Background
Organizations across different sectors have faced an increasing number of cyber attacks in recent years, and it is only a matter of time before the power sector experiences the same. Cyber intrusion attempts in the power sector can be made for either compromising the power supply system or rendering grid operations. The artificial air gap between IT and OT systems can be easily shattered by third parties using social engineering. After a security breach, cyber adversaries can take over IT network control and OT system operations. Therefore, ensuring a secured online ecosystem and better cyber security becomes absolutely necessary for the power sector.
The Central Electricity Authority (CEA) has released a list of guidelines for the power sector to ensure better cyber security. Six sectoral Indian Computer Emergency Response Teams (CERT-In), namely transmission, hydro, grid operation, RE, thermal and distribution, have been created to ensure cyber security in the power sector. Details about CERT-In can be found here.
Guideline Objectives
The guidelines provide a cyber assurance framework that makes it possible to strengthen the regulatory framework and to give early warning of security threats. CEA wants to achieve certain objectives by releasing this list of guidelines. The objectives are as follows:
- Awareness of cyber security
- Secured cyber ecosystem
- Secured remote operations
- Development of cyber assurance and regulatory framework
- Protection of critical information
- Mechanisms for security threat warning and vulnerability management
- Encouragement of open standards
- Promotion of cyber security research
Cyber Security Guidelines 2021
The 14 guidelines, referred to as ‘articles’, are framed by CEA under regulation (10) of the Central Electricity Authority (Technical Standards for Connectivity to the Grid) Regulations, 2019. According to CEA, the guidelines should be followed by all responsible entities such as transmission utilities, distribution utilities, regional power committees, equipment manufacturers, service providers, suppliers, etc.
Article 1: Policy of Cyber Security – Cardinal principles and regulations of framing a policy of cyber security are mentioned.
Article 2: CISO Appointment – It includes the rules and regulations of appointing a Chief Information Security Officer (CISO).
Article 3: Identification of CII – It includes regulations of identifying Critical Information Infrastructure or CII.
Article 4: Electronic Security Perimeter – Rules and requirements for setting up electronic security perimeter are mentioned.
Article 5: Requirements of Cyber Security – Conditions for establishing cyber security are mentioned.
Article 6: Assessment of Cyber Risk and Mitigation Plan – It includes procedures for assessment and mitigation plan of cyber risk.
Article 7: Legacy System Phasing – IT technology update and replacement plans for power system equipment are mentioned.
Article 8: Cyber Security Training – Procedures and requirements of cyber security training programs are mentioned.
Article 9: Risk Management of Cyber Supply Chain – It includes guidelines for maintaining a secured cyber supply chain.
Article 10: Incident Report and Response Plan of Cyber Security – It discusses procedures of response plans and reports in case of a cyber attack.
Article 11: Cyber Risk Management Plan (C-CMP) – Rules and regulations of preparing a C-CMP are mentioned.
Article 12: Sabotage Reporting – It mentions procedures for reporting sabotage in the cyber security policy.
Article 13: Cyber Assets Security and Testing – Regulations about software and firmware updates, vulnerability assessment and tests of cyber assets are mentioned.
Article 14: Cyber Security Audit – Guidelines for cyber security OT auditor and cyber security audit standards are mentioned.