In News
- Recently, the Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019 has framed Guidelines on Cyber Security in Power Sector to be adhered by all Power Sector utilities.
Background
- October 2020:
- Mumbai faced major power outages that brought key services to a halt.
- A US cybersecurity firm had said the failure was due to a cyberattack by Red Echo, a hacker group allegedly affiliated with the Chinese government.
About Guidelines
- The guideline lays down actions required to ramp up security measures across various utilities to raise preparedness in the power sector.
- This is the first time that a comprehensive guideline has been formulated on cyber security in the power sector.
- Inputs from Various Agencies: The government has said it has drafted the guidelines after taking inputs from cybersecurity agencies like CERT-In, NCIIPC, NSCS, IIT Kanpur.
- Application:
- The cybersecurity guidelines will apply to all “responsible entities” including-
- power generation utilities,
- distribution utilities,
- transmission companies and
- load dispatch centres among others.
- The guidelines are also applicable to system integrators, equipment makers, vendors, service providers, IT hardware and software OEMs engaged in power supply systems.
- The cybersecurity guidelines will apply to all “responsible entities” including-
- Chief Information Security Officer (CISO):
- Some of the key requirements include the appointment of a Chief Information Security Officer (CISO) at each “responsible entity”.
- Setting up of an Information Security Division headed by the CISO.
- Procedure to Identify: The entities will also be required to incorporate a procedure for identifying and reporting of any disturbances suspected or confirmed to be caused by sabotage and submit the report to the sectoral Computer Emergency Response Team (CERT) and the Indian CERT within 24 hours.
- The guidelines mandates ICT (Information and Communication Technology)-based procurement from identified “Trusted Sources” and identified “Trusted Products”.
- In case the procurement is not from a trusted source, the product needs to be tested for Malware/Hardware Trojan before deployment for use in power supply systems.
Significance
- The guidelines for cybersecurity in the power sector will help to create a secure power cyber ecosystem.
- The guidelines will place mechanisms for security threat early warning, strengthen the protection and resilience of critical information infrastructure, and reduce cyber supply chain risks.
- The rules will help promote cybersecurity research and development, and create a market for cyber testing infrastructure in both public and private sectors in the country.
- It will promote research and development in cybersecurity and open up the market for setting up cyber testing infra in public as well as private sectors in the country.
Cyber Security – Vulnerabilities
- Operational Security: IoT basis services require continuity and high availability.
- Privacy: Valuable data required protection.
- Software Patching: Many IoT devices like human users who can install security updates.
- Identity of Things: In the absence of universal standards, its implementation requires a unique approach to manage authentication in access.
Future Technology To Be Designed with Security
- Smart: Security innovation must deliver more capable solutions to keep pace with threats.
- Open: Platforms and security standards must be open to promote collaboration and accelerate adoption.
- Trusted: Technology and security providers must be trustworthy in the creation and operation of their products.
- Strong: Products and services must be hardened to resist compromise and make security transparent to users.
- Ubiquitous: Security must protect data wherever it exists or is used, for all parties and devices across the computer landscape.
Image Courtesy: niti.gov
Conclusion
- The ministry of power noted that these norms must be met by all stakeholders to maintain cyber hygiene.
- The guidelines are a precursor to cybersecurity regulations that the Central Electricity Authority (CEA) is working on.
Source: IE
