for private sector efficiency in only 10 years

AT&C losses: > 50%

No concept of consumer service and IT interface

Lack of performance orientation

Electricity supply system on the verge of collapse

AT&C losses: 8.88 %

One stop solution: State-of-the-artIntegrated Call Centers & ConsumerCare Centers

Performance orientationthrough Change Management & Balanced Scorecard Approach

Remarkable improvementin System Reliability: DT losses

Vision 2022

Industrys Shift Towards Smart Grid

Power Sectors move towards Smart Grid Practices has resulted in steep rise in adoption of various advance IT & OT technologies.

Communication technology plays a key role in the implementation of various Smart Grid Technologies.

Robust Cyber Security practices are required to ensure all systems & services are up and running(24X7).

Communication a Key Enabler of Smart-Grid

Smart Grid requires a robust and a two-way communication system.

Applications like AMI, ADR, ADMS etc.. requires information to communicated on a real time basis.

Communication system acts as the cornerstone for successful implementation of various Smart Grid applications.

Any failure in ensuring an effective communication system will have severe impact on reliability and services.

TPDDL Communication System: Objectives

TPDDL established its Communication Network (in FY 2004-2005) across its area of operation ; to

support

Operational applications like SCADA/ Tele-protection / GIS /OMS/

Commercial and Billing applications

Enterprise applications SAP CRM/ SAP BCM/SAP ERP , e-mail etc.

TPDDL has upgraded its Communication Network to TP-MPLS (in FY 2014-2015) ; to

support

forthcoming Smart grid applications such as AMI, EV charging stations, MWM, ADR and Integrated security solution etc.

TP-DDL Communication Landscape

The Communications landscape consists of laying its own OFC

network covering all main offices, data-centers, stores, district

offices and Zonal Offices.

Redundant Communication Network

RG-3 SUB Ring 1STM 42

2

2 2

2

2

RG-5

PUSA ROAD

RANIBAGH GRID

Saraswati garden

NARAYANA PH-I

CORE RINGSTM 16

FIBER RING - TPDDL

RANIBAGH CCC

NEW ROHTAK ROAD

2

2

WZP-II

INDER VIHAR

AZAD PUR

WAZIRABAD

CIVIL LINES

SARASWATI GARDEN

PANDU NAGAR

VSNL

S PARK

KESHAV PURAM DO

ROHTAK ROAD

RAM PURA

TRI NAGAR

ASHOK VIHAR H BLOCK CCC

GULABI BAGH SHEHJADA BAGH

SHAKTI NAGAR DO

GTK Grid

SHALIMAR BAGH

PITAM PURA DO

PP III

PP II

MGP-II

INDER PURIHUDSON LINES

WZP-I

ASHOK VIHAR GRID

MGP-1

2

RG-IVRG-22

RG-23

BAWANA GRID-6

POOTH KHURD GRID

BAWANA WATER WORKS and Bawana DO

DSIDC A7, NARELA

DSIDC1 NARELA

RG-1

PP-1

HDRPUR

SGTN

JAHANGIR PURI

AIR KHAMPUR

BADLI

RG-6

RG-II

Fiber Sub RingFiber Main Ring

Grids2 Enterprise DATA 2 Enterprise and Grid

VSNL VSNL Gateway for internet

RAMA ROAD

2

2

2

2

2

2NARELA DO

DSIDC2 NARELA

SUB Ring 3STM 4

SUB Ring 2STM 4

SUB Ring 4 STM 4

SUB Ring 5STM 4

OFFICES

TRANSCO Grid

Stations

Sub Transmission

Grid Stations

Distribution

Stations

CUSTOMERS

SCADA/ DMS/DA

SAP-ISU

(CRM/BILLING)

SAP

(PM/PS/MM/HR/FICO)

GIS

Call Centre

OMS

AMR/PG/SPT BILL

WEBDATA

CENTER

ONE

DATA

CENTER

TWO

COMMUNICATION NETWORK

ISO 9001, ISO 27001 & BCMS (ISO 22301:2012) certified

Adoption of Technology

Integrated Communications Architecture

Home

Network

Meters &

Premise

Gateways

Access

Communication

AMI Mgmt

System

Home /CustomerNetwork

Local

Field CommsNeighborhood

AggregationT&D

Management

System

Monitoring,

DA

Utility Wide

Comm.Web

Access

Back Haul

Communication

Back-Office

& Operational

SystemsExternal

Data Access

3rd Parties

Customers

Field Crew

Distribution Equipment

200kW Phosphoric Acid Fuel Cell

The power plant in

Santa Clara is rated

at 1.8 MW AC net

It contains more

than 4,000 cells

$2000-3000/kW

DG

T&D Equipment

Control & Monitoring Centers

Monitoring

SA, DA

Field

Workforce

Automation

PEV

Monitoring

AMI

WiFi, WiMax, PLC, RF Mesh,

GSM, CDMA

Zigbee, Bluetooth,

HomePlugMicrowave,

SDH,MPLS,MPLS-TP, CE

Internet, HTTPS,

VPNEthernet LAN

Mail service on mobile and web(External/Internal)

Website Consumers accessing connection, reading, bill, payment details,etc.

