With over five decades of engineering excellence, Bharat Heavy Electricals Limited is an integrated power plant equipment manufacturer in India. It is engaged in designing, manufacturing, constructing, commissioning, and servicing of a wide range of products and services for the core sectors of the economy.
Since its inception in 1964, BHEL has embraced newer technologies for business efficiencies. Currently, the company is getting into the next phase of its growth with automation and modernization of systems.
The implementation of smarter electric power distribution grids and other new technologies led to increased connectivity as well as complexities at BHEL. These technological changes also exposed the public sector company to threats and vulnerabilities that made its IT systems more susceptible to both accidental and deliberate breaches.
Rajiv Garg, Executive Director (CS&IT) at BHEL, believes that industrial control organizations such as BHEL are attractive targets for cyber-attacks. BHEL identified potential vulnerabilities in its IT infrastructure that could be exploited by unethical hackers and criminals. Therefore, the challenge was to determine the security risk levels at BHEL’s different facilities across the country so that appropriate remedial action could be taken.
“Over the course of time, we started to notice external attacks on our networks, internal user errors, and a lack of information security awareness among employees. Therefore, we created a qualified information security team to implement an enhanced security system, incident management system, user awareness campaigns, and support best practices within the organization,” says Garg.
The aim of the project was to explore information security incident management practices within BHEL and understand challenges for improvements.
BHEL used to have a distributed IT structure, where each unit and division had its own IT team. “But for the Information Security Management System (ISMS) project we decided to create a common qualified IT team across the organization. However, a little customization by individual teams was allowed,” says Garg.
The project had a three-pronged approach.
First, the company formed a unified IT team at the corporate and unit levels, led by an information system security officer (ISSO). Second, the teams were given thorough inputs for capability building and for carrying out vulnerability assessments and penetration tests on BHEL’s critical servers. Third, the top-level information security policy was signed and approved by the CMD, and it is now regularly followed up by BHEL’s top management.
“We initiated this project in 2005 with only 12 of BHEL’s locations. We invested heavily in our employees’ training on ethical hacking, programming, coding, and managing,” says Garg. “We started with the vulnerability analysis of servers and networks; went through an internal audit; and got an ISO 27001 certification. Currently, we own 22 certificates for approximately 30 locations.”
A major bottleneck was the huge scale of the project, and preparing the core IT team for it. “To manage this, we launched an information security forum, which made the convergence of documentation and implementation easy. This forum regularly reviews the state of security and the vulnerabilities to fill in the gaps,” says Garg.
Since the implementation, BHEL has been able to collaborate proactively with Standardization Testing and Quality Certification, the National Technical Research Organization, CERT-IN, and the National Critical Information Infrastructure Protection Centre. The company has also aligned itself with governmental initiatives such as Country Wide Crisis Management and has formulated a crisis management plan.
“Security never directly contributes to the profit, however, it is the backbone of any organization. ISMS helped us in enhancing operational efficiency and made our systems more agile,” says Garg. “Security talks about three things—confidentiality, integrity, and availability, which are required to run the whole security system proficiently. So the ROI was in terms of increased business efficiency instead of a direct monetary impact.”
Different departments of BHEL now have a common understanding of risk management and refer to the same framework of controls. The project also ensured that security is incorporated in general management processes.
Garg believes that BHEL now has an improved and effective information security management system, which has increased risk awareness among employees. “In doing so, we believe that information security is best viewed, not solely as a technology challenge, but as an organization governance issue,” concludes Garg.