Cybersecurity Guidelines For Power Sector Released: Mandates Procurement Of Equipment Only From “Trusted Sources”

In the backdrop of several high profile cyberattacks on various critical infrastructure reported around the world, the Central Electricity Authority recently released the new Cybersecurity Guidelines for the power sector.

The guidelines have been prepared after extensive consultation with stakeholders and expert agencies under the direction of the Power Ministry and Ministry of New and Renewable Energy.

Cyberattacks on power grids can disrupt services and supply of essential goods. The cyberattack on Colonial Pipeline in the USA, for example, led to a shortage of gasoline in the eastern parts of the country.

According to the union government, in 2021, “cyber incidents” were reported at the Southern Regional Load Despatch Centre (SRLDC), the Western Regional Load Despatch Centre (WRLDC), Northern Regional Load Despatch Centre (NRLDC) and the North Eastern Regional Load Despatch Centre (NERLDC) of Power System Operation Corporation (POSOCO), NTPC Kudgi and Telangana State Transco.

The new guidelines are applicable to all responsible entities as well as system integrators, equipment manufacturers, suppliers/vendors, service providers, IT hardware and software original equipment manufacturers engaged in the Indian power supply system.

According to the Ministry, these guidelines are a precursor to new regulations and must be adhered to compulsorily.

Highlights of the New Guidelines

Cyber Security Policy – every entity must prepare a cyber security policy and conduct an annual review of the policy by experts. Further, it must ensure that the policy is implemented through its Information Security Division (ISD). Apart from this, the guidelines also state that the entity should ensure that a sufficient portion of their annual budget must be allocated towards cyber security.

Appointment of Chief Information Security Officer (CISO) – a CISO, who has minimum qualifications as laid down by the Quality Council of India (QCI) must be appointed. The CISO will head the information security division (ISD), which should be functional at all times on all days. The ISD will be staffed by an adequate number of engineers trained in cyber security.

Identification of Critical Infrastructure – all critical infrastructure must be identified and a risk profile of them must be prepared and submitted to the National Critical Information Infrastructure Protection Centre (NCIIPC). It should also review the declared critical infrastructure once a year.

Cyber Risk Assessment and Mitigation Plan – a review of cyber risk assessment must be carried out at least once a quarter. During such assessments, the actionable risk treatment and mitigation should be tracked for their effectiveness.

Phasing out Legacy System – The entity must ensure that the ISD prepares a list of all ICT equipment nearing end life or are left without support from Original Equipment Manufacturers (OEM). Thereafter CISO should identify equipment/systems to be phased out from the list.

The entity should also document in their Cyber Security Policy a standard operating procedure for safe and secure disposal of outlived or legacy devices.

Cyber Security Training – an annual cyber security training programme must be conducted for personnel who have authorised cyber or physical access to critical systems.

Cyber Supply Chain Risk Management – the entity must ensure that all the ICT equipment for their critical systems is sourced from the list of the “Trusted Sources” as and when notified by the Ministry of Power or the Central Electricity Authority.

Reporting Cyber Security Incident – the CISO must inform all security incidents to Cyber Emergency Response Team – India (CERT-In). The incident must be handled as per Cyber Security Incident Response Plan detailed in the latest Cyber Crisis Management Programme (C-CMP).

Cyber Crisis Management Plan (C-CMP) – a cyber crisis management plan must be prepared and submitted to the sectoral CERT for review. There should be an annual review and periodic updation of C-CMP.

Sabotage Reporting – The CISO must prepare a detailed report on disturbances or unusual occurrences, identified, suspected or determined to be caused by sabotage in the critical system of the responsible entity, and must submit the report to the sectoral CERT as well as to CERT-In within 24 hours of its occurrence.

The CISO must submit to NCIIPC within 24 hours of occurrence the report on every sabotage classified as cyber incidents on “Protected System”.

Security and Testing of Cyber Assets - The entity should ensure the security of all in-service phase as well as standby cyber assets through regular firmware/software updates and patching, vulnerability management, penetration testing (of combined installations), securing configuration, supplementing security controls.

Cyber Security Audit – a CERT-In empanelled cyber security auditor should audit the systems once in six months. The entity should close all critical and high vulnerabilities within a period of one month and medium as well as low non-conformities before the next audit.