Indian government publishes cybersecurity guidelines for power sector

Earlier on the 10th, India’s Ministry of Electricity and the Central Electricity Authority (CEA) released the Power Sector Cybersecurity Guidelines, which outline the actions needed to raise the level of cybersecurity readiness in the power sector, with the aim of creating a secure cyber ecosystem. The guidance was developed in consultation with stakeholders and with cybersecurity expert bodies. These organizations include the Computer Emergency Response Team of India (CERT-In), the National Centre for Critical Information Infrastructure Protection (NCIIPC), the National Society of University Scholars (NSCS) and the Kanpur Institute of Information Technology (IIT-Kanpur).

The CEA has developed guidelines under the Central Electricity Authority (Technical Standards for Grid Connections) (Amendment) Regulations 2019, which all power sector utilities must comply with. This is the first time that cybersecurity guidelines have been developed in the field. It has established a cybersecurity assurance framework, strengthened its regulatory framework, and established mechanisms for early warning of security threats, vulnerability management, and response to security threats. It also secures remote operations and services.

The background of the guideline

India’s electricity regulator believes that cyber intrusions and cyber attacks in any critical sector are malicious. In the power industry, they aim either to compromise the power supply system or to make the grid unsafe to operate. Any such attack may result in misoperation of equipment, equipment damage, or even cascading grid outages/blackouts. The myth of an air gap between IT and OT systems is now shattered. The artificial air gap created by deploying a firewall between any IT and OT system can be bypassed by any insider or outsider through social engineering. Cyber attacks are carried out through strategies and techniques such as initial intrusion, execution, persistence, privilege escalation, defense evasion, command and control, and flight. After entering the system through privilege escalation, any cyber adversary can even remotely take over control of the IT network and the operation of the OT system. Sensitive operational data obtained through such intrusions may help adversaries and cyber attackers, state-supported or not, to design more sinister and advanced cyber-attacks.

The Indian government has established the Computer Emergency Response Team of India (CERT-In) for early warning of and response to cyber security incidents, and to collaborate at national and international levels on sharing information to mitigate cyber threats. CERT-In regularly publishes recommendations for securing computer systems and publishes extensive security guidance. It is recommended that all central government departments and state/federal territory governments regularly conduct cybersecurity audits of their entire network infrastructure (including websites) through CERT-In dedicated auditors to identify vulnerabilities in cybersecurity practices and take appropriate corrective actions. CERT-In extends support to enable responsible entities to conduct cybersecurity simulation exercises and assess their readiness to defend against cyberattacks. Responsible entities must submit cyber audit reports of cyber security controls, architecture, vulnerability management, cyber security and regular cyber security exercises to the department CERT and CERT-In. Panels should review these reports and flag any deficiencies in compliance. CERT-In also conducts regular seminars and training to raise cybersecurity awareness among all stakeholders.

To ensure cybersecurity in India’s power sector, the Ministry of Electricity of India has created 6 sector-level CERTs, namely emergency response organizations in thermal, hydro, transmission, grid operations, renewable energy and distribution agencies. Each sectoral CERT has prepared its subsector-specific Cyber Crisis Management Plan (C-CMP) model for combating cyberattacks and cyberterrorism. Each departmental CERT distributes its C-CMP model for preparing and implementing an organization-specific C-CMP.

All Responsible Entities, Service Providers, Equipment Suppliers/Producers and Consultants in the Electricity Industry have equal responsibility for ensuring the cybersecurity of India’s electricity supply system. They should act in a timely manner based on every threat intelligence, warning, and other input received from reliable sources to continuously improve their cybersecurity posture.

In the current situation in India, while many cybersecurity directives and guidelines exist, none are specific to the power sector. The Ministry of Electricity has directed the CEA to develop regulations on cybersecurity in the electricity sector. The CEA was instructed to develop and publish Guidelines on Cybersecurity for the Electricity Sector in accordance with Regulation 10 on Cybersecurity of the Central Electricity Authority (Technical Standards for Grid Connections) (Amendment) Regulations 2019.

