The Central Electricity Authority (CEA), Ministry of Power, Government of India, has recently released a set of comprehensive guidelines for cyber security in the power sector. The guidelines, prepared in consultation with and under the guidance of experts from the National Critical Information Infrastructure Protection Centre (NCIIPC), the Indian Computer Emergency Response Team (CERT-In), IIT Kanpur and the Ministry of Power, Government of India, aim to create an entire ecosystem of cybersecurity preparedness and to strengthen the security mechanisms implemented by all the stakeholders involved today and in the future. The guidelines, framed under the provision of Section 3(10) on Cyber Security in the “Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019”, are accessible through the portal of the Press Information Bureau or through the website of the Central Electricity Authority. This blog walks through the reasons behind these guidelines, a few of the measures they put in place, and the stakeholders to which they apply.
Rationale for Guidelines
Gone are the times when Information Technology and Operational Technology operated in separate worlds. The critical infrastructure supporting the exponentially growing demand for water, sanitation services and electricity has to rely on modern technology to make its operations more efficient and capable of handling much bigger machinery at a much larger scale. This requires solutions such as optimised, purpose-built software, communication networks, and efficient data storage and processing. However, these technologies also bring challenges: enabling communication systems and network connectivity for operations can mean that the systems are connected to the Internet, which in turn opens them up to compromise of the systems themselves, compromise of the data held on them, and disabling of critical monitoring sensors and alarms.
A similar situation was observed this year when Mumbai faced power outages and the Mumbai Cyber Cell reported that they were caused by ‘sabotage’ and a cyber-attack by another country. It is therefore necessary to have guidelines and systems in place which ensure that such threats and vulnerabilities are eliminated, that people are adequately trained and equipped to handle high-risk situations, that the systems keep running smoothly, and that, if any sabotage does occur, proper policies exist to handle the situation, contain the problem and make sure it does not happen again.
The new guidelines aim to do exactly this and bring in several requirements and compliance standards, a few of which are given below:
- Unless otherwise specified in the guidelines, they will apply to all the Responsible Entities, which means all the following entities present in the power sector:
  - a) Transmission Utilities as well as Transmission Licensees,
  - b) Load Despatch Centres (State, Regional and National),
  - c) Generation Utilities (Hydro, Thermal, Nuclear, RE),
  - d) Distribution Utilities,
  - e) Generation Aggregators,
  - f) Trading Exchanges,
  - g) Regional Power Committees, and
  - h) Regulatory Commissions.
- For all Operational Technology systems, the guidelines lay down that they shall always remain disconnected from the Internet. In a scenario where the Internet is required, a separate device will be used which is isolated from all other devices and from the network. These Operational Technology systems include:
  - a) Grid Control and Management Systems,
  - b) Power Plant Control Systems,
  - c) Central Systems used to monitor and control distributed generation and loads, e.g. virtual power plants, storage management, central control rooms for hydroelectric plants, photovoltaic/wind power installations,
  - d) Systems for fault management and workforce management,
  - e) Metering and measurement management systems,
  - f) Data archiving systems,
  - g) Parameterisation, configuration and programming systems,
  - h) Supporting systems required for the operation of the above-mentioned systems.
- All the Responsible Entities shall be certified against relevant international standards such as ISO 27001 and ISO 27019. This means proper roles defined for top-level management, clearly drawn-up risk assessment and treatment plans and criteria, and identification of all critical business processes and all relevant assets along with their vulnerabilities, etc.
- All the Responsible Entities will need to define an Electronic Security Perimeter (ESP) as per IEC 62443, and all the assets communicating outside this perimeter need to be identified and reported to NCIIPC. The Responsible Entities must also conduct a ‘cyber-vulnerability assessment’ of all the access points to this perimeter every 6 months or after any major system architecture update.
- All Responsible Entities must also establish an Information Security Division (ISD) with enough trained personnel to keep the division operational 24x7x365.
- All the Responsible Entities must act in a timely manner on guidance issued by NCIIPC, CERT-In and other relevant authorities.
- All software and firmware used in any device must be kept updated to the latest versions and security patches at all times.
- Internal and external audits need to be conducted at all relevant times.
- Proper risk assessment plans, crisis management plans and mitigation plans need to be ready and kept updated at all times.
- Training of relevant personnel and asset managers needs to be conducted annually or at relevant times. This could include training towards certification of personnel under ISO 27001, 27002, 27019, IS 16335, etc.
- A clear policy is required to be formulated and implemented with regard to supply chain risk management. This policy shall also be reflected in all future bids and service and licensing agreements.
- As per the guidelines, sabotage is defined as a forced intrusion into an unmanned or manned facility and taking control of the operation of a critical system through a communicating device. All Responsible Entities are required to have a clear policy for the identification and reporting of any such sabotage. A report of any identified sabotage must be provided within 24 hours of the incident, and non-compliance with this requirement or with the procedure laid down can make the CISO (Chief Information Security Officer) liable for the incident.
- All the relevant policies, plans, logs and audit reports also need to be shared with the relevant authorities within the prescribed time periods.
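Three of the requirements above (OT systems off the Internet, ESP access points reassessed every 6 months or after an architecture change, sabotage reported within 24 hours) are concrete enough to check mechanically. The following is an added example, not code from the guidelines or the CEA, that runs those three checks over a constructed asset inventory and incident list; the 182-day approximation of "6 months" and all asset names and dates are assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory: each asset records whether it is an OT system, whether it
# has an Internet route, whether it is an ESP access point, and two dates used by the
# reassessment rule. All values are made up for the example.
ASSETS = [
    {"name": "scada-hmi-01", "ot": True, "internet_reachable": False,
     "esp_access_point": True, "last_assessment": "2024-01-10", "arch_changed": "2023-12-01"},
    {"name": "plant-historian", "ot": True, "internet_reachable": True,
     "esp_access_point": False, "last_assessment": "2024-03-01", "arch_changed": "2023-11-15"},
    {"name": "vpn-gw-ot", "ot": False, "internet_reachable": True,
     "esp_access_point": True, "last_assessment": "2023-09-30", "arch_changed": "2024-04-20"},
]

# Constructed sabotage incidents: when the ISD detected them and when they were reported.
INCIDENTS = [
    {"id": "INC-1", "detected": "2024-05-01T02:00", "reported": "2024-05-01T20:00"},
    {"id": "INC-2", "detected": "2024-05-03T09:00", "reported": "2024-05-05T09:30"},
]

ASSESSMENT_INTERVAL = timedelta(days=182)  # assumed approximation of "every 6 months"
REPORT_DEADLINE = timedelta(hours=24)      # sabotage must be reported within 24 hours


def ot_internet_findings(assets):
    """OT systems must stay disconnected from the Internet: flag any that are not."""
    return [a["name"] for a in assets if a["ot"] and a["internet_reachable"]]


def overdue_assessments(assets, today):
    """ESP access points are overdue if the last assessment is older than the interval
    or if the architecture changed after the last assessment."""
    overdue = []
    for a in assets:
        if not a["esp_access_point"]:
            continue
        last = datetime.fromisoformat(a["last_assessment"])
        changed = datetime.fromisoformat(a["arch_changed"])
        if today - last > ASSESSMENT_INTERVAL or changed > last:
            overdue.append(a["name"])
    return overdue


def late_sabotage_reports(incidents):
    """Incidents reported more than 24 hours after detection breach the guideline."""
    return [i["id"] for i in incidents
            if datetime.fromisoformat(i["reported"]) - datetime.fromisoformat(i["detected"])
            > REPORT_DEADLINE]
```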
Besides these procedures and requirements, the guidelines also lay down a comprehensive system and procedure for cyber-security testing of all the relevant components and equipment, and for maintaining a log/report of all these tests. It will be the responsibility of the ISD to maintain the logs and reports of these tests. The complete procedure and requirements are laid down in Annexure A of the Guidelines (Cyber Security Guidelines for the Power Sector), which specifically covers FAT (Factory Acceptance Test) and SAT (Site Acceptance Test) and the international standard to be followed in conducting the testing.
This blog only presents a few highlights and an overview of the extensive and comprehensive guidelines and does not act as a guide for the implementation of any cyber security practices. The relevant entities need to deploy specific personnel and resources, and employ relevant people, as well as comply with the same.