Satya Gupta

Head(IT) & CISO

Tata Power Delhi Distribution Ltd

Communications and Cyber Security

10th March’2017

Tata Power-DDL BUSINESS OVERVIEW

Licensed for distribution of power in North and North West Delhi

Certifications : ISO 9001, 14001, 27001, 22301, 31000, SA 8000 & OHSAS 18001

Joint Venture of Tata Power Company and Govt. of NCT of Delhi (51: 49)

ParameterValues(Jul'02)

Values(Mar'16)

AT&C Loss 53.10% 8.88%

Annual Energy Requirement

970 MW 1791 MW

Total Registered Customers 7 Lakhs 15.3 Lakhs

Number of Employees 5600 3525

Area 510 SQ KMS

Turnover INR 6174 Crs

3

Current scenarioWhat TPDDL had inherited

Multi-pronged approach adopted by Management to turnaround a traditional Government setup into a role model for private sector efficiency in only 10 years

• AT&C losses: > 50%

• No concept of consumer service and IT interface

• Lack of performance orientation

• Electricity supply system on the verge of collapse

• AT&C losses: 8.88 %

• One stop solution: State-of-the-artIntegrated Call Centers & ConsumerCare Centers

• Performance orientationthrough Change Management & Balanced Scorecard Approach

• Remarkable improvementin System Reliability: DT losses <1%

TPDDL Turnaround Story-Brief Snapshot

Parameter UoM 2002-03 2016-17AT&C Losses % 53.1 8.88%

System Reliability – ASAI % 70 99.9%

Number of Employees Nos. 5600 3530

Number of Consumers Mln 0.7 1.6

Vision 2022

Industry’s Shift Towards Smart Grid

Power Sector’s move towards Smart Grid Practices has resulted in steep rise in adoption of various advance IT & OT technologies.

• Communication technology plays a key role in the implementation of various Smart Grid Technologies.

• Robust Cyber Security practices are required to ensure all systems & services are up and running(24X7).

Communication a Key Enabler of “Smart-Grid”

• Smart Grid requires a robust and a two-way communication system.

• Applications like AMI, ADR, ADMS etc.. requires information to communicated on a real time basis.

• Communication system acts as the cornerstone for successful implementation of various Smart Grid applications.

• Any failure in ensuring an effective communication system will have severe impact on reliability and services.

TPDDL Communication System: Objectives

TPDDL established its Communication Network (in FY 2004-2005) across its area of operation ; to

support

Operational applications like SCADA/ Tele-protection / GIS /OMS/

Commercial and Billing applications

Enterprise applications – SAP CRM/ SAP BCM/SAP ERP , e-mail etc.

TPDDL has upgraded its Communication Network to TP-MPLS (in FY 2014-2015) ; to

support

forthcoming Smart grid applications such as AMI, EV charging stations, MWM, ADR and Integrated security solution etc.

TP-DDL Communication Landscape

The Communications “landscape” consists of laying its own OFC

network covering all main offices, data-centers, stores, district

offices and Zonal Offices.

Redundant Communication Network

RG-3 SUB Ring 1STM 4Σ2

2

2 2

2

2

Σ

Σ

RG-5

PUSA ROAD

RANIBAGH GRID

Saraswati garden

NARAYANA PH-I

CORE RINGSTM 16

FIBER RING - TPDDL

RANIBAGH CCC

NEW ROHTAK ROAD

ΣΣ

Σ

Σ

Σ

ΣΣ Σ

Σ

Σ

Σ Σ

Σ

Σ

ΣΣ

Σ

Σ

Σ

Σ

Σ

Σ

Σ

2

Σ

Σ2

Σ

Σ

Σ

Σ

Σ

WZP-II

INDER VIHAR

AZAD PUR

WAZIRABAD

CIVIL LINES

SARASWATI GARDEN

PANDU NAGAR

VSNL

S PARK

KESHAV PURAM DO

ROHTAK ROAD

RAM PURA

TRI NAGAR

ASHOK VIHAR H BLOCK CCC

GULABI BAGH SHEHJADA BAGH

SHAKTI NAGAR DO

GTK Grid

SHALIMAR BAGH

PITAM PURA DO

PP III

PP II

MGP-II

INDER PURIHUDSON LINES

WZP-I

ASHOK VIHAR GRID

MGP-1

Σ2

RG-IVRG-22

RG-23

BAWANA GRID-6

POOTH KHURD GRID

BAWANA WATER WORKS and Bawana DO

DSIDC A7, NARELA

DSIDC1 NARELA

RG-1

PP-1

HDR’PUR

SGTN

JAHANGIR PURI

AIR KHAMPUR

BADLI

RG-6

RG-II

Fiber Sub RingFiber Main Ring

Σ Grids2 Enterprise DATA Σ2 Enterprise and Grid

VSNL VSNL Gateway for internet

RAMA ROAD

Σ

Σ2

Σ2

Σ2

Σ2

Σ2

2NARELA DO

DSIDC2 NARELA

SUB Ring 3STM 4

SUB Ring 2STM 4

SUB Ring 4 STM 4

SUB Ring 5STM 4

OFFICES

TRANSCO Grid

Stations

Sub Transmission

Grid Stations

Distribution

Stations

CUSTOMERS

SCADA/ DMS/DA

SAP-ISU

(CRM/BILLING)

SAP

(PM/PS/MM/HR/FICO)