On line bill payment

SMS services for consumers

E-procurement

Smart Grid Applications require to communicate with various field based devices

IT & OT Integration for enhancing consumer experience

FFA for improving field based operations

Cyber Security-Vital for Survival

Cyber Security Challenges

Highly exposed and distributed environment

Technology Obsolescence

Separate IT & OT Verticals with limited coordination

Less awareness about cyber security practices among OT team members

Cyber Security not considered during fundamental design phase

Fast and constantly evolving nature of security risks

Ever evolving standards, technologies, services, applications

Increasing complexity of systemsMobile & Wireless EverywhereHeterogeneous SystemsMultiple Interfaces

Cyber Security for Smart Grid

Change in traditional scenario

Grid automation systems use public networks due to lower costs

Increases the vulnerability of grids to cyber attacks

Field components like RTU are attacked through remote access

Using communication protocols available in public domain, an intruder can reverse engineer the data acquisition protocols & exploit them

Network topology vulnerability is exploited e.g. DOS attack

Classification of Attacks

ComponentWise

ProtocolWise

TopologyWise

Strategies to detect & Mitigate

Network Segmentation

Effective network segmentation restricts communication between networks and reduces the extent to which an

adversary can move across the network

Strict Role-Based Access Control

Grants or denies access to resources based on job function

Active Directory (AD) implements role-based user access control through group policies.

Application Whitelisting

Permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else

Eliminates the execution of unknown executable, including malware

Multiple Layers of Security

Firewall based security

Intrusion Detection System

Threat Management Gateway(Proxy Server)

Demilitarized zone for all public portals

Single sign-on

Secure tunnel via two factor authentication for Remote Access

Vulnerability assessment & Penetration Testing

Operationalizing Information Security

Regular Review meeting of Information Security Council (ISC) for identifying new risks, mitigating them

and discussing Incidents

Involvement of Top Management

Cyber Security Awareness through TIPS, Quiz, sessions etc.

Involvement of all major departments like OT, HR, Finance, Administration, Safety, Legal, etc. in Council

Annual Plan for review and implementation -

- Review and update processes

- Focus on creating awareness on IT Security

- DR Drill at regular intervals

- Pro-active approach before implementing any new solution

System driven implementation of various policies Password & patch management, anti-virus, etc

Cyber Security Control Room

EMS, NMS and SIEM generates huge logs.

Cyber Security Control Room required for real time monitoring and analysis to decide and quickly take preventive and corrective actions in case of any event / incident and activating Emergency Response Team, if required

MUX

SAP/R3 Application servers

Database Servers

Websense

Ironport

Mailbox

Exchange server

ISP router (CENNET)

ISP

Local LAN for CENNET

Crystal Reports

CHECKPOINT(4800 series)

DMZ

6509 Switch

4507 Switch

Enterprise Router

SCADA Router

OMS Switch

OMS ServersSCADA Servers

SCADA Switch

IT Network OT Network

DC1 Segregation of IT & OT

ISA

IT OT Technology Segregation at DCs

19

Risk Mitigation

Penetration Testing followed by Grey Box testing, through CERT approved agency forall portals on public domain e.g. Website, Customer Portal, E-tendering, etc. toensure that

- Public portals are Secured to avoid hacking.

- Consumer data remains confidential.

Training team members to develop secure web enabled S/Ws Robust Change Management Process for H/W & S/W Pro-active approach for Security of System before implementing any new solution in

both IT & OT side

Best Practices at TPDDL

ISO 27001 certification for both IT & OT Systems HR directly activates and de-activates mail-ids on joining and separation Revalidation of User ids, VPN access specially for critical roles or discontinuation

of BA services Regur DR Drill for all critical applications, network, electrical equipment's, etc. n-1 for all elements i.e. IT Infra, Communication, Data Center, Application and

Manpower Use of BitLocker Drive Encryption to protect hard disk on laptops to protect

Enterprise Data Security Incidents handled by Information Security Council Measurement of Information Security parameters through Departmental

Balanced Score Card

3/16/201721

THANK YOU