With over five decades of engineering excellence, Bharat Heavy Electricals Limited (BHEL) is an integrated power plant equipment manufacturer in India. It is engaged in designing, manufacturing, constructing, commissioning, and servicing a wide range of products and services for the core sectors of the economy.
Since its inception in 1964, BHEL has embraced newer technologies for business efficiency. Currently, the company is entering the next phase of its growth with the automation and modernization of its systems.

The challenge

The implementation of smarter electric power distribution grids and other new technologies led to increased connectivity, as well as increased complexity, at BHEL. These technological changes also exposed the public sector company to threats and vulnerabilities that made its IT systems more susceptible to both accidental and deliberate breaches.
Rajiv Garg, Executive Director (CS&IT) at BHEL, believes that industrial control organizations such as BHEL are attractive targets for cyber-attacks. BHEL identified potential vulnerabilities in its IT infrastructure that could be exploited by unethical hackers and criminals. The challenge, therefore, was to determine the security risk levels at BHEL's different facilities across the country so that appropriate remedial action could be taken.
“Over the course of time, we started to notice external attacks on our networks, internal user errors, and a lack of information security awareness among employees. Therefore, we created a qualified information security team to implement an enhanced security system, incident management system, user awareness campaigns, and support best practices within the organization,” says Garg.

The solution

The aim of the project was to explore information security incident management practices within BHEL and understand the challenges to improving them.
BHEL used to have a distributed IT structure, where each unit and division had its own IT team. “But for the Information Security Management System (ISMS) project we decided to create a common qualified IT team across the organization. However, a little customization by individual teams was allowed,” says Garg.
The project had a three-pronged approach.
First, the company formed a unified IT team at the corporate and unit levels, led by an information system security officer (ISSO). Second, the teams were given thorough inputs for capability building and for carrying out vulnerability assessments and penetration tests of BHEL's critical servers. Third, the top-level information security policy was signed and approved by the CMD and is now regularly followed up by BHEL's top management.
“We initiated this project in 2005 with only 12 of BHEL's locations. We invested heavily in our employees' training on ethical hacking, programming, coding, and managing,” says Garg. “We started with the vulnerability analysis of servers and networks; went through an internal audit; and got an ISO 27001 certification. Currently, we own 22 certificates for approximately 30 locations.”
A major bottleneck was the huge scale of the project and preparing the core IT team for it. “To manage this, we launched an information security forum, which made the convergence of documentation and implementation easy. This forum regularly reviews the state of security and the vulnerabilities to fill in the gaps,” says Garg.

The benefits

Since the implementation, BHEL has been able to collaborate proactively with Standardization Testing and Quality Certification, the National Technical Research Organization, CERT-IN and the National Critical Information Infrastructure Protection Centre. The company has also aligned with governmental initiatives like Country Wide Crisis Management and has formulated a crisis management plan.
“Security never directly contributes to the profit; however, it is the backbone of any organization. ISMS helped us in enhancing operational efficiency and made our systems more agile,” says Garg. “Security talks about three things—confidentiality, integrity, and availability—which are required to run the whole security system proficiently. So the ROI was in terms of increased business efficiency instead of a direct monetary impact.”
Different departments of BHEL now have a common understanding of risk management and refer to the same framework of controls. The project also ensured that security is incorporated into general management processes.
Garg believes that BHEL now has an improved, effective information security management system, which has increased risk awareness among employees. “In doing so, we believe that information security is best viewed not solely as a technology challenge, but as an organizational governance issue,” concludes Garg.