GIS

Call Centre

OMS

AMR/PG/SPT BILL

WEBDATA

CENTER

ONE

DATA

CENTER

TWO

COMMUNICATION NETWORK

ISO 9001, ISO 27001 & BCMS (ISO 22301:2012) certified

Adoption of Technology

Integrated Communications Architecture

Home

Network

Meters &

Premise

Gateways

Access

Communication

AMI Mgmt

System

Home /CustomerNetwork

Local

Field CommsNeighborhood

AggregationT&D

Management

System

Monitoring,

DA

Utility Wide

Comm.Web

Access

Back Haul

Communication

Back-Office

& Operational

SystemsExternal

Data Access

3rd Parties

Customers

Field Crew

Distribution Equipment

200kW Phosphoric Acid Fuel Cell

The power plant in

Santa Clara is rated

at 1.8 MW AC net

It contains more

than 4,000 cells

$2000-3000/kW

DG

T&D Equipment

Control & Monitoring Centers

Monitoring

SA, DA

Field

Workforce

Automation

PEV

Monitoring

AMI

WiFi, WiMax, PLC, RF Mesh,

GSM, CDMA

Zigbee, Bluetooth,

HomePlugMicrowave,

SDH,MPLS,MPLS-TP, CE

Internet, HTTPS,

VPNEthernet LAN

• Mail service on mobile and web(External/Internal)

• Website• Consumers accessing connection, reading, bill, payment details,etc.

• On line bill payment

• SMS services for consumers

• E-procurement

• Smart Grid Applications require to communicate with various field based devices

• IT & OT Integration for enhancing consumer experience

• FFA for improving field based operations

Cyber Security-Vital for Survival

Cyber Security Challenges

• Highly exposed and distributed environment

• Technology Obsolescence

• Separate IT & OT Verticals with limited coordination

• Less awareness about cyber security practices among OT team members

• Cyber Security not considered during fundamental design phase

• Fast and constantly evolving nature of security risks

• Ever evolving standards, technologies, services, applications

• Increasing complexity of systemsMobile & Wireless EverywhereHeterogeneous SystemsMultiple Interfaces

Cyber Security for Smart Grid

• Change in traditional scenario

• Grid automation systems use public networks due to lower costs

• Increases the vulnerability of grids to cyber attacks

Field components like RTU are attacked through remote access

Using communication protocols available in public domain, an intruder can reverse engineer the data acquisition protocols & exploit them

Network topology vulnerability is exploited e.g. DOS attack

Classification of Attacks

ComponentWise

ProtocolWise

TopologyWise

Strategies to detect & Mitigate

• Network Segmentation

− Effective network segmentation restricts communication between networks and reduces the extent to which an

adversary can move across the network

• Strict Role-Based Access Control

− Grants or denies access to resources based on job function

− Active Directory (AD) implements role-based user access control through group policies.

• Application Whitelisting

− Permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else

− Eliminates the execution of unknown executable, including malware

Multiple Layers of Security

• Firewall based security

• Intrusion Detection System

• Threat Management Gateway(Proxy Server)

• Demilitarized zone for all public portals

• Single sign-on

• Secure tunnel via two factor authentication for Remote Access

• Vulnerability assessment & Penetration Testing

Operationalizing Information Security

• Regular Review meeting of Information Security Council (ISC) for identifying new risks, mitigating them

and discussing Incidents

• Involvement of Top Management

• Cyber Security Awareness through TIPS, Quiz, sessions etc.

• Involvement of all major departments like OT, HR, Finance, Administration, Safety, Legal, etc. in Council

• Annual Plan for review and implementation -

- Review and update processes

- Focus on creating awareness on IT Security

- DR Drill at regular intervals

- Pro-active approach before implementing any new solution

• System driven implementation of various policies – Password & patch management, anti-virus, etc

Cyber Security Control Room

• EMS, NMS and SIEM generates huge logs.

• Cyber Security Control Room required for real time monitoring and analysis to decide and quickly take preventive and corrective actions in case of any event / incident and activating Emergency Response Team, if required

MUX

SAP/R3 Application servers

Database Servers

Websense

Ironport

Mailbox

Exchange server

ISP router (CENNET)

ISP

Local LAN for CENNET

Crystal Reports

CHECKPOINT(4800 series)

DMZ

6509 Switch

4507 Switch

Enterprise Router

SCADA Router

OMS Switch

OMS ServersSCADA Servers

SCADA Switch

IT Network OT Network

DC1 Segregation of IT & OT

ISA

IT – OT Technology Segregation at DCs

19

Risk Mitigation

• Penetration Testing followed by Grey Box testing, through CERT approved agency forall portals on public domain e.g. Website, Customer Portal, E-tendering, etc. toensure that

- Public portals are Secured to avoid hacking.

- Consumer data remains confidential.

• Training team members to develop secure web enabled S/W’s• Robust Change Management Process for H/W & S/W• Pro-active approach for Security of System before implementing any new solution in

both IT & OT side

Best Practices at TPDDL

• ISO 27001 certification for both IT & OT Systems• HR directly activates and de-activates mail-ids on joining and separation• Revalidation of User ids, VPN access specially for critical roles or discontinuation

of BA services• Regur DR Drill for all critical applications, network, electrical equipment's, etc.• n-1 for all elements i.e. IT Infra, Communication, Data Center, Application and

Manpower• Use of BitLocker Drive Encryption to protect hard disk on laptops to protect

Enterprise Data• Security Incidents handled by Information Security Council• Measurement of Information Security parameters through Departmental

Balanced Score Card

3/16/201721

“THANK YOU”