More than 270 substations operated by state-run Power Grid Corporation of India Ltd, all commissioned before official cybersecurity guidelines were introduced in late 2021, remain without next-generation firewalls, documents reviewed by The Indian Express show.
The estimated cost of installing advanced firewalls—equipped with intrusion detection and prevention systems—across 273 substations is estimated at around Rs 119 crore. Power Grid has told the government this expenditure is “difficult to accommodate” under its operations and maintenance (O&M) due to “very stringent” regulatory limits, the documents reveal.
The matter will be taken up at a meeting of the National Power Committee (NPC) in Shillong on May 16, where members will discuss a mechanism to book or recover the cost of these installations. The meeting will also deliberate on a broader roadmap for implementing firewalls across the national transmission infrastructure, as per the agenda.
The absence of next-generation firewalls at substations poses cybersecurity risks to India’s critical infrastructure, especially against the backdrop of simmering tensions with Pakistan and the evolving capabilities of state and non-state actors. Next-generation firewalls integrate intrusion detection and prevention systems to monitor, detect, and block malicious traffic in real time, offering advanced threat protection beyond traditional firewalls.
In an April 2024 meeting, Power Grid told top officials that no firewall is installed in over 270 of its existing substations that were commissioned before the Central Electricity Authority (CEA) issued cybersecurity guidelines in October 2021.
Then, in a December 2024 meeting, the NPC’s member-secretary noted that “firewall are not installed at existing substations of POWERGRID and some of the other Transmission Service Providers (TSPs) to ensure perimeter security,” according to documents.
A Power Grid representative further stated that there was “no firewall at POWERGRID stations for any type of data communication towards RLDC (Regional Load Dispatch Centre),” and that such installations were also necessary to secure the Inter-State Transmission System (ISTS) communication network.
More recently, in April this year, the company told the CEA that bearing the Rs 119 crore cost for firewall installations under existing O&M norms could negatively impact its financials. “The expenditure of approx. Rs 119 Crs for firewalls under O&M expenses for 273 substations is difficult to accommodate. It will further impact the commercial performance measures,” Power Grid said according to documents.
In the April 2024 meeting, India’s apex grid operator had noted that attacks on the power sector “have grown and are also frequent”. “The systems without adequate security devices at the periphery are prone to be compromised and a possible lateral movement cannot be ruled out which will have an impact on a larger system,” Grid India had said.
Still, while firewalls are widely adopted as an access control method against hackers, they do not guarantee cybersecurity.
“Instances of firewalls being mis-configured and even if the configuration of firewalls are correct, it has vulnerabilities because they are not able to detect insider attacks and connections from the trusted sites. Hence, solutions based solely on firewalls can be inadequate,” CEA noted in documents.
In September 2024, Union Power Minister Manohar Lal inaugurated the Computer Security Incident Response Team for the power sector (CSIRT-Power), which is tasked with detecting threats, enabling rapid response, and improving sector-wide resilience. It also promotes best practices, conducts training, and facilitates collaboration to strengthen overall cybersecurity preparedness.
At the inauguration, the minister said, “The threats we face today are unlike those of the past. Cyberattacks have emerged as a serious and growing concern, capable of causing significant disruptions with far-reaching consequences. The power sector, being at the heart of our national infrastructure, is a prime target for such attacks.”
Earlier, in April 2022, then Union Power Minister RK Singh had said, “Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful… We’ve already strengthened our defence system to counter such cyber attacks”.
