As Pakistan continues to experience an expansion of its cyber environment and engagement in the global IT market, the nation remains exposed to a plethora of cyber threats, including cybercrime, espionage, and cyber warfare. The targeting of the country’s vital infrastructure, including power and energy systems, military and government networks, and financial institutions, has resulted in a number of cyber-attacks that have led to power outages, financial losses, and disruptions to essential services. The incorporation of technology in Pakistan’s electrical power infrastructure has become an indispensable aspect of contemporary society as it enables the efficient management and distribution of electricity; however, it also escalates the potential ramifications of a cyber-attack on these systems in the absence of adequate security measures. Nevertheless, the potential consequences of a cyber-attack on these systems are often overlooked and undervalued due to a lack of awareness and comprehension of the potential risks and a lack of investment and resources devoted to cybersecurity.
The World Economic Forum (WEF) has acknowledged the increasing frequency and severity of cyber-attacks on critical infrastructure as a “cyber pandemic,” with an increase of 300% in the U.S. itself, particularly in the wake of the COVID-19 pandemic. Targets of these attacks include Operational Technology (OT) which connects Industrial Control Systems (ICS) and critical systems that are interlinked and connected widely. These attacks on ICS can potentially disrupt essential services, causing chaos and financial losses for individuals and organizations. The susceptibility of vital infrastructure to cyber incursions, including power grids, presents a formidable threat to the stability and security of nations. Nevertheless, many countries, among them Pakistan, have yet to fully comprehend and tackle the potential ramifications of a cyber-attack on their power grids. Research has indicated a discernible increase in the recurrence and intricacy of cyber-attacks directed at power grids, with nation-state actors being identified as possessing both the technical acumen and strategic intent to carry out such nefarious activities. The power grid, a term synonymous with the electrical grid, represents a labyrinthine network of various technological mechanisms and equipment that generate electricity. These mechanisms are intricately linked within a grid infrastructure, and the grid’s operations are constantly monitored through security systems devised to identify any deviation or irregularity in the power flow. A nefarious interference with the power grid can substantially harm all devices interlinked within the grid and those not actively engaged with the grid.
As scholars, it is crucial for us to inquire into the underlying causes and potential consequences of a nationwide blackout, with specific regard to how these factors may vary in relation to the duration of the event. A nationwide blackout, as defined, constitutes a comprehensive disruption of the national power infrastructure, leading to a widespread cessation of electricity supply. The implications of such an occurrence can diverge significantly, depending upon the origin of the blackout and its duration. Among the most common ramifications of a nationwide blackout are:
- Disruption of essential services: Hospitals, water treatment plants, and other critical infrastructure may be affected, leading to the interruption of essential services such as healthcare, water supply, and communication.
- Loss of power to homes and businesses: Millions of people may be left without power, making it difficult or impossible to cook, heat, or cool homes and businesses.
- Economic disruption: Businesses may be forced to shut down, leading to lost productivity and revenue. This can also result in job losses, reduced GDP, and other economic impacts.
- Traffic and transportation issues: Traffic lights, trains, and other public transportation may stop functioning, causing delays and accidents.
- Safety concerns: People may be at risk of injury or death due to the lack of power to essential services such as hospitals, elevators, and emergency response systems.
- Security concerns: A nationwide blackout can also provide opportunities for criminals and hostile actors to carry out attacks, looting, or other malicious activities.
From a global perspective, Russia, the United States, and China possess highly advanced cyber capabilities and have been known to engage in nation-state cyber-attacks. Russia has been associated with a number of high-profile cyber-attacks, including the 2015 assault on the Ukraine power grid, which was the first known instance of a cyber-attack resulting in a power outage. This attack utilized a combination of spear-phishing emails and malware to infiltrate the network and manually operated breakers to shut off power to over 225,000 customers. Russia has also been accused of hacking into the power grid systems of the United States to gain access to control systems. The United States boasts a well-funded and highly skilled cyber-military division known as the United States Cyber Command, which is responsible for defending U.S. military networks and conducting cyber operations. The U.S. government has also invested heavily in protecting critical infrastructure, including the power grid. In 2007, the U.S. Department of Homeland Security (DHS) conducted a demonstration called the Aurora Generator test, which simulated a cyber-attack on a power generator, causing it to malfunction and shut down, resulting in a power outage. This test was significant in that it marked one of the first demonstrations to show that a cyber-attack on the power grid could cause a physical disruption of the power system. China is acknowledged to possess a sophisticated cyber espionage program and has been accused of hacking into power grid systems and other critical infrastructure in the United States. Additionally, China has been actively developing its cyber-warfare capabilities and has been linked to several cyber-attacks targeting the power grid and other critical infrastructure.
The recent blackout that occurred in Pakistan on Jan. 23, 2023, has brought to light the vulnerability of the country’s power grid to potential cyber-attacks. This is not the first incident of such an attack, and the last was witnessed in January of 2021, when the nation of 220 million stood still, engulfed in total and utter darkness. In the more recent instance, the Ministry of Energy initially attributed the outage to a technical failure and then sought to downplay the outage as an intentional turn-off as part of the energy-saving initiative in the face of the current energy crisis. An examination of analogous case studies on prolonged power grid failures has identified a distinct causal factor. While previous instances of widespread blackouts have been attributed to “technical” causes, a closer examination reveals that the underlying technicality lies within the realm of cyber security and that the recent incident may have resulted from a malicious cyber-attack. The “cascading effect” on the grid that followed can be described as a power outage occurring in one area and causing a domino effect, leading to power outages in other areas. This can happen for several reasons, such as equipment failure, human error, or a cyber-attack. When a power plant or transmission line goes down, the sudden loss of power can cause power to be redirected to other areas, leading to an overload and causing additional power plants or transmission lines to fail. This chain reaction can quickly spread throughout the power grid, causing a widespread blackout. Moreover, if the grid is not configured with adequate protection and control mechanisms, the cascading effect can cause damage to the grid infrastructure that may take weeks or months to repair. However, physical failures are not the only threat to the power grid; cyber threats pose a threat as well. Several cyber threats can affect Pakistan’s power grid, including:
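The cascading effect described above, as an added toy simulation that is not part of the article: a constructed four-line grid loses one line, its load is rerouted evenly over the surviving lines, and the overload trips further lines round by round; the same event is then run with a hypothetical load-shedding protection scheme that caps each line below its rating and stops the cascade. All line names, loads and ratings are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Line:
    name: str
    load: float       # MW currently carried (constructed sample values)
    capacity: float   # MW rating; a line above its rating trips next round
    tripped: bool = False

def sample_grid():
    # Constructed four-line grid running close to its limits (hypothetical)
    return [Line("L1", 80, 100), Line("L2", 90, 100),
            Line("L3", 85, 100), Line("L4", 50, 100)]

def redistribute(lines, lost_load):
    """Spread the load of tripped lines evenly over lines still in service,
    a crude stand-in for power flow rerouting after an outage."""
    alive = [ln for ln in lines if not ln.tripped]
    if not alive:
        return 0.0
    share = lost_load / len(alive)
    for ln in alive:
        ln.load += share
    return share

def simulate(lines, initial_trip, shed_to=None):
    """Trip one line and follow the cascade. shed_to (e.g. 0.95) enables a
    protective load-shedding scheme that cuts any in-service line back to that
    fraction of its rating before it can overload; None disables protection.
    Returns (list of trip rounds, total MW shed)."""
    rounds, shed = [], 0.0
    to_trip = [ln for ln in lines if ln.name == initial_trip]
    while to_trip:
        lost = 0.0
        for ln in to_trip:
            ln.tripped = True
            lost += ln.load
            ln.load = 0.0
        rounds.append([ln.name for ln in to_trip])
        redistribute(lines, lost)
        if shed_to is not None:
            for ln in lines:
                limit = shed_to * ln.capacity
                if not ln.tripped and ln.load > limit:
                    shed += ln.load - limit
                    ln.load = limit
        # whatever is now above its rating trips in the next round
        to_trip = [ln for ln in lines if not ln.tripped and ln.load > ln.capacity]
    return rounds, shed
```

Without protection the single trip of L1 empties the whole constructed grid in three rounds; with shedding enabled, a few tens of MW of load are dropped and the outage stays confined to L1.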
- Advanced Persistent Threats (APTs): APTs are targeted attacks typically launched by nation-state actors with the intent of gaining prolonged access to a network or system, which can be leveraged to steal sensitive information, disrupt operations, or cause physical damage to critical infrastructure.
- Distributed Denial of Service (DDoS) attacks: DDoS attacks inundate networks or systems with traffic through compromised devices, potentially causing unavailability of power grid operations or physical damage to infrastructure.
- Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) attacks: ICS and SCADA attacks target the systems and networks that regulate and oversee critical infrastructure, such as power plants and transmission lines, which can lead to physical damage or impede power grid operations.
- Phishing and social engineering attacks: These attacks utilize email and phone phishing to deceive individuals into revealing sensitive information or installing malware, which can be employed to pilfer sensitive information or gain access to power grid systems.
- Ransomware attacks: These attacks, which use malware to encrypt a network or system’s files and demand a ransom in exchange for the decryption key, can disrupt power grid operations or cause physical damage to infrastructure.
Recent case studies of prolonged power grid failures have led to reevaluating the underlying causes of such incidents. While traditional explanations have often cited technical issues as the primary cause, there is growing evidence to suggest that the technicality of these failures may be rooted in the cyber realm. This is particularly evident in the case of the Indian state-sponsored Advanced Persistent Threat (APT) group known as “SideWinder,” which is suspected of being responsible for the recent power outage in Pakistan. The group has also been referred to as “Razor Tiger,” “T-APT-04,” and “RattleSnake.” Although conclusive attribution has yet to be established, fragmented evidence of the attack has surfaced. This evidence includes the dissemination of Pakistan’s NTDC’s Grid Station Information System (GSIS) dashboard screenshots on Telegram groups. These screenshots reveal informative details of the affected power grid’s Asset Management System (AMS). Before this incident, SideWinder had been identified as having targeted Pakistan’s National Electric Power Regulatory Authority (NEPRA) through malware known as “WarHawk.” Specifically, this malware was employed to infiltrate the NEPRA official website and spread malware by distributing a legitimate government advisory.
For the defenders of the grid in Pakistan, it is crucial to understand that nation-state actors and APTs are intentionally seeking the initiative to conduct cyber operations below the threshold of an armed conflict. These operations, short of an armed conflict, provide strategic benefits by allowing nation-states or organizations to gather intelligence, disrupt a target’s operations, or influence their decision-making without escalating the situation to a full-scale military conflict in, through, and from cyberspace. This allows these nation-state actors and state-sponsored APTs to persistently redistribute power in the international system by influencing the strategic decision calculus of an opponent and allowing cumulative gains to be made.
Additionally, it allows for a more covert and deniable approach, making it more difficult for the targeted nation or group to respond or attribute the attack to a specific source. We, as authors, also posit that Pakistan’s critical infrastructure, specifically the power grid, serves as a convenient “cyber test bed” for testing and examining various techniques in cyber warfare. This is primarily due to inadequate laws and regulations to safeguard against cyber-attacks and the power grid’s apparent ease of access and susceptibility. Furthermore, the potential for significant real-world consequences stemming from a successful cyber-attack on the infrastructure further exacerbates the vulnerability of Pakistan’s power grid. This notion is supported by various reports and studies highlighting Pakistan’s weak cybersecurity framework, lack of regulations, and inadequate incident response capabilities.
As cyber threats continue to evolve and target critical infrastructure, organizations in the industrial control systems and energy sectors must remain vigilant in their defensive strategies to protect against advanced persistent threat (APT) groups and other malicious actors. However, it is crucial to consider the defense mechanisms and understand the potential causes and effects of cyber-attacks on Pakistan’s critical infrastructure, particularly its power grid. The consequences of such incidents can be severe and far-reaching, and proactive measures must be taken to mitigate these risks. One such measure is the regular assessment of potential vulnerabilities and the development of adequate incident response plans. Furthermore, education and awareness campaigns can increase public understanding of the potential risks and consequences of cyber-attacks. International partnerships and collaborations can aid in sharing information and best practices.
It is also important to note that identifying and attributing cyber-attacks is a complex task that requires significant resources and expertise. The testimony of cybersecurity experts may be the only way to confirm the occurrence of a cyber-attack in the absence of conclusive evidence. Despite recognizing the potential threat of cyber-attacks on critical infrastructure and establishing government bodies such as the National Cyber Security Authority (NCSA) and the National Response Center for Cyber Crimes (NR3C), Pakistan’s cyber security infrastructure remains in a nascent stage of development. A significant increase in resources and investment must be directed toward advancing cybersecurity measures to enhance the nation’s resilience to cyber-attacks and improve its ability to respond and recover from such incidents. Additionally, fostering a culture of proactive risk management and disaster anticipation is crucial in mitigating the impact of a potential cyber-attack on the power grid.
[Representational image by Pixabay]
*Dr. Hammaad Salik is a consultant to the Prime Minister’s Task Force on Knowledge Economy (Pakistan) and an advisory member of the Strategic Warfare Group (SWG). The author aims to provide accurate and transparent cyber information to the general public. His expertise includes Cyber Warfare Operations, Kinetic Cyber Warfare, AI, and Cyber Conflict Management. The author can be reached at [email protected].
*Rao Ibrahim Zahid is a consultant to the Prime Minister’s Task Force on Knowledge Economy (Pakistan) and an advisory member of the Strategic Warfare Group (SWG). The author’s research aims to raise awareness for a developing Pakistan. His expertise includes International Relations, Cyber Warfare, Cyber Conflict Management, Cyber Threat Intelligence, AI, and Air Defense analysis. The author can be reached at [email protected].
*Babar Khan Akhunzada is a cyber wizard and entrepreneur, the Founder of SecurityWall, a cyber security firm focused on Digital Risk Protection and a Hybrid Auditing approach serving top-international firms and government organizations. Babar is acknowledged by tech giants within Silicon Valley for security contributions. The author is a well-known speaker who gives his thoughts and analyses on Application Security, Cyber Warfare, OSINT, Cyber Policy, Forensics, and Red Teaming. He was listed among 25 Under 25 Young Achievers and featured in international media. The author can be reached at [email protected].
The views and opinions expressed in this article are those of the author.