CEA proposes draft regulations for cybersecurity in the power sector
The Central Electricity Authority (CEA) has proposed draft regulations titled “Draft Central Electricity Authority (Cybersecurity in Power Sector) Regulations 2024” to enhance cybersecurity across India’s power sector. The CEA is currently seeking public comments on these draft regulations.
Key Proposals:
Creation of CSIRT-Power: The draft regulations propose the establishment of a “Computer Security Incident Response Team (CSIRT) – Power” under the CEA. This entity will be responsible for collecting traffic data from all “responsible entities” in the power sector. CSIRT-Power will focus on enhancing cybersecurity; identifying, analyzing, and preventing cyber intrusions; and implementing the cybersecurity framework and protocols for the sector.
Information Security Division (ISD): All responsible entities must establish an Information Security Division (ISD) led by a Chief Information Security Officer (CISO). The ISD will be operational 24/7, ensuring adequate workforce and infrastructure to maintain cybersecurity.
Vendor Requirements: Vendors must provide documented and tested procedures for system recovery in case of a cyber crisis. They must also ensure the availability of security patches and updates for all system components throughout the contractually stipulated operating period.
Responsible Entities:
“Responsible entities” include a wide range of power sector entities that deploy operational technologies (OT) with or without IT systems. This includes generating companies, renewable energy sources, energy storage systems, transmission and distribution licensees, load dispatch centers, and other relevant power sector entities.
These draft regulations aim to bolster the cybersecurity framework within India’s power sector, ensuring that all stakeholders are adequately prepared to handle potential cyber threats.