Enhancing Cybersecurity in the Indian Power Sector

The Central Electricity Authority (CEA) under the Ministry of Power, in collaboration with REC Limited and the Expert Group on Smart Metering (EGSM), organised a workshop on cybersecurity for distribution utilities in the power sector.

It gathered experts, industry leaders, and cybersecurity enthusiasts to explore and discuss the latest trends, innovations, and strategies in the realm of cybersecurity. Attendees participated in dynamic discussions covering cybersecurity preparedness, the threat landscape and challenges in incident response, best practices for critical information infrastructure (CII) in the distribution sector, cybersecurity requirements for cloud security, and cyber security testing of firewalls and routers.

The focal point of the event was the Guidelines for Cyber Security in the Power Sector issued by CEA in 2021. These guidelines mandate compliance from all responsible entities, which include transmission utilities, transmission licensees, load dispatch centres, generation utilities, distribution utilities, generation aggregators, regional power committees, and regulatory commissions. The guidelines aim to:

These guidelines also strive to construct a secure cyber ecosystem, fortify regulatory frameworks, ensure the security of remote operations and services, and safeguard the resilience of Critical Information Infrastructures (CII) against cyber threats.

Moreover, they aim to reduce risks associated with cyber supply chains, advocate for the use of open standards, drive research and development initiatives in cybersecurity, and nurture human resources specialised in this field.

Additionally, the guidelines emphasise fostering effective public-private partnerships, encouraging information sharing and cooperative efforts among stakeholders for a more robust cyber defence strategy.

The conference provided a platform for the exchange of knowledge, sharing best practices, and reinforcing collective resilience against cyberattacks in the Indian power sector.

Cyber intrusion attempts and attacks in critical sectors are conducted with malicious intent and aim to compromise the power supply system or undermine the security of grid operations. Such compromises can lead to equipment maloperations and damage, or even trigger cascading grid brownouts or blackouts. Responsible entities involved in the power sector as well as service providers, equipment suppliers, vendors, and consultants, share equal responsibility in ensuring the cybersecurity of the Indian power supply system.

These agencies are expected to promptly respond to each threat intelligence, advisories, and other inputs received from authenticated sources to ensure a continuous enhancement of their cybersecurity posture.

According to the guidelines, responsible entities must be ISO/IEC 27001 certified (including sector-specific controls as per ISO/IEC 27019). They are required to establish a Cyber Security Policy based on the principles issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).

They must conduct an annual review of their Cyber Security Policy by a subject matter expert, and any changes to the policy should only be implemented after obtaining approval from the Board of Directors. Furthermore, responsible entities are required to collaborate with other industry stakeholders and academia to promote research and development activities in cybersecurity.

Additionally, they must ensure that cybersecurity issues are included as agenda items in their Board meetings at least once every three months. They must allocate an adequate annual budget to enhance the cybersecurity posture, with a progressive increase year over year. Every entity must appoint a Chief Information Security Officer (CISO) and ensure compliance with any qualifications specified by the Quality Council of India (QCI).

The entities must establish an Information Security Division (ISD) led by the CISO, which should be functional round-the-clock. The ISD should be staffed by an adequate number of engineers, each possessing a valid certificate demonstrating the successful completion of a cyber security course specific to the power sector from training institutes designated by CEA.