CEA’s guidelines for cyber security in power systems
The Central Electricity Authority (CEA) has issued guidelines for Cyber Security in power systems especially against the backdrop of cyber intrusion attempts and cyber-attacks in any critical sector are carried out with malicious intent. The guidelines are aimed at creating cyber security awareness, a secure cyber ecosystem and creating a cyber-assurance framework, strengthening the regulatory framework and creating mechanisms for security threat, early warning, vulnerability management and response to security threats.
Further, it also focuses on securing remote operations and services, protection and resilience of critical information infrastructure, reducing cyber supply chain risks and operationalisation of the National Cyber Security Policy. CEA said the guidelines were needed to further strengthen cyber security as the gain of sensitive operational data through intrusions may help the Nation/State-sponsored or non-sponsored adversaries and cyber attackers to design more sinister and advanced cyber-attacks.
CEA in the guidelines has proposed a formulation of a Cyber Crisis Management Plan for dealing with cyberrelated incidents for a coordinated, multi-disciplinary and broad-based approach for rapid identification, information exchange, swift response and remedial actions to mitigate and recover from malicious cyber-related incidents impacting critical processes. It has also proposed Security Architecture which is a framework and guidance to implement and operate a system using the appropriate security controls with the goal to maintain the system's quality attributes like confidentiality, integrity, availability, accountability and assurance.
As the life cycle of the power system equipment/system is longer than that of IT systems, the responsible entity (RE) shall ensure that all IT technologies in the power system equipment/system should have the ability to be upgraded. The RE shall ensure that the Information Security Division shall draw the list of all communicable equipment/systems nearing end life or are left without support from Original Equipment Manufacturer (OEM).