The guest post* is authored by Rupal Panganti, Legal Counsel, Copenhagen Infrastructure Service Co. and assisted by Amishi Jain, Junior Editor, RFMLR

1. INTRODUCTION

Power sector is the backbone of modern infrastructure, supporting everything from healthcare to transportation. As the sector evolves to smarter grids and automated systems, it has become increasingly dependent on digital technologies. Power grids rely on complex control systems, such as a blend of information technology (IT) with operational technology (OT) and Supervisory Control and Data Acquisition (SCADA), for real-time operation. Progressive and efficient as it may be, unfortunately, any technology is exposed to vulnerabilities. Technologies used in these critical systems are a frequent target for cyberattacks. The attackers leverage various methods, such as malicious activities, malware, and viruses, to breach networks, tamper with data, and disrupt the power flow in the transmission system. This can result in large-scale blackouts, damage to equipment or significant disturbances in the power grid. In this light, cybersecurity has become the need of the hour.

The Information Technology Act, 2000 defines the term “cybersecurity” as protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. To manage these risks, the Government of India has established the Indian Computer Emergency Response Team (CERT-IN) for early warning, response and mitigation of cybersecurity threats. Specifically for power sector, the Ministry of Power (MOP) has created six sectoral CERTs: (i) Thermal; (ii) Hydro; (iii) Transmission; (iv) Grid Operation; (v) Renewable Energy; and (vi) Distribution.

In addition to above, the MOP has directed the Central Electricity Authority (CEA) to draft cybersecurity regulations for Indian power sector. While the draft regulations are in place and are soon to come into force, the players in the Indian power sector including transmission utilities, load dispatch centres, generation utilities, distribution utilities, generation aggregators, trading exchanges, regional power committees and regulatory commissions (collectively referred to as the “Responsible Entities”) are required to follow the CEA (Cyber Security in Power Sector) Guidelines, 2021 in the interim. This article provides for a critical analysis of the draft Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2024 (“Cybersecurity Regulations”).  

2. OVERVIEW OF THE CYBERSECURITY REGULATIONS

In August 2024, the CEA, under Section 177 of the Electricity Act 2003, notified the Cybersecurity Regulations. The Cybersecurity Regulations will be applicable to the responsible entities, regional power committees, appropriate commissions, appropriate government and associated power sector government organisations, government recognised training institutes and vendors. The Cybersecurity Regulations are designed to establish a comprehensive framework for prevention, reporting, and mitigation of cyberattacks. This framework includes, but is not limited to, the following key components:

(a)   Governance and Security Framework:

●       The Responsible Entities are required to appoint a Chief Information Security Officer (CISO) and a designated alternate CISO to lead cybersecurity efforts. 

●       An Information Security Division (ISD) to be established headed by the CISO to ensure policy implementation, compliance monitoring, and regular cybersecurity audits.

(b)  Technical Measures:

●       Advanced security technologies, such as intrusion detection/prevention systems (IDS/IPS), firewalls, and encryption protocols, are mandated to strengthen digital defences.

●       Adhering to international standards mentioned under ISO/IEC 27001 and IEC 62443 and conduct regular audits and vulnerability assessments.,

(c)   Incident Management:

●       Entities must develop and maintain a Cyber Crisis Management Plan (CCMP) to effectively handle cybersecurity incidents.

●       Cyber incidents must be reported promptly to CERT-In, CSIRT-Power, and NCIIPC, within specified timelines.

(d)  Supply Chain Security:

●       The introduction of a Trusted Vendor System that ensures all ICT components and services used in the power sector are sourced from secured and verified providers.

(e)   Enforcement and Penalties:

●       Compliance enforced through a combination of self-audits, third-party assessments, and continuous monitoring.

●       Non-compliance may lead to penalties under Section 146 of the Electricity Act, 2003and legal actions under the Information Technology Act, 2000.

3. CYBERSECURITY – WHAT IS THE WORLD DOING ABOUT IT?

Global efforts to enhance cybersecurity in the power sector are driven by widely adopted international standards and frameworks designed to protect critical infrastructure. These guidelines focus on mitigating risks, ensuring resilience, and adapting to evolving cyber threats targeting the electricity grid.

International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC) standards form the foundation for robust cybersecurity in the energy sector. ISO 27001 establishes a systematic framework for implementing an Information Security Management System (ISMS), enabling organizations to secure sensitive information effectively. ISO 27019 expands this framework to address the specific needs of energy utilities, particularly for operational technology (OT) and SCADA systems. Meanwhile, IEC 62351 focuses on securing communication protocols within power systems, such as those used in substations. IEC 62443 targets vulnerabilities in industrial automation and control systems, ensuring protection against cyber threats.

