Government Releases Cybersecurity Guidelines for Power Sector

The Indian government has recently released guidelines focused on cybersecurity within the power sector. This is an unprecedented move that officially establishes comprehensive guidance for cyber security in this critical industry. These new guidelines signal a first step toward more robust regulations within the Central Electricity Authority (CEA, Ministry of Power).

Framework and Guideline Development

The Central Electricity Authority (CEA) developed these guidelines as part of the Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019. The new standards include facets such as a cybersecurity assurance framework, mechanisms for early warnings against potential security threats, vulnerability management, responses to security threats, and safeguards for remote operations and services.

Scope of Cybersecurity Guidelines

The new regulations apply to a broad scope of entities involved in the Indian power system. This includes system integrators, equipment manufacturers, service providers, vendors, Information Technology (IT) hardware and software OEMs (Original Equipment Manufacturers), and responsible entities. The term ‘responsible entities’ covers power generation utilities, distribution utilities, transmission companies, and load dispatch centres, among other groups involved in the sector.

Key Guidelines Explained

Key points of the new guidelines include an insistence on procuring from trusted sources. In essence, Information & Communication Technology-based procurement must come from identified ‘trusted sources’ and ‘trusted products’. If not, the product will need to undergo malware and hardware trojan testing before use in the power supply system network.

The guidelines also specify the need for a Chief Information Security Officer (CISO) to be appointed in every responsible entity. They also require the creation of an Information Security Division, to be overseen by the CISO.

Furthermore, the entities are compelled to establish a procedure to identify and communicate any disturbances suspected or proven to be caused by sabotage. Such incidents should be reported to the sectoral CERT and Computer Emergency Response Team – India (CERT-In) within a 24-hour window.

Significance of the New Cybersecurity Guidelines

Not only do these guidelines bolster the cybersecurity framework in the power sector, but they are also anticipated to propel research and development within the cybersecurity field. The move is expected to open up market opportunities for establishing cyber testing infrastructure across both public and private sectors within India.
