SANDEEP SHUKLA IS the Poonam and Prabhu Goel Chair Professor at IIT Kanpur. Along with his colleague Professor Manindra Agrawal, he set up the interdisciplinary Centre for Cybersecurity and Cyber Defence of Critical Infrastructure at the institute, which is shortly expected to launch India’s first industrial-scale cyber security test bed for power and manufacturing equipment. The State University of New York alumnus works closely with the Government. He serves on two panels created by the standing committee on cyber security at the RBI and also advises the Railways on its signalling systems. Recently, Shukla and Agrawal presented a study on cyber crime to the Parliamentary Committee on Finance, warning of an escalation in digital offences following demonetisation and stressing the urgency of fighting the menace. Shukla spoke to me on a range of issues related to cyber security. Edited excerpts from an interview:
Five years ago, when the northern power grid suffered a severe disruption of services, there was speculation that it was a cyber attack. As our utilities get increasingly net-linked, how real is the threat of such a strike?
I have looked at the event sequence analysis report of the July 2012 blackout, when the northern, western, eastern and north-eastern grids blacked out because they are synchronous with each other, a cascading failure in which one [disruption led] to the others. The southern grid is not synchronous with the other four sub-grids, so it was not affected. Though there was no indication that the 2012 [event] was induced by cyber attacks, if you analyse the cascade— the outage of one transmission line in Uttar Pradesh and the subsequent overloading of neighbouring lines causing further outages—you can easily see that such a sequence can be induced by coordinated attacks on digital relays.
The relays that monitor transmission lines for indication of faults or abnormal frequency, et cetera, are basically embedded computers. An MIT study in 2012 found that in the US, almost 50 per cent of relays had factory-set default passwords. Thus, they are easy prey to cyber attacks. Also, there is a fear in the US that foreign governments might have installed malware in various [points of the] power system. These advanced persistent threats (APTs) do not trigger until they are told to. We saw large-scale cyber attacks on power grids in Ukraine in 2015 and again in 2016. On the first occasion, it was done by the BlackEnergy malware and the second was by ransomware.
In our lab-scale test bed, we found that one of the protocol conversion switches… has a privilege escalation vulnerability (where hackers can take advantage of programming errors or design flaws). We informed the Computer Emergency Response Team India (CERT-IN) immediately so that they could take steps and inform all industrial control installations to check if they have the problem. While we got a courtesy email back stating that they would look into the matter, four months or so have passed and we have not seen any kind of action—at least to our knowledge.
The National Critical Information Infrastructure Protection Centre and CERT-IN—the two organisations that are supposed to help utilities, banks and companies issue advanced threat warnings and also provide actionable intelligence so that installations are adequately protected—fail to play their roles. CERT in the US is much more proactive. Here in India, these agencies hardly have the manpower or the capacity to be so. They often have to do a lot of fire-fighting after a large incident happens. But that is not enough.
Why do you say that institutions such as CERT-IN are not prepared enough to fight cyber strikes?
Look at how CERT works in the US. Based on a university campus, it enlists the support of researchers to collect threat intelligence. Whenever a large-scale malware epidemic happens, CERT in that country identifies signatures and patterns, and within hours, the perpetrators are arrested. If you compare CERT-IN and other institutions fighting cyber crime in India, you will have no difficulty in arriving at that conclusion.
So the fact that we have not been attacked by a foreign power on a large scale to induce cascading blackouts seems to be just sheer luck. Or maybe someone is waiting to strike us at a more opportune time. I am often considered an alarmist, but as a former Intel CEO argued in an eponymous book, ‘Only the paranoid survive’.
Which countries do you think have high cyber offensive capacities and ‘malicious’ designs?
As you might have seen in multiple dumps by WikiLeaks, the CIA has weaponised vulnerabilities in all kinds of systems, and the NSA also seems to have been behind the infamous Equation Group that Kaspersky Lab had warned about a few years ago. So the US has certainly created an arsenal of cyber weapons. China is another one—they make the highest number of attacks on IT and critical infrastructure systems around the world. At IIT Kanpur, we have set up some honeypots (decoys for hackers) to check where the network at IIT gets most attacks from, and we found that they are from two specific locations in China. Israel is also big in cyber offensives. In 2009, the Stuxnet [virus] had hit the Iranian uranium enrichment plant and it is widely suspected that the US and Israel were behind it.
The recent spate of ransomware attacks, WannaCry, for instance, is a direct result of CIA exploits of Windows SMB v1 (a network file-sharing protocol). Most advanced European countries are also involved in offensive cyber security. Countries often build cyber attack vectors and exploits as deterrents. Russia and east European nations are particularly active in weaponising vulnerabilities of various systems, especially of mobile systems. To my knowledge, India has not done well in offensive or defensive cyber security.
How safe is the Aadhaar database against unauthorised usage? What urgent protective steps should the Government take?
The database does not seem very secure. The entire process of Aadhaar-enabled services is prone to cyber attacks… The biggest worry should be ‘insider attacks’. While talking to many people in India, I find it very frustrating that most companies and government officials do not recognise that insider threats exist. However, myriad surveys have shown that most cyber attacks (about 60-70 per cent) happen either by an insider—a highly privileged user within the company—or through an insider and external collaboration (with insiders as unwitting participants). The Axis Bank/E-Suvidha/e-Mudra cases were instances of internal threats. What is most scary, though, are the statements made by officials in the Unique Identification Authority of India—one saying that even if your Aadhaar number is leaked, it is not a danger, or someone else saying that planes also have accidents and likewise cyber attacks would happen—that display a total lack of understanding or complete indifference to privacy and individual security. Linking Aadhaar with all kinds of services is making things worse.
The Government has to do many things. The laws and regulations must change. Two weeks ago, large amounts of individual customer data from Reliance Jio surfaced on the darknet. The company denied that the data was leaked. In the US legal framework, such a denial would be punishable, but here these happen with impunity. The Government also has to invest in multiple centres of excellence for cyber security research. Our academia has an extremely small number of researchers who understand cyber security. Also, startups in the cyber security space are crucial, as large IT companies are not doing very well [on this]. One of the biggest challenges is a lack of expertise and manpower. Cyber security should be taken up by the Government with the same sense of urgency, if not more, as space, atomic energy and so on.