CERT-IN Guidelines For Cyber Security In Power Sector

Introduction

• According to regulation (10) of the Central Electricity Authority (Technical Standards for Connectivity to the grid) (Amendment) regulations, 2019, CEA is required to create guidelines on cybersecurity in the power sector.

• The CEA has created guidelines for cyber security in the power sector that incorporate the fundamental ideas.

• The CEA (Cyber Security in the Power Sector) Guidelines 2021 have been released in accordance with the provisions of the regulation for compliance by all entities listed in clause 2.3 (Applicability of the Guidelines).

Who is this Guideline Applicable To?

All Responsible Entities Who Are Engaged With Indian Power Supply:

• System Integrators
• Equipment Manufactures
• Suppliers/ Vendors
• Service Providers
• IT Hardware And Software OEMs Engaged

What principle should be followed according to CEA Guideline?

• The Entities have to follow these terms while framing cyber security policy

1. Their OT Systems are completely isolated from any IT system that is connected to the internet

2. If necessary, they may only keep one internet-facing IT system at any of their sites or locations, which is isolated from all OT zones and kept in a separate room under the security and supervision of the CISO

3. Only identifiable whitelisted devices are used to download or upload any data or information from their internet-facing IT system, and both are then scanned for vulnerabilities and malware in accordance with established SOPs. For all such activities, digital logs are kept and kept in the care of the CISO for at least six months. The log must be available for forensic analysis if the investigating agency requests it.

4. The CISO manages a list of whitelisted IP addresses for each firewall, and each firewall is set up to only permit communication with the whitelisted IP addresses.

5. In order to communicate between OT devices/systems, POWERTEL's secure channel over fiber optic cable is preferred. The communication channel's security configuration must also be guaranteed.

6. All ICT-based hardware and software used in infrastructure and systems that are required to be CII are sourced from the list of "Trusted Sources" as and when it is compiled by Mop/CEA.

• The Entities should be ISO/IEC 27001 certified.

• The Responsible Entity shall ensure that their Cyber Security Policy is reviewed annually by a subject matter expert, and changes may only be made with the Board of Directors' proper approval.

• The Cyber Security Policy must include specific information about the process of Access Management for all cyber assets that the Responsible Entity owns or controls.

• Through its Information Security Division, the Responsible Entity shall be solely responsible for implementing the Cyber Security Policy (ISD).

• If a company is unable to adhere to any of the Cyber Security Policy's provisions, the CISO must document the reason(s) for the necessary exemption, if any. Any exceptions must be approved by compensatory control provisions to reduce any remaining cyber security risks before being granted.

• While obtaining ISO 27001 certification, the CISO must record the exemptions requested in the statement of applicability controls. All exemptions must comply with the Responsible Entity's cyber security policy, as well as the justification for them.

• The Cyber Security Policy will make use of cutting-edge cyber security technologies and pertinent procedures at various layers to reduce the risks associated with cyber security.

• To encourage R&D in the field of cyber security, the Responsible Entity shall collaborate with other industry stakeholders as well as academic institutions. Every three months, the Entity responsible must make sure that board meetings include a discussion of cyber security issues.

Why do you need to Implement these Guidelines?

• The Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019's Section 3(10) on Cyber Security requires all utilities in the power sector to abide by a set of guidelines for cyber security in order to create a secure online environment.

• This is the first-time a thorough guideline on cyber security in the power sector has been developed.

• In order to increase the level of cyber security preparedness for the power sector, the guideline lays out the necessary actions for preparedness across various utilities.

What is the goal of the CEA Guideline?

• The goal of the Guidelines is to establish a secure online environment.

• It establishes a framework for cyber assurance, fortifies the legal framework, implements mechanisms for security threat early warning, vulnerability management, and response to security threats, secures remote operations and services.

• safeguards critical information infrastructure, lowers supply chain risks, promotes the use of open standards, and fosters the development of domestic human resources.

Are these Guidelines Mandatory?

• These guidelines emphasize the establishment of cyber hygiene, the training of all IT and OT Personnel on cyber security, the designating of Cyber Security Training Institutes as well as Cyber Testing labs in the Country, and they are mandatory requirements that must be met by all stakeholders.

• When a system for trusted product and service is in place, the Guideline requires ICT-based procurement from identified "Trusted Sources" and identified "Trusted Products," or else the product must be tested for malware/hardware Trojans before being deployed for use in power supply system networks.

• It will encourage cyber security research and development and open up the market for the establishment of cyber testing infrastructure in the public and private sectors of the nation.

How can CyberNX Help you in these Guideline?

To be a part of these guidelines,

• Having ISO27001 Certification indicates that your organization is following all the practices to secure and classify data.

• You need to have a Security Operation Center for Pro-Active Monitoring of your Data and your systems.

• Vulnerability Assessment and Penetration Testing to audit into your Infrastructure to prevent any kind of threats, cyber-attacks and Vulnerability.

Don't wait for a cyber-attack to happen. Protect your power sector organization now with CyberNx's comprehensive cyber security solutions. Contact us today to schedule a free consultation and learn how we can help you comply with CERT-IN guidelines for cyber security.

