The Central Electricity Authority (CEA) has issued guidelines for cyber security in power systems, especially against the backdrop that cyber intrusion attempts and cyber-attacks in any critical sector are carried out with malicious intent. The guidelines are aimed at creating cyber security awareness, a secure cyber ecosystem and a cyber-assurance framework, strengthening the regulatory framework, and creating mechanisms for early warning of security threats, vulnerability management and response to security threats.
The guidelines also focus on securing remote operations and services, protection and resilience of critical information infrastructure, reducing cyber supply chain risks and operationalization of the National Cyber Security Policy. CEA said the guidelines were needed to further strengthen cyber security, as sensitive operational data gained through intrusions may help nation/state sponsored or non-sponsored adversaries and cyber attackers to design more sinister and advanced cyber-attacks.
In the guidelines, CEA has proposed the formulation of a Cyber Crisis Management Plan for dealing with cyber-related incidents, providing a coordinated, multi-disciplinary and broad-based approach for rapid identification, information exchange, swift response and remedial actions to mitigate and recover from malicious cyber-related incidents impacting critical processes. It has also proposed a Security Architecture, a framework and guidance for implementing and operating a system using appropriate security controls, with the goal of maintaining the system's quality attributes such as confidentiality, integrity, availability, accountability and assurance.
As the life cycle of power system equipment/systems is longer than that of the IT systems deployed therein, the Responsible Entity (RE) shall ensure that all IT technologies in the power system equipment/system have the ability to be upgraded. The RE shall ensure that the Information Security Division draws up the list of all communicable equipment/systems that are nearing end of life or are left without support from the OEM. Thereafter, the CISO shall identify the equipment/systems to be phased out from the list drawn, firm up their replacement plan and put up the replacement plan for approval before the Board of Directors. This is aimed at hardening cyber security.