Draft CEA Cybersecurity Regulation 2024: A Step to Secure India’s Power Sector
Author: payatu.com | 2024-12-20

Introduction

As India’s power sector becomes increasingly dependent on digital technologies and faces a sharp rise in cyber threats, the Central Electricity Authority (CEA) has released the Draft CEA Cyber Security Regulations, 2024, a significant step towards strengthening the security of India’s critical power infrastructure. The draft is open for consultation with stakeholders, and the final regulations have not yet been notified. Building on the CEA (Cyber Security in Power Sector) Guidelines, 2021, the draft expands the scope of those guidelines with a stronger focus on incident response, vendor security, and operational technology (OT) systems.

The regulations will introduce mandatory cybersecurity audits, define clear roles for CISOs, and set out incident response frameworks. In this blog, we walk through the draft chapter by chapter, highlight the key requirements in each, and explain the responsibilities of the various stakeholders and the steps they need to take to achieve compliance.

Scope and Applicability

These regulations will apply to all entities in the power sector, including generating companies, transmission licensees, distribution licensees, and control centres. They also require all vendors, contractors, and government organizations dealing with the power sector to adhere to them.

Key Objective of the Proposed Regulations

The key objectives of the 2024 Draft Regulations are aligned with what we often recommend to our clients in critical infrastructure sectors:

  1. Structured governance of cybersecurity programs: Defining and documenting the organization’s information security framework.
  2. Building cyber resilience: The ability to withstand, adapt to, and rapidly recover from a cyber-attack.
  3. Formalizing incident response: Documenting the actions to be taken in the event of a cyber-attack so that they can be executed swiftly.
  4. Mandatory audits and compliance: Regular audits give organizations a measurable way to track and improve their security posture.
  5. Vendor and supply chain management: Extending security requirements to vendors and the supply chain, and defining the assurance expected from them.

Chapter-wise Insights

Chapter I: General Provisions

This chapter defines the applicability of the regulations and clarifies that they apply to all stakeholders in the supply chain, from generation, transmission and distribution companies to vendors. Important definitions, such as Critical Cyber Assets and Cyber Resilience, establish a common understanding of which assets and capabilities need protection.

Chapter II: Composition of Computer Security Incident Response Team (CSIRT-Power)

The creation of CSIRT-Power is one of the most significant aspects of the regulation. It serves as the central point of contact for handling cyber incidents in the power sector, helping to manage and mitigate incidents capable of disrupting the stability and security of power infrastructure. CSIRT-Power collects and analyses traffic data to identify potential cyber threats, giving it a comprehensive view of the sector’s threat landscape. CSIRT-Power was already set up in April 2023.

Additionally, sectoral Computer Emergency Response Teams (CERTs) have been set up for the thermal, hydro, transmission, distribution, grid operations, and renewable energy sectors. CSIRT-Power coordinates with these sectoral CERTs on incidents specific to their sectors, such as transmission and renewable energy.

Chapter III: General Cybersecurity Requirements

This chapter outlines the basic but fundamental cybersecurity practices every entity must adopt: designating a CISO and an Alternate CISO, promulgating a cybersecurity policy, and deploying security controls such as firewalls and IDS/IPS.

Chapter IV: Roles and Responsibilities of Responsible Entities

This chapter clearly defines the cybersecurity responsibilities of power sector entities. Key highlights are the establishment of a 24x7 Information Security Division (ISD), cybersecurity training for all personnel, obtaining ISO/IEC 27001 certification, and ensuring physical and logical segregation between the IT and OT domains.

Chapter V: Functions and Responsibilities of Information Security Division (ISD)

This chapter lists the ISD’s functions in protecting Critical Information Infrastructure (CII) and protected systems, including policy implementation, compliance review, incident reporting, and threat intelligence management. The ISD is responsible for asset vulnerability management and for retaining documentation securely.

The ISD enforces measures at the entity level through security controls such as system hardening, secure remote access, and cybersecurity requirements in procurement contracts and SLAs. The chapter also emphasizes adherence to the directives of NCIIPC, CERT-In, and CSIRT-Power to maintain a robust level of cybersecurity.

Chapter VI: Chief Information Security Officer (CISO) and Alternate CISO

This chapter sets out the minimum qualifications for the CISO and Alternate CISO. The CISO serves as the nodal officer for cybersecurity, coordinates with the authorities, communicates matters relating to the Cyber Crisis Management Plan (CCMP), and ensures that cybersecurity documents are secured as per IS 16335.

Chapter VII: Cyber Security Policy

This chapter presents minimum requirements to be included in the cybersecurity policies of all entities in the power sector.