Table Of Content

• Introduction
• Who Is This Guideline Applicable To?
• What Principle Should Be Followed According To CEA Guideline?
• Why Do You Need To Implement These Guidelines?
• What Is The Goal Of The CEA Guideline?
• Are These Guidelines Mandatory?
• How Can CyberNX Help You In These Guideline?

Introduction

• According to regulation (10) of the Central Electricity Authority (Technical Standards for Connectivity to the grid) (Amendment) regulations, 2019, CEA is required to create guidelines on cybersecurity in the power sector.

• The CEA has created guidelines for cyber security in the power sector that incorporate the fundamental ideas.

• The CEA (Cyber Security in the Power Sector) Guidelines 2021 have been released in accordance with the provisions of the regulation for compliance by all entities listed in clause 2.3 (Applicability of the Guidelines).

Who is this Guideline Applicable To?

All Responsible Entities Who Are Engaged With Indian Power Supply:

• System Integrators
• Equipment Manufactures
• Suppliers/ Vendors
• Service Providers
• IT Hardware And Software OEMs Engaged

What principle should be followed according to CEA Guideline?

• The Entities have to follow these terms while framing cyber security policy

1. Their OT Systems are completely isolated from any IT system that is connected to the internet

2. If necessary, they may only keep one internet-facing IT system at any of their sites or locations, which is isolated from all OT zones and kept in a separate room under the security and supervision of the CISO

3. Only identifiable whitelisted devices are used to download or upload any data or information from their internet-facing IT system, and both are then scanned for vulnerabilities and malware in accordance with established SOPs. For all such activities, digital logs are kept and kept in the care of the CISO for at least six months. The log must be available for forensic analysis if the investigating agency requests it.

4. The CISO manages a list of whitelisted IP addresses for each firewall, and each firewall is set up to only permit communication with the whitelisted IP addresses.

5. In order to communicate between OT devices/systems, POWERTEL's secure channel over fiber optic cable is preferred. The communication channel's security configuration must also be guaranteed.

6. All ICT-based hardware and software used in infrastructure and systems that are required to be CII are sourced from the list of "Trusted Sources" as and when it is compiled by Mop/CEA.

• The Entities should be ISO/IEC 27001 certified.

• The Responsible Entity shall ensure that their Cyber Security Policy is reviewed annually by a subject matter expert, and changes may only be made with the Board of Directors' proper approval.

• The Cyber Security Policy must include specific information about the process of Access Management for all cyber assets that the Responsible Entity owns or controls.

• Through its Information Security Division, the Responsible Entity shall be solely responsible for implementing the Cyber Security Policy (ISD).

• If a company is unable to adhere to any of the Cyber Security Policy's provisions, the CISO must document the reason(s) for the necessary exemption, if any. Any exceptions must be approved by compensatory control provisions to reduce any remaining cyber security risks before being granted.

• While obtaining ISO 27001 certification, the CISO must record the exemptions requested in the statement of applicability controls. All exemptions must comply with the Responsible Entity's cyber security policy, as well as the justification for them.

• The Cyber Security Policy will make use of cutting-edge cyber security technologies and pertinent procedures at various layers to reduce the risks associated with cyber security.

• To encourage R&D in the field of cyber security, the Responsible Entity shall collaborate with other industry stakeholders as well as academic institutions. Every three months, the Entity responsible must make sure that board meetings include a discussion of cyber security issues.

Why do you need to Implement these Guidelines?

• The Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019's Section 3(10) on Cyber Security requires all utilities in the power sector to abide by a set of guidelines for cyber security in order to create a secure online environment.

• This is the first-time a thorough guideline on cyber security in the power sector has been developed.

• In order to increase the level of cyber security preparedness for the power sector, the guideline lays out the necessary actions for preparedness across various utilities.

What is the goal of the CEA Guideline?

• The goal of the Guidelines is to establish a secure online environment.

• It establishes a framework for cyber assurance, fortifies the legal framework, implements mechanisms for security threat early warning, vulnerability management, and response to security threats, secures remote operations and services.

• safeguards critical information infrastructure, lowers supply chain risks, promotes the use of open standards, and fosters the development of domestic human resources.

Are these Guidelines Mandatory?

• These guidelines emphasize the establishment of cyber hygiene, the training of all IT and OT Personnel on cyber security, the designating of Cyber Security Training Institutes as well as Cyber Testing labs in the Country, and they are mandatory requirements that must be met by all stakeholders.

• When a system for trusted product and service is in place, the Guideline requires ICT-based procurement from identified "Trusted Sources" and identified "Trusted Products," or else the product must be tested for malware/hardware Trojans before being deployed for use in power supply system networks.

• It will encourage cyber security research and development and open up the market for the establishment of cyber testing infrastructure in the public and private sectors of the nation.

How can CyberNX Help you in these Guideline?

To be a part of these guidelines,

• Having ISO27001 Certification indicates that your organization is following all the practices to secure and classify data.

• You need to have a Security Operation Center for Pro-Active Monitoring of your Data and your systems.

• Vulnerability Assessment and Penetration Testing to audit into your Infrastructure to prevent any kind of threats, cyber-attacks and Vulnerability.

Don't wait for a cyber-attack to happen. Protect your power sector organization now with CyberNx's comprehensive cyber security solutions. Contact us today to schedule a free consultation and learn how we can help you comply with CERT-IN guidelines for cyber security.