In response to the rise of cyberattacks targeting critical infrastructure worldwide, the Central Electricity Authority (CEA) of India has put forward new regulations aimed at protecting the cybersecurity of the country’s power sector.
These proposed regulations, encapsulated in the Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2024, reflect a comprehensive effort to enhance the cyber resilience of India’s electricity system. Scheduled for enforcement six months after their publication in the Official Gazette, these regulations mark a significant step towards safeguarding India’s vital energy infrastructure.
Central Electricity Authority (Cyber Security in Power Sector) Regulations
The foundation for these Cyber Security in Power Sector regulations is laid under Section 177 of the Electricity Act of 2003, which mandates stringent cybersecurity measures across all segments of the electricity industry. The CEA’s proposed regulations highlight the critical need for enhanced cybersecurity in generating firms, transmission and distribution licensees, and other related entities. This comprehensive approach is a proactive measure against the rising tide of cyber threats that have increasingly targeted essential services globally.
One of the cornerstone elements of the proposed regulations is the establishment of a dedicated Computer Security Incident Response Team (CSIRT) specifically for the power sector. This team will be pivotal in developing security frameworks, coordinating sector-wide defense strategies, and managing incident response and recovery.
It will also be responsible for the creation of Standard Operating Procedures (SOPs), security policies, and best practices for incident response in collaboration with national cybersecurity bodies like CERT-In and NCIIPC.
Chief Information Security Officer (CISO) Mandate
The regulations stipulate that every organization within the power sector must designate a Chief Information Security Officer (CISO) and an alternate CISO. These senior roles must be filled by Indian nationals, ensuring that cybersecurity efforts are led by individuals with a deep understanding of local and sector-specific challenges. The CISO will report directly to the top executives of their respective organizations, emphasizing the strategic importance of cybersecurity in protecting national energy assets.
Cyber Crisis Management Plans (CCMPs)
Each organization is required to develop and maintain a Cyber Crisis Management Plan (CCMP). These plans, crucial for managing and coordinating responses to cyber incidents, must be approved by the organization’s highest management levels. The CCMPs will outline procedures for rapid identification, information exchange, and remediation of cyber threats impacting critical processes.
The regulations outline the necessity for sophisticated security technologies, including firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to detect and mitigate abnormal behaviors. Additionally, mandatory cybersecurity training for all personnel involved in the operation and maintenance of IT and operational technology (OT) systems is emphasized to ensure a well-informed and prepared workforce.
A new feature in the draft regulations is the implementation of a ‘Trusted Vendor System.’ This system requires that all ICT-based equipment and services be procured from verified and trusted sources. This precaution aims to prevent malware infections and maintain the integrity of the power supply system.
Public Consultation and Implementation Timeline
The draft regulations have been made available for public review and feedback on the CEA’s website and at the Chief Engineer (Legal) office in New Delhi. Stakeholders and the general public are invited to submit their comments by September 10, 2024. The regulations will come into force six months following their publication in the Official Gazette, with some provisions potentially being enacted sooner.
Chapter I of the Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2024, outlines the official title and implementation timeline for these regulations, which will take effect six months after their official publication. There may be varying commencement dates for specific regulations within this framework. Chapter II establishes the role of the Computer Security Incident Response Team (CSIRT) – Power, tasked with crucial functions including the collection and analysis of data to bolster cybersecurity and prevent cyber intrusions.
The CSIRT-Power is also responsible for developing and maintaining cybersecurity frameworks, managing incident responses in collaboration with national agencies such as CERT-In and NCIIPC, and fostering cybersecurity research through partnerships with academic institutions. Chapter III details the general cybersecurity requirements for organizations, mandating the appointment of Chief Information Security Officers (CISOs) and alternate CISOs, who must be senior management employees and Indian nationals. These roles are crucial for overseeing cybersecurity initiatives and reporting to the top leadership of the organization.
The regulations require entities to maintain comprehensive cybersecurity policies and a Cyber Crisis Management Plan (CCMP), both of which must be approved by the board or head of the organization. Security measures include deploying advanced firewalls, intrusion detection and prevention systems, and ensuring that all IT and operational technology (OT) personnel undergo mandatory cybersecurity training.
Regular audits and assessments are mandated to ensure ongoing compliance. Additionally, the introduction of a Trusted Vendor System aims to safeguard the power sector by ensuring that all ICT equipment and services are procured from verified and trustworthy sources, thereby mitigating supply chain risks.
Cybersecurity Program Overview
The regulations mandate a comprehensive cybersecurity program, encompassing several key areas. They require ongoing cybersecurity awareness and training through regular programs, mock drills, and campaigns to keep personnel updated on risks and best practices. Incident reporting and secure data backups are essential, along with routine audits of IT and OT systems to detect and resolve vulnerabilities.
The Information Security Division (ISD), headed by the Chief Information Security Officer (CISO), must operate 24/7 with adequate resources and the necessary certifications. The CISO and Alternate CISO are crucial for managing the cybersecurity framework and liaising with authorities, and both must have substantial IT and cybersecurity experience. The regulations also outline strict implementation and compliance measures, including regular self-audits, third-party audits, and adherence to cybersecurity standards.