In an exclusive interview, Anwaya Bilas Sengupta, Alternate Chief Information Security Officer (Alt-CISO) of Grid Controller of India Limited, shares insights into the organization’s IT infrastructure, the critical role it plays in maintaining national power grid stability, and the comprehensive cybersecurity measures in place to protect this vital asset.
As the apex body for independent power system operation in India, Grid Controller of India Limited is tasked with overseeing real-time system operations across the national and regional load dispatch centers, ensuring the secure and reliable transmission of power. Sh. Sengupta discusses the organization’s layered security approach, the integration of AI in cybersecurity, and the importance of robust disaster recovery plans in safeguarding India’s power grid.
Can you provide an overview of the IT department’s structure at Grid Controller of India Limited?
Grid Controller of India Limited (under the Ministry of Power) is a Miniratna organization responsible for overseeing the national and regional power grids. The IT department is structured to support the organization’s core business of real-time power system operation and includes two key verticals:
Operational Technology (OT) Infrastructure:
Supervisory Control and Data Acquisition (SCADA) Systems: These systems interact with power system utilities across India to acquire data on power system parameters, allowing grid operators to make real-time decisions.
Phasor Measurement Units (PMU): Used to analyze critical events in the grid.
Renewable Energy Monitoring Center: Established to monitor renewable energy in accordance with government directives.
Meter Data Collection System: Automates meter reading processes and supports decision-making functions.
IT Infrastructure:
Distributed Architecture: IT infrastructure is distributed across five Regional Load Dispatch Centers (RLDCs) and the National Load Dispatch Center (NLDC). Disaster recovery sites are set up, with one RLDC often serving as the backup for another.
Server and Data Centers: The IT infrastructure includes hyper-converged infrastructure with storage, hosting various critical and non-critical applications in different zones.
Web-Based Energy Scheduling System: This system is declared as Critical Information Infrastructure by the Ministry.
What measures are in place to protect GRID-INDIA’s IT infrastructure from cyber threats?
GRID-INDIA has implemented a comprehensive multi-layered security framework to protect its IT infrastructure. The organization’s approach begins with Security by Design and Default, where security measures are integrated into the infrastructure’s core design. This includes disaster recovery and backup systems to ensure resilience against potential disruptions.
Since 2011, GRID-INDIA has maintained ISO 27001 Certification, reflecting its adherence to internationally recognized information security standards. This certification underscores the organization’s commitment to maintaining robust security practices across its operations.
Physical security is a critical aspect of GRID-INDIA’s overall security strategy. Most of its locations are safeguarded by an authorised security service provider, either the Central Industrial Security Force (CISF) or a DGR-sponsored agency, with advanced access controls that include biometric systems to prevent unauthorized entry.
On the logical access control front, GRID-INDIA employs Active Directory to manage system access. Multi-factor authentication, layered firewalls, and VLAN segmentation are used to create additional security layers, ensuring that only authorized personnel can access critical systems.
To reinforce its security posture, GRID-INDIA has established a comprehensive information security policy. This policy mandates regular risk assessments and audits, ensuring ongoing compliance with the Cybersecurity Guidelines issued by CERT-IN.
The organization’s Security Operations Center (SOC) operates around the clock, monitoring the cybersecurity landscape in real-time. The SOC is equipped with advanced tools such as Security Information and Event Management (SIEM), automation, orchestration, User Entity Behavior Analysis (UEBA), and Network Behavior Analysis (NBA). These AI-driven technologies enable continuous learning and proactive threat detection, ensuring that potential security incidents are identified and mitigated swiftly.
Vulnerability Assessments and Penetration Testing (VAPT) are integral components of GRID-INDIA’s security strategy. The organization conducts bi-annual VAPT for its entire IT infrastructure and annual VAPT for its Operational Technology (OT) infrastructure to identify and address potential vulnerabilities.
To ensure top-level oversight of security measures, GRID-INDIA has established an Information Security Management Forum. Each Regional Load Dispatch Center (RLDC) has a designated Chief Information Security Officer (CISO) responsible for managing information security at the regional level. Additionally, an Information Security Steering Committee, headed by the chairman and managing director of GRID-INDIA, provides strategic guidance and oversight.
Lastly, GRID-INDIA leverages AI-based systems for behavior analysis, enhancing both security and operational efficiency. These AI systems are also used for functional requirements such as forecasting and blockchain activities, further strengthening the organization’s security framework and its ability to respond to evolving threats.
How do you manage software development and deployment within the company?
We have a well-defined software development policy in place, currently undergoing revision. Our organization is unique in the power sector, both in India and globally, due to the vast scale of our operations. India hosts the largest power grid globally and is the third-largest utility in terms of thermal power generation, making our management processes highly specialized.
To manage our extensive and unique power grid, we have developed numerous in-house software applications tailored to the specific functional requirements of our organization. These requirements are typically not met by off-the-shelf software solutions. We categorize our software needs into two major classifications: Day-to-Day Business Functions and Unique Business Requirements.
For the development of software to meet our unique business needs, we follow a two-stage process. The first is Platform and Methodology Selection, in which committees are formed to decide on the platform and development methodology. Large-scale developments are usually outsourced to prominent agencies such as PwC, Accenture, TCS, or C-DAC. These agencies are selected through a tender process, including the issuance of RFPs.
The second is In-house Development and Maintenance, in which the selected agency or GRID-INDIA’s internal resources, in collaboration with our core team, handle the development and maintenance of the software. Our core team translates power system requirements into IT specifications, which the vendor then automates. For smaller or highly specialized requirements, our in-house IT team, which includes highly skilled engineers, handles the development and maintenance.
How do you ensure compliance with national and international IT regulations?
Grid Controller of India is committed to complying with both national and international IT regulations. The organization adheres to the Information Technology Act, 2008, and is currently exploring its obligations under the upcoming Digital Personal Data Protection (DPDP) Act. Compliance is also ensured with the Indian Electricity Grid Code (IEGC), which includes a dedicated chapter on cybersecurity. Furthermore, the organization follows the IT Rules 2018 for protected systems, as well as guidelines issued by the Central Electricity Authority (CEA) and the Indian Computer Emergency Response Team (CERT-In).
The organization has established a dedicated Information Security Division and appointed Chief Information Security Officers (CISOs) at each Regional Load Dispatch Center and at the central layer. An Information Security Steering Committee, headed by the Chairman of Grid Controller of India, monitors the implementation of cybersecurity measures. The organization also engages in regular mock drills and continuous monitoring to ensure preparedness against cyber threats.
How do you balance technological advancement with environmental responsibility?
Balancing technological advancement with environmental responsibility is a core focus for our management. We are proud to have achieved net-zero emissions this year, reflecting our commitment to sustainability. As a designated agency managing the Renewable Purchase Obligation (RPO) portal, we diligently meet our renewable energy commitments. Many of our Regional Load Dispatch Centers (RLDCs) have implemented solar installations, further supporting our environmental goals.
We are also ISO 14001 certified, demonstrating our adherence to stringent environmental management standards. This certification ensures that we comply with environmental norms and guidelines at every location. Our IT infrastructure practices contribute to our environmental responsibility; all IT consumables are disposed of through authorized agencies, and we strive to minimize our ecological footprint.
Sustainability is a continuous journey for us. Our management prioritizes environmental responsibility, and we have made significant strides in reducing paper usage. Most of our operations are now paperless, with HR, finance, and administrative functions fully transitioned to e-office and application-based systems. This commitment not only enhances our efficiency but also reinforces our dedication to environmental stewardship.