Draft CEA Cybersecurity Regulation 2024: A Step to Secure India’s Power Sector

Introduction

As India’s power sector becomes increasingly dependent on digital technologies and faces a sharp rise in cyber threats, the Central Electricity Authority (CEA) has released the Draft CEA Cyber Security Regulations, 2024, an important step in strengthening India’s critical power infrastructure. The draft is subject to multiple rounds of stakeholder consultation, and the final regulations are yet to be released. The regulations would introduce mandatory cybersecurity audits, define clear roles for CISOs, and emphasize incident response frameworks while securing the vendor and supply chain ecosystem. Building on the 2021 Guidelines on Cyber Security, the draft expands its scope with a stronger focus on incident response, vendor security, and operational technology (OT) systems. In this blog, we walk you through an overview of the draft, with chapter-specific insights into the responsibilities of the various stakeholders and the steps each must take to achieve compliance.

Scope and Applicability

All entities in the power sector, including generating companies, transmission licensees, distribution licensees and control centres, will be bound by these regulations. All vendors, contractors and government organizations dealing with the power sector are also required to comply.

Key Objectives of the Proposed Regulations

The key objectives of the 2024 Draft Regulations are aligned with what we often recommend to our clients in critical infrastructure sectors:

  1. Structured governance of cybersecurity programs: Defining and documenting the organization’s information security framework.
  2. Building cyber resilience: The ability to withstand, adapt to and rapidly recover from a cyber-attack.
  3. Formalizing incident response: Documenting the actions to be taken in the event of a cyber-attack so they can be carried out swiftly.
  4. Mandatory audits and compliance: Regular audits that verify the effectiveness of controls and track the organization’s progress over time.
  5. Vendor and supply chain management: Extending security requirements across vendors and the supply chain and defining assurance requirements.

Chapter-Wise Insights

Chapter I: General Provisions

This chapter defines the applicability of the regulations and makes it clear that they apply to all stakeholders involved in the supply chain, from generation companies to vendors. The inclusion of key definitions, such as Critical Cyber Assets and Cyber Resilience, aligns everyone on what types of assets and capabilities need protection.

Chapter II: Composition of Computer Security Incident Response Team (CSIRT-Power)

Formalizing CSIRT-Power in the regulations is one of their most significant aspects. CSIRT-Power constitutes a central point of contact for handling cyber incidents across the power sector and plays a key role in managing and mitigating incidents capable of disrupting the stability and security of power infrastructure. It is responsible for collecting and analyzing traffic data to identify potential cyber threats, providing a comprehensive view of the threat landscape. CSIRT-Power was already established in April 2023 exclusively for the power sector. Additionally, Sectoral Computer Emergency Response Teams (CERTs) have been established for Thermal, Hydro, Transmission, Distribution, Grid Operation, and Renewable Energy. CSIRT-Power collaborates with these sectoral CERTs on their specific domains, such as transmission and renewable energy.

Chapter III: General Cybersecurity Requirements

This chapter outlines the basic yet fundamental cybersecurity practices that entities must adopt. These include designating a CISO and an Alternate CISO, promulgating a cybersecurity policy, and deploying security controls (e.g., firewalls, IDS/IPS).

Chapter IV: Roles and Responsibilities of Responsible Entities

The cybersecurity responsibilities of power sector entities are well defined. They include the requirement to have a 24/7 active Information Security Division (ISD) in place, cybersecurity training for all personnel, and physical and logical segregation between the IT domain and the OT domain.

Chapter V: Cyber Security for Critical Information Infrastructure (CII)

Any compromise of CII can have serious implications, so this chapter focuses on the protection of CII.

Chapter VI: Cyber Security Audits

This chapter focuses on regular cybersecurity audits, which are critical to maintaining the overall security posture of an organization. IT systems must be audited bi-annually, while OT systems must be audited annually. The rules also emphasize the need to patch vulnerabilities regularly and in a timely manner.

Chapter VII: Vendor and Supply Chain Security

This chapter introduces a trusted vendor system that requires vendors to provide a Software Bill of Materials (SBOM) and to certify their products against the IEC 62443 standards. Its goal is to secure the supply chain, which is often the weakest link in cybersecurity.

Chapter VIII: Incident Response and Reporting

This chapter outlines the processes for reporting cybersecurity incidents and establishes timeframes for reporting to CSIRT-Power and CERT-In.

Chapter IX: Additional Requirements for Vendors

This chapter requires vendors to deliver regular security updates and patches throughout the lifecycle of their products, ensuring their long-term security against cyber threats.

High-Level Checklist to Comply with the Draft Regulations

Entities in the power sector can use the following checklist to align their efforts with the Draft Regulations:

Governance

  • Appoint an adequately qualified Chief Information Security Officer (CISO) and an Alternate CISO.
  • Establish a documented and approved Cybersecurity Policy.
  • Establish an Information Security Division (ISD). The minimum workforce required to set up an ISD is four officers, including the CISO, plus four officers/officials for shift operations.

Cyber Crisis Management Plan (CCMP)

  • Create and implement a Cyber Crisis Management Plan approved by the entity’s senior management.
  • Ensure communication protocols and reporting formats for incident reporting are in place with CSIRT-Power and CERT-In.

Cybersecurity Controls

  • Ensure firewalls, IDS/IPS systems and Web Application Firewalls are deployed appropriately.
  • Ensure websites, web portals and applications have passed a cybersecurity audit before they are hosted on the internet.
  • Restrict remote access, especially remote access to OT infrastructure.

Training and Awareness

  • Ensure all individuals, including contractors and vendors, receive the mandatory cybersecurity training.
  • CISOs and ISD personnel should undergo at least 10 person-days of cybersecurity training each year.

Vulnerability Management

  • Perform vulnerability assessments and remediate the findings.
  • Ensure critical system updates and security patches are applied on a regular basis.

Incident Reporting

  • Report cybersecurity incidents to CSIRT-Power, CERT-In, and NCIIPC within prescribed timeframes.

Audits and Assessments

  • Conduct bi-annual cybersecurity audits of IT systems and an annual audit of OT systems.
  • Address all critical and high-risk vulnerabilities within the stipulated timeframe.
  • Submit audit reports within six weeks of completing the audit.

Conclusion

The Draft CEA Cyber Security Regulations, 2024, would change how the power sector handles cybersecurity. They set clear rules for managing cybersecurity, responding to incidents and ensuring compliance, with the aim of safeguarding critical power infrastructure from evolving cyber threats.

How Payatu Can Help

Compliance with these extensive regulations is challenging. Payatu offers professional assistance with compliance and security:

  • Policy Development: Customized cybersecurity policies aligned with regulatory requirements.
  • Training: Training programs to ensure all individuals, including employees, contractors and vendors, receive the mandatory training and acquire the required skills and certifications.
  • Audit Support: Pre-audit assessments with actionable remediation recommendations.
  • Incident Response: Design and implementation of effective response frameworks.
  • Ongoing Compliance: Maintaining continued compliance as regulations and standards are updated.

Collaborating with Payatu will help entities in the power sector confidently address the challenges of complying with the Draft CEA Cyber Security Regulations, 2024.

References

  1. Draft CEA Cyber Security in Power Sector Regulations, 2024: https://cea.nic.in/wp-content/uploads/notification/2024/08/Draft_CEA_Cyber_Security_in_Power_Sectyor_Regulations_2024_English_Version.pdf
  2. Guidelines on Cyber Security in Power Sector, 2021: https://cea.nic.in/wp-content/uploads/notification/2021/10/Guidelines_on_Cyber_Security_in_Power_Sector_2021-2.pdf
