| Work Detail |
The Central Electricity Authority (CEA) has released a draft version of the Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2024, following Section 177 of the Electricity Act, 2003. These draft regulations are open for public comment until 10th September 2024. Interested parties can review the draft on the CEA’s website or inspect it at the Chief Engineer (Legal) office in New Delhi during business hours.
The proposed regulations, once finalized, will come into effect six months after their publication in the Official Gazette, although certain provisions may have different commencement dates. The scope of these regulations includes all responsible entities, regional power committees, appropriate commissions, governments, and associated organizations in the power sector, including training institutes and vendors.
Definitions in the regulations cover various terms such as accreditation, asset, certification, and cyber assets. Accreditation refers to verifying an organization’s capability to conduct required tests and assessments. Certification involves third-party attestation of conformity with certain standards, while cyber assets include programmable electronic devices connected over networks.
The regulations outline the responsibilities of a Computer Security Incident Response Team (CSIRT)-Power, which includes developing a cyber security framework, responding to incidents, and coordinating with other cyber security bodies like CERT-In and NCIIPC. CSIRT-Power will also establish standard operating procedures and security policies, issue alerts, and work on improving the cyber security posture of the sector.
Entities affected by these regulations must designate a Chief Information Security Officer (CISO) who will report directly to senior management and ensure that all cyber security measures are in place. They must also have a documented Cyber Security Policy, deploy necessary security devices, conduct cyber risk assessments, and ensure that remote access to cyber assets is secured. Additionally, periodic cyber security audits and awareness programs are required.
The regulations also stipulate that entities must establish an Information Security Division (ISD) dedicated to cyber security, which will be responsible for various tasks such as implementing measures for critical infrastructure protection, reviewing policies, and conducting security assessments. The ISD must maintain a record of all IT and OT assets, implement cyber security controls, and report incidents to CSIRT-Power and other relevant bodies.
The Cyber Security Policy mandated by the regulations should include asset management processes, risk assessment and treatment plans, personnel risk assessment, vulnerability management, access control, and backup policies. It must also address data protection and privacy, including encryption and secure use of external devices.
Overall, these regulations aim to enhance the cyber security framework in the power sector, ensuring that all responsible entities adhere to stringent security measures and are prepared to handle cyber incidents effectively. |
