CEA notifies draft CEA (Cyber Security in Power Sector) Regulations, 2024

The Central Electricity Authority (CEA) has notified the draft CEA (Cyber Security Regulations for the power sector) Regulations, 2024.

The scope of these regulations includes all responsible entities, regional power committees, appropriate commissions, governments, and associated organizations in the power sector, including training institutes and vendors. The regulations outline the responsibilities of a Computer Security Incident Response Team (CSIRT)-Power, which include developing a cyber security framework, responding to incidents, and coordinating with other cyber security bodies such as CERT-In and NCIIPC. The regulations also stipulate that entities must establish an Information Security Division dedicated to cyber security, which will be responsible for tasks such as implementing measures for critical infrastructure protection, reviewing policies, and conducting security assessments. The draft regulations also propose that vendors shall provide documented and tested procedures and a recovery plan for restoration of the system from potential cyber crisis scenarios. Vendors shall ensure that security patches and updates are made available for all system components supplied by them throughout the entire contractually stipulated operating time.