Safeguarding power infrastructure: Decoding the Draft CEA Cyber Security Regulations


Prayukth K V

16 June 2025

Safeguarding power infrastructure: Decoding the Draft CEA Cyber Security Regulations 2024

In an age where the digital and physical realms of the power sector are more intertwined than ever, cyber threats loom as a significant risk to national energy security. Recognizing this, the Central Electricity Authority (CEA) under India’s Ministry of Power has released a comprehensive draft of the Cyber Security in Power Sector Regulations, 2024. This regulation marks a paradigm shift from fragmented guidelines to a uniform, enforceable cybersecurity baseline across the entire power sector ecosystem.

This blog post takes a deep dive into the proposed CEA regulations, their implications for utilities, generation companies, transmission and distribution licensees, and what CISOs and OT leaders must begin preparing for now.

Understanding the CEA Regulations

Electric power infrastructure is designated as a Critical Information Infrastructure (CII) under Indian law. From operational technology (OT) in substations to energy management systems in control centers, the grid’s increasing digitalization brings a broader attack surface. Threats are no longer theoretical – from malware targeting industrial control systems to nation-state actors probing SCADA networks, the power sector stands exposed.

The 2024 draft regulations aim to bring standardization, accountability, and preparedness across all layers of the electricity value chain.

Who Must Comply?

The regulations apply to a wide range of “Responsible Entities” in the power sector, including but not limited to:

· Generation companies (thermal, hydro, renewable, captive)

· Energy Storage System operators

· Transmission and Distribution Licensees

· Load Dispatch Centers (NLDC, RLDCs, SLDCs)

· Power exchanges, trading entities

· State/Central transmission utilities

· Renewable Energy Management Centers

· Forecasting service providers

· Government training institutes, vendors, and OEMs

Essentially, if your organization handles operational technology that impacts the grid, these regulations are for you.

Governance: Setting up for success

1. Creation of CSIRT-Power

A centralized Computer Security Incident Response Team - Power (CSIRT-Power) will be set up under CEA. It will function as the nodal agency for cyber threat monitoring, incident response, policy formulation, coordination with CERT-In and NCIIPC, and capacity-building.

Sub-sectoral CERTs for generation, transmission, distribution, and grid operations may also be created.

2. Designation of CISOs

Each responsible entity must designate a Chief Information Security Officer (CISO) and an Alternate CISO, both Indian nationals with a power sector or cybersecurity background. This is non-negotiable and is central to cyber accountability.

CISOs will directly report to the organization’s head and serve as nodal officers for all cyber coordination and crisis management.

Core Technical Requirements

3. Cybersecurity Policies and Plans

Each entity must:

· Formulate and maintain a Cybersecurity Policy approved by the Board.

· Implement a Cyber Crisis Management Plan (CCMP), outlining cyber event categorization, stakeholder roles, SOPs, and recovery plans.

Both documents must be reviewed annually or after any major change.

4. Network Security Architecture

The regulation mandates:

· Air-gapping or logical segmentation between OT and IT networks.

· Isolation of critical OT systems from the internet.

· Restricted remote access with multi-factor authentication and strict time limits.

· Firewalls, IDS/IPS, Web Application Firewalls (WAF), and behavior anomaly detection at all critical junctions.

· Prohibition of internet-based control for power system elements.

Real-time operational data cannot be transmitted across national borders, a direct nod to sovereignty concerns.

Security Operations and Monitoring

5. Information Security Division (ISD)

All responsible entities must establish a 24x7 Information Security Division led by the CISO. The ISD will:

· Maintain cyber asset inventories and architecture maps

· Track vulnerabilities and ensure patch management

· Conduct internal testing of compliance

· Retain logs and forensic evidence for at least 180 days

· Include cyber controls in FAT/SAT and procurement SLAs

· Synchronize OT/IT system clocks

· Handle incident response and post-mortem reviews

Minimum staffing, knowledge requirements and certification needs for ISD officers have also been detailed.

Workforce and vendor controls

6. Human risk management

Cybersecurity is indeed a shared responsibility. Therefore:

· All IT/OT personnel, including contractors and vendors, must undergo certified cybersecurity training.

· NDAs and undertaking agreements are compulsory for access to sensitive environments.

· Disciplinary procedures must be in place for security violations.

CISOs and ISD team members are required to complete 10 person-days of training annually.

7. Vendor Obligations

OEMs, suppliers, and system integrators must:

· Provide Software Bills of Materials (SBOMs) for critical applications to ensure lifecycle transparency and to prevent supply chain poisoning

· Offer tested restoration procedures and patch updates for the contract lifecycle

· Notify clients of end-of-support timelines

· Ensure compliance with Indian testing standards where applicable and with cybersecurity standards such as IEC 62443-4

· Align with MoP’s Trusted Vendor Scheme and include cybersecurity clauses in all contracts

Cyber risk assessment, security audits, and reporting

8. Mandatory audits

Cybersecurity audits are required:

· Twice a year for IT systems

· Once a year for OT systems

Audits must be conducted by CERT-In empanelled auditors. No three consecutive audits should be conducted by the same agency.
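The audit cadence, auditor-rotation and log-retention rules above translate directly into checks a gap assessment can run. The following is an added example (not code from the post or from the regulation) that encodes those thresholds; the audit data is constructed, and the rotation rule is assumed here to be evaluated per system type in date order:

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as summarised in this post for the draft regulation.
IT_AUDITS_PER_YEAR = 2
OT_AUDITS_PER_YEAR = 1
MIN_LOG_RETENTION_DAYS = 180
MAX_CONSECUTIVE_SAME_AGENCY = 2   # "no three consecutive audits by the same agency"

@dataclass
class Audit:
    system_type: str   # "IT" or "OT"
    agency: str
    performed_on: date
    empanelled: bool   # auditor is CERT-In empanelled

def audit_findings(audits, year):
    """Return gap statements for the given calendar year (empty list = compliant)."""
    findings = []
    for a in audits:
        if not a.empanelled:
            findings.append(f"{a.performed_on}: {a.agency} is not a CERT-In empanelled auditor")
    for kind, need in (("IT", IT_AUDITS_PER_YEAR), ("OT", OT_AUDITS_PER_YEAR)):
        done = [a for a in audits if a.system_type == kind and a.performed_on.year == year]
        if len(done) < need:
            findings.append(f"{kind}: {len(done)} audit(s) in {year}, regulation requires {need}")
        # Rotation check (assumption: consecutive runs counted per system type, by date).
        run, prev = 0, None
        for a in sorted((a for a in audits if a.system_type == kind), key=lambda a: a.performed_on):
            run = run + 1 if a.agency == prev else 1
            prev = a.agency
            if run > MAX_CONSECUTIVE_SAME_AGENCY:
                findings.append(f"{kind}: {a.agency} performed {run} consecutive audits")
                break
    return findings

def log_retention_findings(retention_days):
    """retention_days maps a log source to the number of days its logs are kept."""
    return [f"{src}: retained {days} days, regulation requires {MIN_LOG_RETENTION_DAYS}"
            for src, days in retention_days.items() if days < MIN_LOG_RETENTION_DAYS]

SAMPLE_AUDITS = [  # constructed sample data, not real entities or dates
    Audit("IT", "Auditor-A", date(2024, 3, 1), True),
    Audit("IT", "Auditor-A", date(2024, 9, 1), True),
    Audit("IT", "Auditor-A", date(2025, 3, 1), True),   # third in a row: rotation breach
    Audit("OT", "Auditor-B", date(2024, 6, 1), False),  # not empanelled
]

if __name__ == "__main__":
    for line in audit_findings(SAMPLE_AUDITS, 2024) + log_retention_findings({"scada-historian": 90}):
        print(line)
```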

9. Incident reporting

All cyber incidents must be reported to CSIRT-Power, CERT-In, and NCIIPC within the prescribed time.

In case of sabotage, reporting has to be done within 24 hours of detection.

Compliance monitoring and enforcement

10. Self-audits

Every responsible entity must conduct an annual self-audit, report non-compliances by March 31 each year, and submit this to the CISO, Ministry of Power and CSIRT-Power.

The report must include root cause, impact analysis, remedial steps, and preventive measures.

11. Independent audits and penalties

CISO-MoP may order independent third-party compliance audits based on violations or risk indicators. Non-compliance could lead to prosecution under Section 146 of the Electricity Act, 2003 or action under the IT Act.

Physical security mandates

Cybersecurity isn’t just digital. The draft regulation extends into physical access controls, requiring:

· Secured access to critical assets (CCTV, biometrics, mantraps, etc.)

· Revocation of access in high-threat scenarios

· Physical separation of physical security systems from OT networks

Forward-looking provisions

The draft also includes:

· Mechanisms for obsolete system decommissioning

· Cyber supply chain risk management protocols

· Restrictions on Bring-Your-Own-Device (BYOD)

· Digital privacy and data protection clauses

· Promotion of R&D collaboration with academia

Key takeaways for CISOs and power sector leaders

· Do not wait: The regulations give a six-month window post-notification for compliance. Begin with a gap assessment and roadmap.

· Mature the CISO’s role: Make cyber a boardroom topic. Elevate the CISO’s visibility and independence.

· Strengthen ISD: Structure your security operations around detection, response, and reporting functions with certified talent.

· Assess your vendors: Ensure your supply chain is not the weakest link.

· Segment and harden OT networks: No room for delay; segmentation and access controls are now enforceable obligations.

· Focus on evidence-backed security measures: Expect to demonstrate controls, not merely describe them.

The 2024 draft CEA Cybersecurity Regulations are indeed a watershed moment for India's power sector. They embed cybersecurity into the operational DNA of every power entity, from renewable developers to transmission utilities.

For CISOs and CTOs, this is a challenge and an incredible opportunity. The compliance demands are high, but the framework provides clarity and institutional support. Getting ahead of the curve now will not only prevent future penalties but position your organization as a secure, resilient pillar of India’s power infrastructure.

Need help aligning your OT security strategy with the CEA cybersecurity regulations? Let’s talk: our experts can help you conduct a regulation-aligned readiness assessment and implement robust defenses across your IT-OT estate.
