CEA proposes stricter cyber security norms to shield India’s power grid – ET CISO
In an assertive move to fortify India’s power sector against escalating cyber threats, the Central Electricity Authority (CEA) has released a draft of the Central Electricity Authority (Cyber Security in Power Sector) Regulations. Set to come into effect six months following their publication in the Official Gazette, these regulations are designed to strengthen the cyber resilience of the nation’s power infrastructure. Stakeholders and the public have been invited to submit their comments on these proposals by September 10, 2024.
The newly proposed regulations, framed under Section 177 of the Electricity Act, 2003, demand robust cyber security measures across all facets of the power sector. This includes generating companies, transmission and distribution licensees, and other associated entities. These stringent measures are intended to establish a secure operational environment in response to the growing incidence of cyber attacks targeting critical infrastructure globally.
A cornerstone of the proposed regulations is the creation of a specialized Computer Security Incident Response Team (CSIRT) for the power sector. This team will be responsible for orchestrating a cohesive cyber defense strategy across the sector, laying down security frameworks, and acting as the central agency for incident response and recovery.
Entities within the power sector are mandated to appoint a Chief Information Security Officer (CISO) and an alternate CISO, ensuring that these key positions are occupied by Indian nationals who are senior management employees. The regulations specify that these officers must directly report to the top executives of their organizations, thus emphasizing the critical nature of their roles in safeguarding national energy assets.
Moreover, the draft details obligatory Cyber Crisis Management Plans (CCMP) that each entity must develop and maintain. These plans must be approved by the highest level of management within the organizations and are essential for the coordination and management of cyber incidents.
On the technical front, the regulations prescribe comprehensive security protocols. These include the deployment of advanced firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) that are capable of detecting behavioral anomalies. There is also a significant emphasis on training, with a requirement that all personnel involved in the operation and maintenance of both IT and operational technology (OT) systems undergo mandatory cyber security training.
The CEA’s draft regulations also introduce a ‘Trusted Vendor System,’ mandating that all ICT-based equipment and services be procured from vetted and reliable sources. This measure is intended to prevent the introduction of malware through third-party components and to ensure the integrity of the power supply system.