In North America, the NERC Critical Infrastructure Protection (CIP) standards are mandatory for bulk power systems. These standards address asset identification, access controls, incident response, and supply chain risk management to ensure the operational security of electric utilities. Similarly, in the U.S, NISTIR 7628 offers comprehensive guidelines for securing smart grids, emphasizing risk management and advanced threat modelling techniques.

Europe has strengthened its cybersecurity framework through  NIS2 Directive, which mandates rigorous risk assessments, incident reporting, and supply chain security for essential energy operators. IEEE standards complement these efforts globally by embedding cybersecurity capabilities in devices and systems, such as intelligent electronic devices (IEDs) and substation automation.

Collectively, these frameworks reflect a global consensus on the need for proactive cybersecurity practices to safeguard power infrastructure, ensuring reliability, operational integrity, and resilience against sophisticated threats.

4. WHAT CAN WE DO BETTER IN INDIA?

   
   

India has adopted various aforementioned international standards to come up with robust cybersecurity framework by way of the Cybersecurity Regulations.  However, there are key areas where the regulations could be improved for clarity, effectiveness, and align with international best practices.

(a)   Qualifications of Information Security Division:

While Schedule I specifies the minimum staffing requirements for the Information Security Division (ISD), the regulations could benefit from further clarity on role-specific qualifications and expertise. The ISD is mandated to have a minimum of four officers, including the CISO, with additional officials for operational tasks like audits, mock drills, and compliance monitoring. However, expanding the guidelines to specify qualifications in areas of incident response, cyber risk management, and security architecture would ensure the CISO is supported by a highly skilled and well-rounded team, particularly in larger, more complex organizations.

(b)  Centralised Reporting

There is a pressing need for a centralized body to coordinate cybersecurity issues in the power sector. Currently, multiple entities such as CERT-In, CERT-Power, the CISO of the Ministry of Power (CISO-MoP), and NCIIPC oversee different aspects of cybersecurity, leading to potential overlaps and inefficiencies. Establishing a unified, central body with clear jurisdiction would streamline coordination, eliminate redundancy, and ensure a cohesive response to incidents.

(c)   Penalties

The Cybersecurity Regulations refer to penalties under the Information Technology Act, 2000, and the Electricity Act, 2003, without detailing the corresponding offences. This lack of clarity could lead to overlapping enforcement or gaps in accountability. It would be more effective to define penalties within the Cybersecurity Regulations, tailored to specific violations, to avoid ambiguity. The essentiality of definition is further underscored while discussing non-compliance of security standards so that clear demarcations, regarding network segmentation and encryption standards, can be drawn. While penalising for breach of cyber security, it becomes essential to define cyber security in terms of the power sector with respect to the Electricity Act, 2007. This will assist in better jurisdictional governance when sector specific systems, such as the SCADA system, are narrowed down under a more pin-pointed definition.

(d)  Supply Chain Security

The Cybersecurity Regulations could strengthen its provisions by explicitly addressing supply chain risks, especially for imported IT and OT components. While the Trusted Vendor System is a step in the right direction, it could include stricter compliance framework for foreign vendors and periodic audits of supply chain security similar to Supply Chain Cybersecurity Principles of the U.S. Department of Energy.

(e)   Periodic Review

The Cybersecurity Regulations should mandate regular reviews and updates to adapt the evolving cyber threats. A periodic review mechanism, for instance an annual review, would ensure the regulations remain relevant and robust. Incorporating these changes would make the regulations more actionable and aligned with global standards, ensuring enhanced resilience in India’s critical power infrastructure.

5. CONCLUSION

   
   

India is moving towards a future driven by smart grids and advanced automation, which are essential for efficiently meeting the country’s growing energy demands. The introduction of the Cybersecurity Regulations is a positive step, providing a solid foundation to address the challenges of cybersecurity. However, effective implementation of these regulations will require significant effort and a skilled workforce. As India transitions to smarter energy solutions, robust cybersecurity measures will be crucial to ensuring uninterrupted progress and supporting the nation's continued development.

Clearer guidelines on qualifications for ISD, establishment of centralized reporting bodies, penalty structures, periodic reviews are some measures to strengthen a framework that has scope for improvement. International standards and practices provide a proactive structure for the Indian framework, in an era of high vulnerability to cybercrimes. It becomes imperative to strengthen the security of critical infrastructures, such as power sector.

*The views expressed by the author are personal and not linked to her affiliation.