Central Electricity Authority · India

CEA Power-Sector Cyber Security

Cyber security in the power/electricity sector under CEA regulations.

Introduction: The CEA Power-Sector Cyber Security Regime

India's power sector is a designated Critical Information Infrastructure (CII). Generation stations, transmission utilities, load despatch centres, distribution companies (DISCOMs) and system operators depend on Operational Technology (OT) - SCADA, Energy Management Systems (EMS), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), Programmable Logic Controllers (PLCs) and increasingly IT/OT-converged platforms. A successful cyber attack against this infrastructure can cause cascading grid failures, prolonged blackouts and threats to national security. Against this backdrop the Central Electricity Authority (CEA), acting under statutory powers, issued the Central Electricity Authority (Cyber Security in Power Sector) Guidelines and subsequently the Cyber Security in Power Sector Regulations to mandate baseline cyber security controls across every responsible entity in the power supply chain.

This guide is written for two audiences at once: the auditor or assessor who must evaluate a responsible entity's conformance to the CEA regime, and the implementer or product/OT engineering team that must design, deploy and evidence the controls. It enumerates the regulatory obligations, the control domains, the assessment lifecycle, the maturity expectations and the evidence artefacts an assessor will demand. Throughout, we anchor to the actual terminology used by the CEA framework: Responsible Entity, Chief Information Security Officer (CISO), Cyber Security Policy, Cyber Crisis Management Plan (CCMP), Information Security Management System (ISMS), Cyber Security Requirements for Supply Chain, air-gapping of critical systems, and reporting to CERT-In and the sectoral CERT (CERT-Transmission / CERT-Thermal / CERT-Hydro / CERT-Distribution).

Copyright and source note
The CEA Cyber Security in Power Sector Guidelines/Regulations are official documents of the Central Electricity Authority, Government of India, and are published in the Gazette of India. This guide is an original, independent interpretation prepared for assessment and implementation purposes. It paraphrases obligations and does not reproduce the copyrighted statutory text. Responsible entities must always work from the authoritative gazetted regulation and any amendments, and from directions issued by the CEA, the Ministry of Power, NCIIPC and CERT-In. Where this guide and the official text differ, the official text prevails.

What is CEA Power Sector Cyber Security

The CEA Power-Sector Cyber Security regime is a sector-specific, mandatory cyber security scheme for the Indian electricity supply industry. It began life as the 'Guidelines on Cyber Security in Power Sector' (issued by the CEA in October 2021) and has matured into a binding regulatory instrument, the 'Central Electricity Authority (Cyber Security in Power Sector) Regulations', framed under Section 177 of the Electricity Act, 2003, read with the CEA's mandate and in alignment with the Information Technology Act, 2000 and the National Critical Information Infrastructure Protection Centre (NCIIPC) directives.

Unlike a voluntary certification such as ISO/IEC 27001, the CEA regime is compulsory for defined 'Responsible Entities'. It layers a power-sector-specific OT/ICS security baseline on top of general information security good practice. Its core objectives are: (a) to create a cyber-secure ecosystem across generation, transmission, distribution, load despatch and system operation; (b) to enforce identification and protection of critical and non-critical systems; (c) to institutionalise governance through a CISO and an Information Security Division; (d) to mandate incident detection, reporting and crisis management; and (e) to secure the supply chain of ICT and OT products entering power-sector networks, including a preference for products from 'trusted sources' and testing/evaluation of equipment.

The scheme is enforced through self-assessment, periodic third-party audits by CERT-In empanelled auditors, mandatory incident reporting, vulnerability assessment and penetration testing (VAPT), and oversight by the sectoral CERTs. Non-conformance carries regulatory consequences, since the underlying instrument is statutory.

Who Must Comply (Responsible Entities)

The regime applies to every 'Responsible Entity' - broadly, any organisation that owns, operates or maintains a system that is part of, or connected to, the power-sector grid or its supporting information infrastructure. The table below enumerates the principal categories.

Category of responsible entity | Examples / scope of obligation
Generating companies | Thermal, hydro, nuclear (where applicable), gas, and large renewable generation stations operating plant control systems, DCS, turbine governors and generation SCADA
Transmission licensees / STUs / CTU | Central Transmission Utility (Power Grid), State Transmission Utilities, private transmission licensees operating substations, SAS, IEDs and tele-protection
Distribution licensees (DISCOMs) | State and private distribution companies operating distribution SCADA/DMS, AMI/smart-metering head-ends, DT monitoring, and consumer-facing IT
Load Despatch Centres | National (NLDC), Regional (RLDC) and State (SLDC) Load Despatch Centres operating EMS/SCADA, AGC, state estimation and market systems
System operators | Grid controllers and operators of the unified real-time despatch and balancing systems
Renewable / RE management centres | Renewable Energy Management Centres (REMCs) for forecasting, scheduling and control
Vendors, OEMs and service providers | Suppliers of ICT/OT equipment, integrators, managed service providers and cloud/hosting providers who must meet supply-chain and trusted-source obligations
SLDC/RLDC IT support and CSIRT functions | Sectoral CERT constituents (CERT-Transmission, CERT-Thermal, CERT-Hydro, CERT-Distribution) and internal C-SIRTs

  • Applicability is triggered by connection to, or being part of, the power grid or its control/monitoring infrastructure - not by organisation size.
  • Both critical systems (whose compromise affects grid reliability/security) and non-critical business IT systems are in scope, though controls are graded by criticality.
  • Third parties and supply-chain participants inherit flow-down obligations through contracts and the trusted-source requirement.
  • Entities designated as CII by NCIIPC carry additional, stricter obligations under the IT Act.

Structure of CEA Power Sector Cyber Security

The regime is structured as a set of governance obligations plus a graded technical control baseline covering IT and OT/ICS. For assessment purposes it is convenient to decompose it into control domains (families). The table below maps the principal domains, their focus and representative controls. These domains form the spine of the master assessment checklist that follows.

Domain (family) | Focus | Representative controls / obligations
D1 Governance & Cyber Security Policy | Leadership, policy, ISMS | Board-approved cyber security policy; CISO appointment; Information Security Division; ISMS aligned to ISO 27001
D2 Asset Identification & Classification | Inventory, criticality | Identify critical/non-critical systems; asset register; network architecture documentation
D3 Risk Assessment & Management | TARA, risk treatment | Periodic risk assessment; threat and vulnerability analysis; risk treatment plan; residual-risk sign-off
D4 Network Segmentation & Architecture | IT/OT separation | Zones and conduits; DMZ; air-gapping of critical control systems; firewalls; unidirectional gateways
D5 Access Control & Identity | AAA, least privilege | RBAC; MFA for remote/privileged access; unique IDs; session control; vendor access governance
D6 Secure Configuration & Hardening | Baselines, patching | Hardened baselines; change management; patch and vulnerability management for IT and OT
D7 Malware & Endpoint Protection | Anti-malware, media | AV/EDR where feasible; removable-media control; application whitelisting on OT
D8 Logging, Monitoring & SOC | Detection | Centralised logging; SIEM; SOC/monitoring; NTP time-sync; log retention
D9 Incident Management & Reporting | Detect-report-respond | Incident response plan; reporting to CERT-In within timelines; sectoral CERT reporting
D10 Cyber Crisis Management Plan (CCMP) | Crisis, continuity | CCMP aligned to NCIIPC; BCP/DR; crisis drills and tabletop exercises
D11 Supply Chain & Trusted Source | Procurement security | Trusted-source procurement; equipment testing/evaluation; secure SDLC; vendor security clauses
D12 VAPT & Security Testing | Assurance testing | Periodic VA/PT of IT and OT (safely); FAT/SAT security testing; red-team where applicable
D13 Physical & Environmental Security | Physical protection | Access control to control rooms/substations; environmental monitoring; tamper protection
D14 Awareness, Training & HR Security | People | Role-based training; awareness; background verification; joiner/mover/leaver process
D15 Audit, Compliance & Reporting | Assurance & governance | Periodic third-party audit by CERT-In empanelled auditor; self-assessment; compliance reporting to CEA

Master Assessment Checklist

This is the core of the guide. Each domain is expanded into concrete verification items and the typical evidence an assessor should collect. Do not skip any domain. Every 'What to verify' line is intended to become a test step; every 'Typical evidence' line is the artefact that discharges it. The assessor should sample across sites (plants, substations, load despatch centres) and across both IT and OT environments.

D1 - Governance and Cyber Security Policy

What to verify | Typical evidence
A board/top-management-approved cyber security policy exists and is current | Signed policy document; board/management approval minutes; review dates
A CISO has been appointed with defined authority and reporting line | Appointment letter; role charter; org chart showing reporting to top management
An Information Security Division / cyber security cell is established and resourced | Team structure; RACI; budget allocation; staffing records
An ISMS aligned to ISO/IEC 27001 is defined and operating | ISMS scope statement; Statement of Applicability; internal audit reports; certificate if held
Roles, responsibilities and accountability for cyber security are documented | RACI matrix; job descriptions; delegation of authority
Policy is communicated and enforced across IT and OT | Acknowledgement records; intranet publication; training attendance

D2 - Asset Identification and Classification

What to verify | Typical evidence
A complete inventory of IT and OT assets exists and is maintained | Asset register (hardware, software, firmware versions); CMDB extract; update log
Critical systems are identified and separately classified from non-critical systems | Criticality classification methodology; list of critical systems; sign-off
Network architecture and data-flow diagrams are documented and current | Network diagrams; zone/conduit maps; data-flow diagrams with dates
Ownership is assigned for every asset and information set | Asset-owner mapping; information classification labels
OT assets (RTUs, IEDs, PLCs, SCADA/EMS/DMS servers) are inventoried with firmware detail | OT asset list with make/model/firmware; substation and plant coverage

D3 - Risk Assessment and Management

What to verify | Typical evidence
A documented risk assessment methodology is defined and applied periodically | Risk methodology; risk assessment schedule; latest risk register
Threats, vulnerabilities and impacts are assessed for critical systems (TARA-style) | Threat models; vulnerability findings; impact ratings; likelihood scoring
A risk treatment plan with owners and timelines exists | Risk treatment plan; remediation tracker; due dates
Residual risks are formally accepted at appropriate authority | Risk acceptance records signed by CISO/management
Risk assessment is repeated after major change or incident | Change-triggered assessments; post-incident risk reviews

D4 - Network Segmentation and Architecture

What to verify | Typical evidence
IT and OT networks are logically and/or physically separated | Network diagrams; VLAN/firewall configs; segmentation test results
Critical control systems are air-gapped or isolated as mandated | Air-gap declaration; physical inspection notes; documented exceptions with compensating controls
A DMZ mediates all IT-to-OT data exchange | DMZ design; data historian/broker placement; firewall rulebase
Firewalls/unidirectional gateways enforce zone-to-conduit rules | Firewall rule review; data-diode configuration; deny-by-default evidence
Remote access to OT is controlled through jump hosts and brokered channels | Remote-access architecture; jump-server logs; VPN configuration
Wireless and external connectivity into OT is restricted and monitored | Wireless survey; rogue-AP scans; external connection register
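As an added illustration of the D4 firewall rule review (this is example code written for this guide, not part of the CEA text or of any vendor tool), the script below applies the zone-to-conduit expectations above to a constructed rulebase: a terminal deny-any rule, no direct IT-to-OT or OT-to-IT conduit, DMZ-to-OT sessions only from a jump host on administrative services, and OT-to-DMZ flows only to the historian relay. The zone CIDRs, the jump-host and historian addresses, the rule IDs and the rule dictionary format are all assumptions.

```python
"""Zone-to-conduit review of a firewall rulebase (CEA domain D4).

Added example. The input format is an assumption: one dict per rule, in
evaluation order, with keys id, action, src, dst, service. Addresses are
hosts or CIDRs, or the literal 'any'; services look like 'tcp/22' or 'any'.
"""
from ipaddress import ip_network

# Constructed zone map (assumption): corporate IT, the IT/OT DMZ, and the OT
# control zone that the regulation expects to be isolated.
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "OT": [ip_network("192.168.100.0/24")],
}

# Hypothetical brokered channels: the only DMZ host allowed to open admin
# sessions into OT, and the only DMZ host allowed to receive OT data
# (historian replication, ideally fed through a unidirectional gateway).
JUMP_HOSTS = {ip_network("10.20.0.10")}
HISTORIAN_RELAYS = {ip_network("10.20.0.20")}
ADMIN_SERVICES = {"tcp/22", "tcp/3389"}


def zone_of(addr: str) -> str:
    """Return the zone a host/CIDR belongs to, 'ANY' for a wildcard, else 'UNKNOWN'."""
    if addr == "any":
        return "ANY"
    net = ip_network(addr, strict=False)
    for name, nets in ZONES.items():
        if any(net.subnet_of(n) for n in nets):
            return name
    return "UNKNOWN"


def review_rulebase(rules):
    """Return a list of (rule_id, finding) tuples against the D4 checklist items."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"] == "any" and last["dst"] == "any"):
        findings.append(("RULEBASE", "no terminal deny-any rule: deny-by-default not evidenced"))

    for r in rules:
        if r["action"] != "permit":
            continue
        s, d = zone_of(r["src"]), zone_of(r["dst"])
        if "ANY" in (s, d) or "UNKNOWN" in (s, d):
            findings.append((r["id"], "permit with wildcard/unmapped endpoint; not tied to a conduit"))
            continue
        if s == "IT" and d == "OT":
            findings.append((r["id"], "direct IT->OT conduit bypasses the DMZ"))
        elif s == "OT" and d == "IT":
            findings.append((r["id"], "direct OT->IT conduit bypasses the DMZ/unidirectional gateway"))
        elif s == "DMZ" and d == "OT" and (
                ip_network(r["src"], strict=False) not in JUMP_HOSTS
                or r["service"] not in ADMIN_SERVICES):
            findings.append((r["id"], "DMZ->OT permit not limited to the jump host on admin services"))
        elif s == "OT" and d == "DMZ" and ip_network(r["dst"], strict=False) not in HISTORIAN_RELAYS:
            findings.append((r["id"], "OT->DMZ permit not limited to the historian relay"))
        if s != d and r["service"] == "any":
            findings.append((r["id"], "any-service permit between zones"))
    return findings


# Constructed rulebase for the walk-through; R3 and R4 are the defects.
SAMPLE_RULES = [
    {"id": "R1", "action": "permit", "src": "10.20.0.10", "dst": "192.168.100.0/24", "service": "tcp/22"},
    {"id": "R2", "action": "permit", "src": "192.168.100.0/24", "dst": "10.20.0.20", "service": "tcp/5432"},
    {"id": "R3", "action": "permit", "src": "10.10.0.0/16", "dst": "192.168.100.5", "service": "tcp/3389"},
    {"id": "R4", "action": "permit", "src": "10.20.0.0/24", "dst": "192.168.100.0/24", "service": "any"},
    {"id": "R5", "action": "permit", "src": "10.10.0.0/16", "dst": "10.20.0.20", "service": "tcp/443"},
    {"id": "R6", "action": "deny", "src": "any", "dst": "any", "service": "any"},
]

if __name__ == "__main__":
    for rule_id, text in review_rulebase(SAMPLE_RULES):
        print(f"{rule_id}: {text}")
```

Each finding maps back to a checklist row (DMZ mediation, zone-to-conduit enforcement, deny-by-default, brokered remote access), so the output can be filed directly as the "firewall rule review" evidence item.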

D5 - Access Control and Identity Management

What to verify | Typical evidence
Every user and service account is uniquely identifiable (no shared accounts) | Account inventory; identity provider export; shared-account exceptions
Role-based access control enforces least privilege | RBAC matrix; entitlement review reports; segregation-of-duties analysis
Multi-factor authentication protects remote and privileged access | MFA policy; MFA enrolment reports; privileged access management (PAM) logs
Periodic access recertification is performed | Access review sign-offs; revocation records for movers/leavers
Vendor and third-party access is time-bound, logged and supervised | Vendor access requests; approvals; session recordings/logs
Default and vendor credentials are changed on OT devices | Password change evidence; device configuration review

D6 - Secure Configuration, Hardening and Patch Management

What to verify | Typical evidence
Hardened configuration baselines exist for IT and OT assets | Baseline/hardening standards; benchmark reports (CIS/vendor)
A change management process governs all configuration changes | Change tickets; CAB minutes; emergency change records
Patch and vulnerability management covers IT and OT with risk-based timelines | Patch schedule; patch compliance reports; OT patch-window/mitigation records
Unsupported/end-of-life systems are identified and mitigated | EOL register; compensating-control documentation; migration roadmap
Configuration integrity is monitored for critical devices | Configuration backup; integrity-check evidence; drift alerts

D7 - Malware and Endpoint Protection

What to verify | Typical evidence
Anti-malware/EDR is deployed on IT endpoints and OT where feasible | AV/EDR console coverage report; signature/engine currency
Removable media use is controlled and scanned before use in OT | Media control policy; scanning kiosk logs; USB port-control settings
Application whitelisting is applied on OT hosts where supported | Whitelisting configuration; allowed-application list
Malware defence updates are tested before deployment to OT | Offline update/staging process; test records

D8 - Logging, Monitoring and Security Operations

What to verify | Typical evidence
Security-relevant events are logged across IT and OT | Logging policy; sample logs; source coverage matrix
Logs are centralised and correlated in a SIEM/monitoring platform | SIEM architecture; ingestion list; correlation rules
A SOC or monitoring capability provides continuous detection | SOC operating model; shift roster; alert-handling records
Time synchronisation (NTP) is enforced across systems | NTP configuration; time-drift monitoring
Log retention meets policy and regulatory expectations | Retention policy; storage evidence; archival records
Use-cases exist for OT-specific attack detection | OT detection rules; anomaly-detection deployment

D9 - Incident Management and Reporting

What to verify | Typical evidence
A documented incident response plan with severity classification exists | IR plan; playbooks; severity matrix
Cyber incidents are reported to CERT-In within mandated timelines | Incident register; CERT-In reporting acknowledgements; timestamps
Incidents are reported to the relevant sectoral CERT | Sectoral CERT (CERT-Transmission/Thermal/Hydro/Distribution) correspondence
Incidents are investigated, root-caused and closed with lessons learned | RCA reports; corrective actions; closure records
An internal C-SIRT / response team is defined and reachable 24x7 | C-SIRT roster; contact tree; escalation matrix
Post-incident forensics and evidence preservation are provided for | Forensic procedure; chain-of-custody templates

D10 - Cyber Crisis Management Plan (CCMP)

What to verify | Typical evidence
A CCMP aligned to the NCIIPC template is approved and current | Approved CCMP document; version/date; NCIIPC alignment mapping
Business continuity and disaster recovery plans cover critical systems | BCP/DR plans; RTO/RPO definitions; DR site details
Crisis drills, tabletop exercises and DR tests are conducted periodically | Exercise reports; DR test results; participation records
Crisis roles, escalation and external communication are defined | Crisis org chart; escalation matrix; media/regulator communication plan
Grid restoration/black-start coordination considers cyber scenarios | Restoration procedures; cyber-scenario integration evidence

D11 - Supply Chain and Trusted Source Security

What to verify | Typical evidence
ICT/OT equipment is procured from trusted sources as mandated | Trusted-source declarations; procurement policy; approved-vendor list
Equipment is tested/evaluated for cyber security before deployment | Type-test/lab-evaluation reports; FAT/SAT security test records
Security requirements are embedded in contracts and tenders | Contract security clauses; RFP cyber requirements; SLAs
Software/firmware integrity and provenance are verified | Code-signing/hash verification; SBOM where available
Vendor security posture is assessed periodically | Vendor risk assessments; audit rights exercised; questionnaires
Secure development practices are required of suppliers | Secure SDLC evidence; vulnerability disclosure/patch commitments

D12 - Vulnerability Assessment and Penetration Testing

What to verify | Typical evidence
VA/PT of IT systems is performed periodically by qualified testers | VAPT reports; scope; tester empanelment (CERT-In)
OT/ICS is tested safely (offline/lab or carefully scoped) | OT test methodology; lab/test-bed evidence; risk-controlled approach
Findings are tracked to closure with retest | Remediation tracker; retest reports; closure sign-off
Security testing is integrated into acquisition (FAT/SAT) | FAT/SAT security checklists; results
Red-team/adversary-simulation is performed where appropriate | Red-team scope and report; detection-response validation

D13 - Physical and Environmental Security

What to verify | Typical evidence
Physical access to control rooms, data centres and substations is controlled | Access-control logs; badge system reports; visitor register
Critical equipment is protected against tampering and environmental threats | Tamper seals; environmental monitoring (temp/humidity/fire); CCTV coverage
OT device ports and cabinets are physically secured | Port-locking evidence; locked-cabinet inspection notes
Physical security incidents feed the incident process | Integrated logging of physical alarms with SOC

D14 - Awareness, Training and HR Security

What to verify | Typical evidence
Role-based cyber security training is delivered, including for OT staff | Training plan; attendance; OT-specific curriculum
General awareness (phishing, media handling) is run periodically | Awareness campaign records; phishing-simulation results
Background verification is performed for sensitive roles | BGV records; policy
Joiner-mover-leaver process controls access lifecycle | Onboarding/offboarding checklists; access provisioning/de-provisioning logs
Competency of cyber and OT security personnel is maintained | Certifications; skill matrix; refresher records

D15 - Audit, Compliance and Regulatory Reporting

What to verify | Typical evidence
Periodic third-party audit by a CERT-In empanelled auditor is conducted | Audit engagement letter; audit report; auditor empanelment proof
Self-assessment against CEA requirements is performed and documented | Self-assessment questionnaire; gap analysis
Compliance status is reported to the CEA / sectoral authority as required | Compliance submissions; correspondence with CEA/NCIIPC
Non-conformities are tracked in a corrective-action plan | CAP/CAPA register; closure evidence
Management reviews cyber security performance periodically | Management review minutes; KPI dashboards

Scoping the Assessment

Scoping determines which sites, systems and networks are examined and to what depth. Because power-sector entities operate geographically distributed OT alongside corporate IT, scoping decisions materially affect assurance.

  • Enumerate all sites: generation stations, substations, load despatch centres (NLDC/RLDC/SLDC), REMCs, control centres and corporate data centres.
  • Classify each system as critical or non-critical using the entity's documented criticality methodology; critical systems attract the strictest controls and air-gapping expectations.
  • Include both IT and OT boundaries and the interfaces between them (DMZ, data historians, unidirectional gateways).
  • Include third-party connections: vendor remote access, managed services, cloud and market-system interfaces.
  • Define sampling strategy for distributed assets (e.g., representative substations per voltage class, per region).
  • Document exclusions with justification; unjustified exclusions are themselves a finding.
  • Confirm applicability of NCIIPC CII designation, which extends scope and stringency.

OT safety first

Never run intrusive testing against live control systems. Scope OT testing to offline replicas, test-beds, maintenance windows, or passive techniques. An assessment that risks tripping a substation or generation unit is unacceptable - assurance must never compromise grid reliability or human safety.

Implementation Approach (Phased)

Implementers should treat CEA conformance as a programme, not a project. The following phased approach is designed for a typical responsible entity moving from ad-hoc to conformant.

Phase 1 - Establish Governance and Baseline (Months 0-3)

  • Activities: appoint CISO; constitute Information Security Division; approve cyber security policy at board level; define ISMS scope.
  • Activities: initial asset discovery for IT and OT; identify critical systems.
  • Deliverables: approved policy, CISO appointment, ISMS scope, preliminary asset register, criticality classification.

Phase 2 - Risk Assessment and Architecture (Months 3-6)

  • Activities: perform risk/TARA assessment on critical systems; design zones-and-conduits architecture; plan IT/OT segmentation and air-gapping.
  • Activities: define hardening baselines and access-control model.
  • Deliverables: risk register and treatment plan, target network architecture, segmentation design, hardening standards, RBAC/PAM design.

Phase 3 - Technical Control Deployment (Months 6-12)

  • Activities: implement segmentation, DMZ, firewalls, unidirectional gateways; deploy MFA/PAM; roll out endpoint protection and media control; stand up centralised logging and SOC/SIEM.
  • Activities: implement patch/vulnerability management and configuration integrity monitoring.
  • Deliverables: segmented and hardened environment, PAM/MFA in production, SIEM/SOC operational, patch and vulnerability programme running.

Phase 4 - Incident, Crisis and Supply Chain (Months 9-15)

  • Activities: finalise incident response plan and CERT-In/sectoral-CERT reporting workflow; approve CCMP aligned to NCIIPC; embed trusted-source procurement and vendor security clauses; run BCP/DR and tabletop exercises.
  • Deliverables: IR plan and playbooks, approved CCMP, DR test evidence, updated procurement contracts, vendor risk process.

Phase 5 - Assurance, Audit and Continuous Improvement (Months 15+)

  • Activities: conduct VAPT; perform self-assessment; commission third-party audit by CERT-In empanelled auditor; remediate findings; report compliance to CEA.
  • Deliverables: VAPT and audit reports, corrective-action plan, compliance submission, management review cycle established.

Maturity / Capability Model

The CEA regime is compliance-graded rather than a formal maturity scheme, but assessors and implementers benefit from a five-level capability lens to describe where an entity sits and to plan improvement. Each level below is expressed for power-sector control environments.

Level | Name | Characteristics
L1 | Initial / Ad-hoc | No CISO or policy; unknown OT inventory; IT/OT flat network; incidents unreported; no VAPT
L2 | Developing | Policy drafted, CISO named; partial asset register; some segmentation; reactive patching; ad-hoc reporting
L3 | Defined | Full asset/criticality classification; documented zones-and-conduits; RBAC/MFA; SIEM live; IR plan and CCMP approved; VAPT started
L4 | Managed | Air-gapping/isolation enforced; PAM and monitoring mature; metrics-driven; timely CERT-In reporting; supply-chain controls operating
L5 | Optimised | Continuous OT threat detection; adversary simulation; automated compliance evidence; supply-chain assurance and DR fully exercised; independent audit clean

Assessment and Audit Approach

A CEA conformance assessment should follow a disciplined lifecycle, respecting OT safety throughout.

  1. Initiation and scoping: agree scope, sites, sampling, criticality classification and safety constraints with the responsible entity.
  2. Documentation review: examine policy, ISMS artefacts, asset register, risk register, network diagrams, CCMP, IR plan and prior audit/VAPT reports.
  3. Control walkthroughs: interview CISO, OT engineers, SOC and procurement to understand design of controls in each domain.
  4. Technical validation (IT): review firewall rulebases, IAM/PAM configs, SIEM coverage, patch compliance and VAPT results.
  5. Technical validation (OT - safe methods): inspect segmentation and air-gapping, sample OT device hardening, review offline/test-bed VAPT and FAT/SAT evidence.
  6. Site sampling: visit representative generation stations, substations and a load despatch centre; verify physical and OT controls in situ.
  7. Evidence evaluation: assess sufficiency and currency of evidence against each checklist item; note conformity, partial conformity or non-conformity.
  8. Findings and risk rating: classify gaps by severity and grid-reliability impact; identify critical non-conformances.
  9. Reporting: issue an auditor-grade report with executive summary, domain-by-domain findings, evidence references and prioritised recommendations.
  10. Corrective action and retest: agree a corrective-action plan with owners/timelines and retest closure; feed results into CEA/sectoral compliance reporting.

Evidence Request List

Assessors should request the following, organised by category. Implementers can pre-assemble these into an evidence pack to accelerate audits.

Governance and policy

  • Approved cyber security policy and review records
  • CISO appointment and Information Security Division charter
  • ISMS scope, Statement of Applicability, internal audit reports

Asset and architecture

  • IT and OT asset registers with firmware versions
  • Criticality classification and list of critical systems
  • Network and data-flow diagrams; zones-and-conduits maps

Risk and controls

  • Risk methodology, risk register and treatment plan
  • Hardening baselines and configuration standards
  • Firewall rulebases, PAM/MFA configuration, SIEM coverage matrix

Incident, crisis and continuity

  • Incident response plan, playbooks and incident register
  • CERT-In and sectoral-CERT reporting evidence
  • Approved CCMP; BCP/DR plans; drill and DR-test reports

Supply chain and testing

  • Trusted-source declarations and approved-vendor list
  • Equipment test/evaluation and FAT/SAT security records
  • VAPT reports (IT and OT) with remediation trackers

People and physical

  • Training and awareness records; phishing-simulation results
  • Background-verification and joiner-mover-leaver records
  • Physical access logs, CCTV and environmental monitoring evidence

Roles and Responsibilities

Role | Responsibility
Board / Top Management | Approve cyber security policy and budget; accept residual risk; oversee compliance
Chief Information Security Officer (CISO) | Own the cyber security programme; ensure CEA conformance; liaise with CERT-In/NCIIPC/CEA
Information Security Division | Operate ISMS, controls, monitoring and remediation across IT and OT
OT / Plant / Substation Engineers | Implement and maintain OT hardening, segmentation and safe patching; support assessments
SOC / C-SIRT | Detect, triage and respond to incidents; ensure timely regulatory reporting
Procurement / Supply Chain | Enforce trusted-source procurement, contract security clauses and vendor assessments
Internal Audit | Perform self-assessment and validate corrective actions
Third-party Auditor (CERT-In empanelled) | Independent assessment of conformance and issuance of audit report
Sectoral CERT | Coordinate incident information and sector-wide response

KPIs to Track

  • Percentage of critical systems with completed risk assessment and treatment.
  • Percentage of IT/OT assets in the maintained inventory (inventory coverage).
  • Patch/vulnerability remediation timeliness against SLA (by severity).
  • MFA and PAM coverage for privileged and remote access.
  • SIEM/log source coverage for critical systems.
  • Mean time to detect and mean time to respond to incidents.
  • Percentage of incidents reported to CERT-In within mandated timelines.
  • VAPT findings closed within target and open critical/high count.
  • Percentage of procurement from trusted sources; vendor assessments completed.
  • Training completion and phishing-simulation failure rate.
  • Number and outcome of crisis drills / DR tests conducted.
  • Open non-conformities from last third-party audit and closure rate.

Readiness Checklist

  • Board-approved cyber security policy in force and reviewed
  • CISO appointed and Information Security Division resourced
  • Complete IT and OT asset inventory with criticality classification
  • Documented risk assessment, treatment plan and residual-risk acceptance
  • IT/OT segmentation with DMZ; critical systems air-gapped or isolated
  • MFA and PAM enforced for privileged and remote access
  • Hardening baselines and risk-based patch/vulnerability management operating
  • Centralised logging, SIEM and SOC/monitoring live for critical systems
  • Incident response plan with CERT-In and sectoral-CERT reporting workflow
  • Approved CCMP aligned to NCIIPC; BCP/DR tested via drills
  • Trusted-source procurement and vendor security clauses in place
  • VAPT (IT and OT-safe) completed with findings tracked to closure
  • Third-party audit by CERT-In empanelled auditor completed
  • Self-assessment and compliance reporting to CEA submitted

Common Gaps

  • Incomplete OT asset inventory - RTUs, IEDs and PLCs missing firmware detail.
  • Flat or weakly segmented IT/OT networks; DMZ present in design but bypassed in practice.
  • 'Air-gapped' critical systems undermined by undocumented remote-access or removable media.
  • Shared/default credentials on OT devices and missing MFA for vendor access.
  • Patch and vulnerability management stalled on OT due to availability constraints, without documented compensating controls.
  • Logging present but critical OT sources not ingested; no OT-specific detection use-cases.
  • Incident reporting to CERT-In late or inconsistent; sectoral-CERT reporting overlooked.
  • CCMP exists on paper but never exercised; DR untested.
  • Trusted-source and supply-chain testing obligations not evidenced in procurement.
  • VAPT limited to IT; OT excluded entirely rather than tested safely.
  • Self-assessment done once and not maintained; corrective actions not tracked to closure.
  • CISO role nominal, without authority, budget or reporting line to top management.

CEA Power Sector Mapped to Other Frameworks

The CEA regime shares substantial ground with international and Indian frameworks. This mapping helps entities reuse existing evidence and helps assessors triangulate.

CEA domain / theme | Related framework references
Governance, policy, ISMS | ISO/IEC 27001 (ISMS); NIST CSF Govern/Identify
Asset identification & criticality | ISO/IEC 27001 A.5.9; NIST CSF Identify; IEC 62443-2-1 asset management
Network segmentation, zones & conduits | IEC 62443-3-2/3-3 zones and conduits; NIST SP 800-82 (ICS)
Access control & identity | ISO/IEC 27001 A.5/A.8; NIST CSF Protect; IEC 62443 FR1 (IAC)
Logging, monitoring & SOC | ISO/IEC 27001 A.8.15/A.8.16; NIST CSF Detect; IEC 62443 FR6
Incident management & reporting | ISO/IEC 27035; CERT-In directions (2022); NIST CSF Respond
Cyber Crisis Management Plan | NCIIPC CCMP guidance; ISO 22301 (BCM); NIST CSF Recover
Supply chain & trusted source | ISO/IEC 27036; NIST SP 800-161; IEC 62443-4-1 secure product development
OT/ICS security baseline | IEC 62443 series; NIST SP 800-82; NERC CIP (analogous US power scheme)
Audit & assurance | CERT-In empanelled audit; ISO/IEC 27001 certification; NCIIPC CII audits


Frequently asked questions

Does CEA cover OT security?
Yes — the CEA power-sector cyber guidelines emphasise protecting operational technology (SCADA/ICS) alongside IT, given the criticality of the grid.
