More than 270 substations operated by the state-run Power Grid Corporation of India Ltd, all commissioned before official cybersecurity guidelines were introduced in late 2021, remained without next-generation firewalls at least till December 2024, documents reviewed by The Indian Express show.
The estimated cost of installing advanced firewalls — equipped with intrusion detection and prevention systems — across 273 substations is estimated at around Rs 119 crore. In April this year, Power Grid told the National Power Committee (NPC) this expenditure is “difficult to accommodate” under its operations and maintenance (O&M) budget due to “very stringent” regulatory limits, the documents reveal. It added that firewall-related “works/projects are under various stages of finalisation/implementation”.
The matter will be taken up at a meeting of the NPC in Shillong on May 16, where members will discuss a mechanism to book or recover the cost of these installations. The meeting will also deliberate on a broader roadmap for implementing firewalls across the national transmission infrastructure, as per the agenda. The NPC is constituted under the Union Ministry of Power, with a focus on ensuring uniformity in grid management practices across India.
In response to a query sent by The Indian Express, Power Grid said—”It may be noted that firewalls are already in place at Control Centres. Further, adequate security measures such as air gap arrangement etc. are also in place at all POWERGRID sub-stations. Further, technical requirement is under discussion with all stakeholders. Further, it may be noted that there is no budgetary constraint.”
The absence of next-generation firewalls at substations could pose cybersecurity risks to India’s critical infrastructure, especially against the backdrop of simmering tensions with Pakistan and the evolving capabilities of state and non-state actors. Next-generation firewalls integrate intrusion detection and prevention systems to monitor, detect, and block malicious traffic in real time, offering advanced threat protection beyond traditional firewalls.
In an April 2024 meeting, Power Grid told top officials that no firewall is installed in over 270 of its existing substations that were commissioned before the Central Electricity Authority (CEA) issued cybersecurity guidelines in October 2021.
Then, in a December 2024 meeting, the NPC’s member-secretary noted that “firewall are not installed at existing substations of Power Grid and some of the other Transmission Service Providers (TSPs) to ensure perimeter security,” according to documents.
Story continues below this ad
In the meeting, a Power Grid representative further stated that there was “no firewall at Power Grid stations for any type of data communication towards RLDC (Regional Load Dispatch Centre),” and that firewall installations were also necessary to secure the Inter-State Transmission System (ISTS) communication network.
More recently, in April this year, the company told the CEA that bearing the Rs 119 crore cost for firewall installations under existing O&M norms could negatively impact its financials. “The expenditure of approx. Rs 119 crore for firewalls under O&M expenses for 273 substations is difficult to accommodate. It will further impact the commercial performance measures,” Power Grid said according to documents.
As of April 30, 2025, Power Grid operated a total of 283 substations, according to its website.
In the April 2024 meeting, India’s apex grid operator had noted that attacks on the power sector “have grown and are also frequent”. “The systems without adequate security devices at the periphery are prone to be compromised and a possible lateral movement cannot be ruled out which will have an impact on a larger system,” Grid India had said.
Story continues below this ad
Still, while firewalls are widely adopted as an access control method against hackers, they do not guarantee cybersecurity.
“(There are) instances of firewalls being mis-configured and even if the configuration of firewalls are correct, it has vulnerabilities because they are not able to detect insider attacks and connections from the trusted sites. Hence, solutions based solely on firewalls can be inadequate,” the CEA noted in its documents.
The CEA also believes air gap arrangements are inadequate. “The much hyped air gap myth between IT (information technology) and OT (operational technology) Systems now stands shattered. The artificial air gap created by deploying firewalls between any IT and OT System can be jumped by any insider or an outsider through social engineering,” it said in its CEA (Cyber Security in Power Sector) Guidelines, 2021.
In September 2024, Union Power Minister Manohar Lal inaugurated the Computer Security Incident Response Team for the power sector (CSIRT-Power), which is tasked with detecting threats, enabling rapid response, and improving sector-wide resilience. It also promotes best practices, conducts training, and facilitates collaboration to strengthen overall cybersecurity preparedness.
Story continues below this ad
At the inauguration, the minister said, “The threats we face today are unlike those of the past. Cyberattacks have emerged as a serious and growing concern, capable of causing significant disruptions with far-reaching consequences. The power sector, being at the heart of our national infrastructure, is a prime target for such attacks.”
Earlier, in April 2022, then Union Power Minister RK Singh had said, “Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful… We’ve already strengthened our defence system to counter such cyber attacks”.