CYBERSECURITY THREATS FOR THE POWER SECTOR - PART 2



“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” - Richard Clarke, Former United States top advisor on Cybersecurity.


INTRODUCTION


Electricity consumption is an important measure of a nation's development. The entire nation's transport, communications, fuel, and government services depend on electricity supply. Hence power systems are extremely vital for the nation.


The power sector is critical infrastructure, and a shutdown caused by a cyber-attack could severely disrupt business operations. It could lead to suspension of operations and cause huge financial losses for every minute lost to a power failure. Hence it is necessary to secure power systems and insulate them from cyber-attacks. The Central Electricity Authority (CEA) of India, recognizing the need to secure the nation's power sector, issued a set of cyber security guidelines in 2021.


KEY OBJECTIVES FOR ISSUING THE GUIDELINES:

  1. Creating cyber security awareness

  2. Strengthening the regulatory framework

  3. Protection and resilience of critical information infrastructure

  4. Reducing cyber supply chain risks

  5. Information sharing and co-operation

Within the text of this article, 'Responsible Entity' will mean all the stakeholders.


Applicability


The guidelines apply to all responsible entities as well as system integrators, equipment manufacturers, suppliers/vendors, service providers, and IT hardware and software Original Equipment Manufacturers (OEMs) engaged in the Indian power system.


We covered 6 articles issued by the government in our last blog and the remaining 8 articles are being covered today. Read our last blog here.


Highlights


ARTICLE 7: Phasing out Legacy System

All IT technologies in the power system should have the ability to be upgraded. The Information Security Division will draw up a list of communicable systems entering their end of life, and the CISO (Chief Information Security Officer) will identify equipment to be phased out. Until the replacement is completed, cyber security measures are to be hardened. Replacement plans need to be approved by the Board of Directors. Devices entering their end-of-life period will be phased out.


ARTICLE 8: Cyber Security training

The responsible entity shall ensure that all employees having authorized cyber or authorized physical access to their critical systems undergo cyber security training. The responsible entity should document, establish, and maintain an annual cyber security training program. All personnel should undergo a cyber security program at a training institute approved by CEA.


ARTICLE 9: Cyber Supply Chain Risk management

As and when the ministry notifies the model contractual clauses on cybersecurity, these clauses are to be included in every bid to procure Information and Communications Technology (ICT)-based components to be used for power systems.


ARTICLE 10: Response Plan to incidents

The CISO of the responsible entity will ensure that every cyber security incident is monitored by the ISD (Information Security Division). Incidents in both IT (Information Technology) and OT (Operational Technology) are recorded.


ARTICLE 11: Cyber Crisis Management Plan

A cyber crisis management plan should be prepared and submitted to the sectoral-CERT (Computer Emergency Response Team) for review, with intimation to the Ministry of Power. Comments by the sectoral-CERT should be used in updating the management plan, which is then submitted to CERT-In (Indian Computer Emergency Response Team). Comments by CERT-In should be included before seeking the approval of the Board of Directors. The plan is to be reviewed annually, with any changes duly approved by the Board of Directors.


ARTICLE 12: Sabotage Reporting

A procedure to identify and report sabotage is to be included in the cyber security policy within 30 days from the issue of the guidelines. The CISO is to be held responsible for the non-reporting of sabotage. The CISO is to prepare a report on identified sabotage and submit it to the sectoral-CERT and CERT-In within 24 hours. For every sabotage incident classified on the protected systems, the CISO will report to the National Critical Information Infrastructure Protection Centre (NCIIPC) within 24 hours. For every sabotage, the CISO will take custody of all log records and digital forensic records of all cyber assets, the intrusion detection system, the intrusion prevention system, and Security Information and Event Management (SIEM), preserve them for 90 days, and produce them when demanded by the investigative agencies.


ARTICLE 13: Vulnerability testing of Cyber Assets

Vulnerability testing of all cyber assets under their control must be done regularly.


ARTICLE 14: Cyber Security Audit

An Information Security Management System (ISMS) should be implemented covering all its security systems. The audit should be done every six months; critical and high vulnerabilities should be closed within 1 month, and medium and low non-conformities before the next audit.


CONCLUSION


Is your organization equipped with the aforementioned guidelines issued by the government to secure your company's power systems? Are your power systems secure?


Get your Risk Assessment done without delay. Speak with our experts.


Gorisco has a wide range of experts who have various solutions at their disposal to help organizations mitigate the risk.


At Gorisco, our motto is 'Embedding Resilience' and we are committed to making organizations and their workforce resilient. Reach out to us if you have any queries or clarifications, or need any support on your initiatives.


To read our other blogs, click here. More importantly, let us know if you liked them or not through your comments.