New Cybersecurity Guidelines for Indian Power Sector
CEA Document Details CISO Appointments, Responsibilities for Cyber Resilience
Following recent targeted cyberattacks against power supply systems, and in light of the cyber risks created by IT-OT convergence, India's Central Electricity Authority, or CEA, has issued cybersecurity guidelines for organizations in the power sector. The guidelines also apply to related entities, including system integrators, suppliers and vendors, and hardware and software original equipment manufacturers.
The guidelines outlined in the Cyber Security in Power Sector Guidelines 2021 report aim to secure OT systems, create a cyber assurance framework, strengthen cyber risk assessment, improve incident response and reporting, cut cyber supply chain risks and boost cybersecurity skills and competencies, according to the CEA report.
The guidelines mandate that all power companies appoint a dedicated CISO and an alternate CISO to ensure adherence to cybersecurity directives, such as incident response and management, as well as to upgrade IT infrastructure.
The CISO must also report all identified sabotage attempts to the National Critical Information Infrastructure Protection Center, or NCIIPC, within 24 hours of occurrence, the CEA says, adding that failure to do so would hold the executive liable.
Organizations in the sector must retain digital forensics records of the affected cyber assets, all logs from the organization's intrusion detection and protection systems, and security information and event management, or SIEM, data for at least 90 days following the incident, the guidelines note.
The Ministry of Power has appointed sectoral Computer Emergency Response Teams, or CERTs, for thermal, hydro, transmission and grid operations. "Responsible entities," such as trading exchanges, regulatory commissions and regional power committees, must conduct mock drills and create a sector-specific cyber crisis management plan to counter cyberattacks and cyber terrorism, the report says.
Additionally, power sector organizations and the responsible entities described above are required to allocate funds to strengthen cybersecurity posture, with an unspecified increase in the budget every year. The responsible entities must also include cybersecurity as a topic of discussion in their board meeting agenda at least once in three months, according to the guidelines.
According to the guidelines, all security leaders must meet qualification specifications prescribed by the Quality Council of India, which is a nonprofit autonomous society run by the Department of Promotion of Industry and Internal Trade to establish an accreditation structure in the country. Alternate CISOs are required to acquire cybersecurity skill sets, which were not defined in the CEA document, within six months from the date of appointment.
Companies are mandated to "regularly" update their respective sectoral CERTs on who their current CISO and alternate CISOs are, and include the information on CEA's ISAC-Power portal.
The companies, as well as responsible entities, must have an information security division, or ISD, headed by the CISO, that is "functional at all times," the guidelines note. Organizations must ensure that the ISDs take timely actions based on the advisories, guidelines and directives issued by the NCIIPC; Cyber Swachhta Kendra, or CSK; and CERT-In, as well as sectoral CERTs, they add.
According to the new guidelines, CISOs must ensure that their organizations have a board-approved cybersecurity policy and a cyber risk assessment and mitigation plan for both IT and OT systems. A review of the risk assessment plan should be conducted at least once every three months, they say.
According to the CEA's cybersecurity guidelines, power sector companies and responsible entities must be ISO/IEC 27001 certified and have a cybersecurity policy based on the guidelines issued by the NCIIPC that will be reviewed annually by a subject matter expert.
Root-cause analysis must be carried out and corrective action must be taken as per the organization's board-approved incident response plan for all cybersecurity incidents that fall under CERT-In's reportable events, the guidelines say. The organization CISO is also required to test the efficacy of the incident response plan through mock drills; share all incident detection, handling and learnings with CERT-In; and update the same on the ISAC-Power portal.
The new set of guidelines appoints the CISO as the custodian of the organization's cyber crisis management plan, risk treatment plan, statement of applicability of controls, and compliance with the regulator's requirements.
The guidelines mandate that power companies and other responsible entities ensure "hard isolation of OT systems from any internet facing IT system." The companies are allowed to have only one internet-connected IT system per site, which must be separated from the OT environment, under the control of their CISOs.
Organizations are also required to maintain an electronic security perimeter to protect all critical assets. A vulnerability assessment of each access point must be carried out at least once in six months, the guidelines add.
CISOs are required to identify equipment that is nearing end-of-life or that is no longer supported by OEMs, and present a replacement plan to their respective company boards for approval.
Data may be downloaded and uploaded only through identifiable whitelisted devices, which should be equipped with vulnerability and malware detection measures, the guidelines say. Digital logs must be maintained and retained under the custody of CISOs for at least six months, along with a list of whitelisted IP addresses for each firewall.
Communication among OT systems can only be done via secure channels, preferably POWERTEL, the telecom division of the power transmission utility, through fiber optic cables, the guidelines note.
All information and communication tools, or ICTs, should be sourced through trusted sources specified by the Central Electricity Authority, they add.
CISOs of organizations must also deploy intrusion detection and prevention systems to identify behavioral anomalies in IT and OT systems, they say.
Software and firmware updates must be carried out using validated OEM patches, and CISOs must maintain firewall logs for six months and analyze all critical and high-severity incidents, according to the guidelines.
CISOs are required to maintain all documents pertaining to factory acceptance tests and site acceptance tests, which must also include comprehensive cybersecurity tests of all components, equipment and systems at the organization.
Attacks in the Sector
The guidelines follow several targeted attacks in the sector in the recent past.
In March 2021, IT systems of power generation and distribution units in the states of Maharashtra, Assam, Delhi and Tamil Nadu were reportedly targeted by a China-based hacker group.
In July, Mint reported that the Power System Operation Corp., or POSOCO, said that the national load dispatch center, five regional load dispatch centers and 34 state load dispatch centers reported at least 30 cybersecurity events every day.
The same month, India Today reported that U.S.-based threat intelligence firm Black Lotus Labs said Pakistan-based hackers were using a new malware to target power companies.