India’s Central Electricity Authority (CEA) issued the Cyber Security in Power Sector Guidelines 2021 in October 2021. The comprehensive guidelines are intended to help all power sector entities in India take measured steps to improve their overall cybersecurity posture and protect critical infrastructure from cyber attacks through specific interventions.

The guidelines cover a wide gamut of topics, including:

- Information security management: a set of requirements for establishing an information security management system (ISMS) in power sector entities.
- OT/ICS asset management: inputs on how to identify, classify, and manage assets in the power sector.
- OT/ICS risk assessment: ways to conduct risk assessments on the IT and operational technology (OT) systems used by responsible entities in the sector.
- OT/ICS security controls: a number of security controls that should be implemented by power sector entities.
- Incident response: guidance on responding to cyber incidents in the power sector.

The CEA cybersecurity guidelines 2021 can serve as an important foundational platform for securing power sector entities in India. By adopting these guidelines, responsible entities can address various cybersecurity gaps and plan and deploy interventions on priority to secure their infrastructure.

Highlights of the guidelines:

Responsible entities: Responsible entities, as per the guidelines, are those entities that serve various roles in the power sector and are sector participants with significant exposure to cyber threats. These entities include power generation companies, transmission companies, distribution companies, OEMs and system operators.

Information security management system: The guidelines require responsible entities to establish and maintain an ISMS. The ISMS should be based on the international standard ISO 27001.

OT/ICS and IoT asset management: The guidelines require responsible entities to identify, classify, and manage all assets in the power sector. This includes IT assets, OT assets, and physical assets.

OT/ICS and IT risk assessment: The guidelines require responsible entities to conduct risk assessments of IT and OT systems. The risk assessments should be based on the international standards ISO/IEC 27005 and IEC 62443.

OT/ICS security controls: The guidelines list several security controls that should be implemented in power sector entities. These controls include access control, data encryption, and incident response.

OT/ICS incident response: The guidelines provide guidance on responding to various types of cyber incidents, covering steps such as detection, containment, eradication, and recovery.

Access controls: All REs must put in place controls that enable access management in a secure manner.

Complying with CEA guidelines:

Sectrio can help power entities comply with CEA guidelines in a structured manner. With its extensive experience in critical infrastructure (specifically the power sector), Sectrio can enable power companies to address the requirements suggested by the guidelines as well as be prepared to comply with the power sector cybersecurity regulation, which is on the horizon. Here are a few ways in which Sectrio can help power sector entities in India:

| CEA Requirement | How Sectrio helps address this mandate |
|---|---|
| Continued scanning of all systems for any vulnerability/malware as per the SOP laid down; for all such activities, digital logs are maintained and retained under the custody of the CISO for at least 6 months. | Sectrio’s vulnerability management module and threat detection modules can meet this need. The first one detects any vulnerability arising from a lack of patches, misconfigurations, or the addition of a device with pre-existing vulnerabilities. The assessments will be comprehensive across locations and assets, providing a detailed report on the findings with logs as well. |
| The Responsible Entity shall have a Cyber Security Policy drawn upon the guidelines issued by NCIIPC. | Sectrio can help power companies develop a comprehensive cyber security policy, including governance, a RACI matrix, and other rules aligned to NCIIPC guidelines. |
| The RE must secure cyber assets through updates, patching, testing, configuration security, and additional controls. | Sectrio can ensure early detection of exploits, and it can also flag assets that are not secure, unpatched, misconfigured, or not inventoried. Potential gaps can also be highlighted along with exposed and exploitable threat surfaces. |
| Cyber Risk Assessment and Mitigation Plan: document and implement a Cyber Risk Assessment and Mitigation Plan. | Such a plan can be put in place by Sectrio’s team in collaboration with the relevant team from the power company. The plan will also have a roadmap component to ensure the scaling of all security measures. |
| REs must implement an ISMS and audit IT and OT systems yearly with CERT-In empaneled cyber security OT auditors. | Sectrio is a CERT-In empaneled cyber security OT auditor, and we also have extensive experience in conducting similar work. |
| Identification of Critical Information Infrastructure (CII): REs must provide information on their cyber assets, critical business processes and information infrastructure to NCIIPC. | Sectrio’s solution can help inventory assets, with detailed information on each asset available in one click. |
| Only identifiable whitelisted devices are used to download or upload any data or information from their internet-facing IT system. | Sectrio’s solution can help inventory assets and their digital footprint and identify their functions and activities on the network. |
| The CISO manages a list of whitelisted IP addresses for each firewall, and each firewall is set up to only permit communication with the whitelisted IP addresses. | Our solution can help identify any deviation from the communication rules set through a whitelist. It can also identify and block communications to a blacklisted or suspicious IP. |
| The Cyber Security Policy must include specific information about the process of Access Management for all cyber assets that the Responsible Entity owns or controls. | Access management at a device level can be controlled to ensure that only permitted services and devices are allowed to interact. |
| Through its Information Security Division (ISD), the Responsible Entity shall be solely responsible for implementing the Cyber Security Policy. | Sectrio can work with the responsible entity to implement the Cyber Security Policy and improve its implementation. |
| Sabotage reporting: the responsible entity must incorporate procedures for identifying, reporting, and preserving records of cyber sabotage. | Sabotage attempts through cyberattacks can be blocked by Sectrio’s solution. This |
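The per-firewall whitelist requirement above implies a recurring check: every flow a firewall actually permitted should fall inside the CISO’s list for that firewall. The following added example (not Sectrio’s product code or the CEA’s text) shows such a deviation check over constructed firewall log lines; the firewall names, IP ranges and the `fw=... dst=... action=...` log format are all assumptions made up for the illustration.

```python
import ipaddress
import re

# Constructed per-firewall whitelists (sample values, not from the guidelines):
# firewall name -> IPs/CIDRs the CISO has approved for that firewall.
ALLOWLISTS = {
    "fw-substation-01": ["10.20.0.0/24", "192.0.2.10"],
    "fw-control-centre": ["10.30.0.0/16"],
}

# Constructed sample log lines in an assumed "fw=<name> dst=<ip> action=<allow|deny>" format.
SAMPLE_LOGS = """\
fw=fw-substation-01 dst=10.20.0.15 action=allow
fw=fw-substation-01 dst=198.51.100.7 action=allow
fw=fw-substation-01 dst=198.51.100.8 action=deny
fw=fw-control-centre dst=10.30.4.2 action=allow
fw=fw-control-centre dst=203.0.113.9 action=allow
fw=fw-unknown dst=10.30.4.2 action=allow
"""

LOG_RE = re.compile(r"fw=(?P<fw>\S+)\s+dst=(?P<dst>\S+)\s+action=(?P<action>\S+)")


def compile_allowlists(raw):
    """Parse IP/CIDR strings once so each log line is matched against network objects."""
    return {fw: [ipaddress.ip_network(e, strict=False) for e in entries]
            for fw, entries in raw.items()}


def find_deviations(log_text, allowlists):
    """Return (firewall, dst, reason) for permitted flows the whitelist does not cover.

    Denied flows are skipped: a deny to a non-whitelisted IP is the firewall working as
    configured. An allow outside the list, or from a firewall that has no list, is a
    deviation from the CISO's rules that should be reviewed.
    """
    nets = compile_allowlists(allowlists)
    deviations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "allow":
            continue
        fw, dst = m["fw"], ipaddress.ip_address(m["dst"])
        if fw not in nets:
            deviations.append((fw, str(dst), "no whitelist configured for firewall"))
        elif not any(dst in n for n in nets[fw]):
            deviations.append((fw, str(dst), "allowed destination not in whitelist"))
    return deviations


if __name__ == "__main__":
    for fw, dst, reason in find_deviations(SAMPLE_LOGS, ALLOWLISTS):
        print(f"{fw}: {dst} ({reason})")
```

In a real deployment the log lines would come from the firewalls’ own export format and the results would feed the retained digital logs the guidelines require.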