In India, Power Sector to Now Have Cybersecurity Guidelines

Over the last year, there has been a growing number of cyberattacks on critical infrastructure in India. With this in mind, the Central Electricity Authority (CEA) recently announced cybersecurity guidelines for the power sector.

Cyberattacks on power grids can directly affect essential goods, services and supplies. For instance, the cyberattack on Colonial Pipes led to a gasoline shortage in the eastern USA. Similar cyberattacks have started in India, including those attempted on multiple regional electricity load despatch units. The hackers could not access the central system, yet the Power Ministry took all the preventive measures.

On average, there are 30 attempts per day to bring down our power infrastructure. As a precaution, the Power Ministry and the Ministry of New and Renewable Energy formulated these security guidelines. There were extensive discussions with stakeholders and experts from CERT-In (Cyber Emergency Response Team), NCIIPC (National Critical Information Infrastructure Protection Center), NSCS and IIT-Kanpur. The guidelines will apply to all responsible entities, system integrators, suppliers/vendors, equipment manufacturers, service providers, IT hardware and software OEMs (Original Equipment Manufacturers) and all those engaged in the Indian power supply system.

The purpose of the guidelines is to raise the level of cybersecurity preparedness, promote research and development in cybersecurity and open up the market for cyber testing infrastructure in public and private sector companies. They will lay down the cyber assurance framework, strengthen the regulatory framework and set a mechanism for early warning during security threats.

The guidelines will ensure that every company has a cybersecurity policy and sets aside a sufficient portion of its annual budget for cybersecurity. They ask companies to identify and create a risk profile for all critical infrastructure and to share this information with the NCIIPC. They also state that companies will have to purchase all their Information and Communication Technologies (ICT) from a list of trusted sources that the ministry will provide. Companies will now have to conduct a quarterly review of their cyber risk assessment.

The guidelines include instructions for annual cybersecurity training, reporting cybersecurity and sabotage incidents, creating and submitting a cyber crisis management plan, and appointing a Chief Information Security Officer (CISO). They also include instructions for a half-yearly cybersecurity audit by a CERT-In empanelled auditor.

These guidelines are all a precautionary measure to avoid a severe cyberattack and its implications. The government wants to use them to maintain cyber hygiene. With the increasing number of cyberattacks, it becomes imperative to follow these guidelines so that essential services are not brought to a standstill even for a few hours. CERT-In might only be able to check and review the application and the working of these guidelines after their implementation. Whether or not they will help create a secure cyber barrier is yet to be seen.