Main purpose

The purposes of publishing the guidelines are to:

a) build cyber security awareness;

b) establish a secure cyber ecosystem;

c) establish a cyber assurance framework;

d) strengthen the regulatory framework;

e) create security threat warning, vulnerability management and security threat response mechanisms;

f) ensure the security of remote operations and services;

g) strengthen the protection and resilience of critical information infrastructure;

h) reduce cyber supply chain risks;

i) encourage the use of open standards;

j) promote cybersecurity research and development;

k) develop human resources in the field of cybersecurity;

l) develop effective public-private partnerships;

m) share information and cooperate;

n) implement the national cybersecurity policy.

Systems to which the guideline applies

The scope of systems targeted by this guide includes three parts: system operation and operational management control systems; communication systems; and auxiliary, automation and remote control technologies. Specifically:

1. System operation and operation management control system

a) grid control and management systems;

b) power plant control system;

c) central systems for monitoring and control of distributed generation and loads, such as power plants, storage management, central control rooms for hydropower plants, photovoltaic/wind power installations;

d) fault management and staff management systems;

e) metrology and measurement management systems;

f) data filing systems,

g) parameterization, configuration and programming systems;

h) supporting systems required to operate the above systems;

2. Communication system

a) routers, switches and firewalls;

b) network components related to communication technology;

c) Wireless digital systems.

d) Communication between control centres for data exchange on ICCP (IEC 61850/60850-5/TASE.2/).

3. Auxiliary, automation and remote control technology

a) control and automation components;

b) control and field equipment;

c) remote control device,

d) Programmable logic controller/remote terminal unit, including digital sensors and actuators,

e) protective devices,

f) safety components,

g) digital metering devices;

h) synchronizing devices,

i) excitation system,

Main Terms

The main content of the guide is divided into 14 articles and four appendices.

Article 1: Network Security Policy

Article 2: (Chief Information Security Officer) CISO Appointment

Article 4: Identifying Critical Information Infrastructure (CII)

Article 4: Electronic Security Boundaries

Article 5: Network Security Requirements

Article 6: Cyber Risk Assessment and Mitigation Plan

Article 7: Gradual abolition of legacy systems

Article 8: Network Security Training

Article 9: Network Supply Chain Risk Management

Article 10: Cybersecurity Incident Reporting and Response Plan

Article 11: Cyber Crisis Management Plan (C-CMP)

Article 12: Deliberately undermining the whistleblower rate

Article 13: Security and Detection of Network Assets

Article 14: Network Security Audit

The implementation of the guidelines will activate the network security application ecosystem

The specification applies to all responsible entities and system integrators, equipment manufacturers, suppliers and producers, service providers and IT hardware and software OEMs (Original Equipment Manufacturers) in the Indian electricity supply system. The guidance requires information and communication technology (ICT)-based procurement from identified “trusted sources” and “trusted products”, which must be tested for malware and hardware trojans before they can be used in power system networks. This initiative will promote research and development in cybersecurity and open the market for the establishment of network testing infrastructure in the country’s public and private sectors.

Given that the power sector is already deploying emerging technologies in its core business, cybersecurity measures need to be strengthened. In August 2021, the government approved a revised distribution sector plan to improve the operations of all distribution companies and sectors (DISCOMs) by using artificial intelligence (AI)-based solutions to facilitate supply infrastructure. With the help of AI, the government aims to analyze data generated through IT/OT equipment such as system meters, demand forecasts, time of day (ToD) rates, renewable energy (RE) integration and other predictive analytics. In addition, prepaid smart meters prepare monthly energy accounting reports generated by the system, helping DISCOMs to make informed decisions in reducing losses. Funds under the program will also be used to develop AI-driven applications. The government expects this to boost the development of start-ups in the delivery industry across the country.
