SECURITY

Cyber Security

Tata Power-DDL has been a front runner in implementing a wide landscape of technologies to provide efficient and effective services to its customers. The wide penetration of technology has a major positive impact on the business, but it also poses cyber security challenges. These advancements have led to growing concerns over cyber security. The organization has a variety of confidential information, such as personal information of customers, employees and business associates, salary details of employees, operational data, trade secrets, long-term and short-term strategies, product details, research results, audit reports, financial balance sheets and much more, stored in information technology and operational technology (IT-OT) systems. These systems are the critical information infrastructure (CII) of the organization, and securing this critical information is therefore vital for the functioning of any organization.

The protection and resilience of its information and operational technology (IT-OT) are of utmost importance to Tata Power-DDL. There is a dedicated cyber security team to monitor, review and maintain information security policies, identify information security risks, and operate a comprehensive set of cyber security controls and measures. The IT-OT landscape is compliant with ISO 27001, ISO 22301 and the legal requirements of the IT Act, 2000, which cover the cyber resilience of our critical systems and ensure business continuity. In addition, Critical Information Infrastructure (CII) has been identified in coordination with the National Council Information Infrastructure Protection Centre (NCIIPC) as per the provisions of Section 70 of the IT Act, 2000.

Some of the best practices of information security are content filtering, installing firewalls, auditing, database and network security, business continuity, penetration testing and risk assessment. The most important practice to be followed is to make users aware of information security. The behaviour and diligence of employees play a vital role in implementing a robust information security management system.

The protection and resilience of its IT-OT systems are of utmost importance to Tata Power-DDL. The organization has deployed a dedicated cyber security team. The team is responsible for ensuring the Confidentiality, Integrity and Availability of its IT-OT systems through various measures such as monitoring, reviewing information security policies and controls, identifying information security risks, incident management, etc.

The IT-OT landscape is compliant with ISO 27001, ISO 22301, ISO 31000 and the legal requirements of the IT Act, 2000, which cover the cyber resilience of our critical systems and ensure business continuity. Tata Power-DDL successfully implemented ISO 27001 in FY 2008-09 for IT data centres and later enhanced the scope to OT systems. In addition, CII has been identified in coordination with the National Council Information Infrastructure Protection Centre (NCIIPC) as per the provisions of Section 70 of the IT Act, 2000.

In order to enhance the cyber security posture of the organization, various measures have been undertaken, such as content filtering, gateway firewalls, DDoS protection, anti-virus, Intrusion Detection System, Intrusion Prevention System, auditing, business continuity management system, penetration testing and risk assessment. A cross-functional team has been formed to conduct Vulnerability Assessment and Penetration Testing (VAPT) addressing various domains like network security, application security, etc.

IT-OT convergence impacts the security of Supervisory Control and Data Acquisition (SCADA) and Advanced Distribution Management System (ADMS) systems. In order to prevent the OT environment from being compromised due to an expanding threat landscape, the organization has adopted the following measures:

  • Risk assessment framework based on IEC 62443, IEC 62351, NIST and DoE guidelines
  • Vulnerability Assessment and Penetration Testing of OT systems
  • Domain-based access control
  • Implementation of an industrial-grade firewall
  • Real-time monitoring of the OT network through an automated tool

Another important aspect of cyber security is user awareness. The behaviour and diligence of employees play a vital role in implementing a robust information security management system. User awareness also helps minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding IT-OT systems design, operations, or security controls. Over a period of time, the organization has successfully been able to address all the major domains of information security.