The Central Electricity Authority (CEA) of India has unveiled the draft Cyber Security Regulations for the power sector, 2024, marking a significant step in bolstering cybersecurity within the nation’s critical infrastructure. The draft regulations aim to cover a broad range of entities, including regional power committees, appropriate commissions, and government bodies, as well as training institutes and vendors involved in the power sector. These regulations are designed to address and mitigate the growing cyber threats facing the industry.
Central to the regulations is the establishment of a Computer Security Incident Response Team (CSIRT)-Power. This team will be responsible for developing a comprehensive cybersecurity framework, responding to security incidents, and coordinating with other cybersecurity organizations such as CERT-In and NCIIPC. The CSIRT-Power’s role is crucial in maintaining the integrity and security of the power sector’s digital infrastructure.
In addition to the CSIRT, the regulations mandate that all entities within the sector set up an Information Security Division. This division will oversee the implementation of critical infrastructure protection measures, review and update cybersecurity policies, and conduct regular security assessments. Such measures are intended to ensure that all aspects of cybersecurity are thoroughly managed and continuously improved.
Vendors supplying components to the power sector are also required to adhere to stringent cybersecurity standards under the new regulations. They must provide documented procedures and recovery plans to address potential cyber crisis scenarios. Furthermore, vendors are obligated to ensure that security patches and updates are made available for all their system components throughout the duration of the contract. This comprehensive approach is aimed at safeguarding the power sector from emerging cyber threats and enhancing overall resilience.