Chapter VIII: Cyber Crisis Management Plan (CCMP)

This chapter outlines the key requirements of the Cyber Crisis Management Plan (CCMP), which includes event categorization, crisis criteria, stakeholders’ roles, SOPs, communication methods, and recovery plans for critical systems. CERT-In should vet and approve the CCMP.

Chapter IX: Additional Requirements for Vendors

This chapter requires vendors to deliver regular security updates and patches throughout the lifecycle of their products, ensuring their long-term security against cyber threats. Vendors must also provide a recovery and restoration plan and give advance notice of the end of life and end of support of all supplied products.

Chapter X: Cyber Security Audit

This chapter stresses the need for regular cybersecurity audits to maintain the organization’s overall security posture. IT systems are to be audited bi-annually, whereas OT systems are to be audited annually. The regulations also require that vulnerabilities identified in audits be addressed through timely and systematic patching.

Chapter XI: Physical Security

This chapter sets out the physical security requirements for all critical cyber and non-cyber assets.

Chapter XII: Critical Information Infrastructure (CIIs) Identification

This chapter contains the requirements for CII identification and notification. All entities must provide the information NCIIPC requires to identify CII, and details of new cyber assets must be submitted within 30 days.

Chapter XIII: Miscellaneous

This chapter explains the monitoring and compliance framework, which relies on third-party audits and self-audits to verify that the regulations are followed. It sets out the rules for submitting yearly self-audit reports to CISO-MoP and CSIRT-Power, including details of non-compliance and the corrective actions taken. It also includes rules for periodic review of cybersecurity policies, training of staff, and raising awareness through ongoing education. The Authority retains the power to relax or amend provisions of the regulations to address practical difficulties.

High-level Checklist to Comply with Draft Regulations

Entities in the power sector can use the following checklist to align their efforts with the Draft Regulations:

Governance

  • Appoint an adequately qualified Chief Information Security Officer (CISO) and alternate CISO.
  • Establish a documented and approved Cybersecurity Policy.
  • Establish an Information Security Division (ISD). The minimum strength required for an ISD is four officers, including the CISO, and four officers/officials for shift operations.

Cyber Crisis Management Plan (CCMP) 

  • Create and implement a Cyber Crisis Management Plan approved by the entity’s senior management.
  • Ensure communication protocols and reporting formats are in place with CSIRT-Power and CERT-In for incident reporting.

Cybersecurity Controls

  • Ensure that firewalls, IDS/IPS systems, and Web Application Firewalls are appropriately deployed.
  • Ensure that websites, web portals, and applications pass a cybersecurity audit before they are hosted on the internet.
  • Restrict remote access, especially remote access to OT infrastructure.

Training and Awareness

  • Ensure all individuals, including contractors and vendors, receive the mandatory cybersecurity training.
  • CISOs and ISD personnel must undergo at least 10 person-days of cybersecurity training every year.

Vulnerability Management

  • Perform vulnerability assessments and remediate the findings.
  • Ensure that critical system updates and security patches are applied regularly.

Incident Reporting

  • Report cybersecurity incidents to CSIRT-Power, CERT-In, and NCIIPC within prescribed timeframes.

Audits and Assessments

  • Conduct bi-annual cybersecurity audits of IT systems and an annual audit of OT systems.
  • Address all critical and high-risk vulnerabilities within the defined timeframe.
  • Submit audit reports to the relevant authorities within six weeks of completing the audit.

Conclusion

The Draft CEA Cyber Security Regulations, 2024 will change how the power sector handles cybersecurity. They set clear rules for governing cybersecurity, responding to incidents, and demonstrating compliance, and are a step towards safeguarding critical power infrastructure from ever-evolving cyber threats.

How Can Payatu Help?

Compliance with these comprehensive regulations is challenging. Payatu offers professional assistance for compliance and security:

  • Policy Development: Customized cybersecurity policies in accordance with regulatory compliance.
  • Training: Training programs that ensure all individuals, including employees, contractors, and vendors, receive the mandatory training and acquire the required skills and certifications.
  • Audit Support: Pre-audit assessment with actionable remediation recommendations.
  • Incident Response: Design and implementation of effective response frameworks.
  • Ongoing Compliance: Maintaining continued compliance with regulatory updates and standards.

Working with Payatu will enable entities in the power sector to confidently address the challenges of complying with the Draft CEA Cyber Security Regulations, 2024.

References

  1. CEA (Cyber Security in Power Sector) Guidelines, 2021
  2. Draft Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2024


Source: https://payatu.com/blog/draft-cea-cybersecurity-regulation-india-power-sector/