Introduction: The CEA Power-Sector Cyber Security Regime
India's power sector is a designated Critical Information Infrastructure (CII). Generation stations, transmission utilities, load despatch centres, distribution companies (DISCOMs) and system operators depend on Operational Technology (OT) - SCADA, Energy Management Systems (EMS), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), Programmable Logic Controllers (PLCs) and increasingly IT/OT-converged platforms. A successful cyber attack against this infrastructure can cause cascading grid failures, prolonged blackouts and threats to national security. Against this backdrop the Central Electricity Authority (CEA), acting under statutory powers, issued the Central Electricity Authority (Cyber Security in Power Sector) Guidelines and subsequently the Cyber Security in Power Sector Regulations to mandate baseline cyber security controls across every responsible entity in the power supply chain.
This guide is written for two audiences at once: the auditor or assessor who must evaluate a responsible entity's conformance to the CEA regime, and the implementer or product/OT engineering team that must design, deploy and evidence the controls. It enumerates the regulatory obligations, the control domains, the assessment lifecycle, the maturity expectations and the evidence artefacts an assessor will demand. Throughout, we anchor to the actual terminology used by the CEA framework: Responsible Entity, Chief Information Security Officer (CISO), Cyber Security Policy, Cyber Crisis Management Plan (CCMP), Information Security Management System (ISMS), Cyber Security Requirements for Supply Chain, air-gapping of critical systems, and reporting to CERT-In and the sectoral CERT (CERT-Transmission / CERT-Thermal / CERT-Hydro / CERT-Distribution).
Copyright and source note
The CEA Cyber Security in Power Sector Guidelines/Regulations are official documents of the Central Electricity Authority, Government of India, and are published in the Gazette of India. This guide is an original, independent interpretation prepared for assessment and implementation purposes. It paraphrases obligations and does not reproduce the copyrighted statutory text. Responsible entities must always work from the authoritative gazetted regulation and any amendments, and from directions issued by the CEA, the Ministry of Power, NCIIPC and CERT-In. Where this guide and the official text differ, the official text prevails.
What is CEA Power Sector Cyber Security
The CEA Power-Sector Cyber Security regime is a sector-specific, mandatory cyber security scheme for the Indian electricity supply industry. It began life as the 'Guidelines on Cyber Security in Power Sector' (issued by the CEA in October 2021) and has matured into a binding regulatory instrument, the 'Central Electricity Authority (Cyber Security in Power Sector) Regulations', framed under Section 177 of the Electricity Act, 2003, read with the CEA's mandate and in alignment with the Information Technology Act, 2000 and the National Critical Information Infrastructure Protection Centre (NCIIPC) directives.
Unlike a voluntary certification such as ISO/IEC 27001, the CEA regime is compulsory for defined 'Responsible Entities'. It layers a power-sector-specific OT/ICS security baseline on top of general information security good practice. Its core objectives are: (a) to create a cyber-secure ecosystem across generation, transmission, distribution, load despatch and system operation; (b) to enforce identification and protection of critical and non-critical systems; (c) to institutionalise governance through a CISO and an Information Security Division; (d) to mandate incident detection, reporting and crisis management; and (e) to secure the supply chain of ICT and OT products entering power-sector networks, including a preference for products from 'trusted sources' and testing/evaluation of equipment.
The scheme is enforced through self-assessment, periodic third-party audits by CERT-In empanelled auditors, mandatory incident reporting, vulnerability assessment and penetration testing (VAPT), and oversight by the sectoral CERTs. Non-conformance carries regulatory consequences, since the underlying instrument is statutory.
Who Must Comply (Responsible Entities)
The regime applies to every 'Responsible Entity' - broadly, any organisation that owns, operates or maintains a system that is part of, or connected to, the power-sector grid or its supporting information infrastructure. The table below enumerates the principal categories.
| Category of responsible entity | Examples / scope of obligation |
|---|---|
| Generating companies | Thermal, hydro, nuclear (where applicable), gas, and large renewable generation stations operating plant control systems, DCS, turbine governors and generation SCADA |
| Transmission licensees / STUs / CTU | Central Transmission Utility (Power Grid), State Transmission Utilities, private transmission licensees operating substations, SAS, IEDs and tele-protection |
| Distribution licensees (DISCOMs) | State and private distribution companies operating distribution SCADA/DMS, AMI/smart-metering head-ends, DT monitoring, and consumer-facing IT |
| Load Despatch Centres | National (NLDC), Regional (RLDC) and State (SLDC) Load Despatch Centres operating EMS/SCADA, AGC, state estimation and market systems |
| System operators | Grid controllers and operators of the unified real-time despatch and balancing systems |
| Renewable / RE management centres | Renewable Energy Management Centres (REMCs) for forecasting, scheduling and control |
| Vendors, OEMs and service providers | Suppliers of ICT/OT equipment, integrators, managed service providers and cloud/hosting providers who must meet supply-chain and trusted-source obligations |
| SLDC/RLDC IT support and CSIRT functions | Sectoral CERT constituents (CERT-Transmission, CERT-Thermal, CERT-Hydro, CERT-Distribution) and internal C-SIRTs |
- Applicability is triggered by connection to, or being part of, the power grid or its control/monitoring infrastructure - not by organisation size.
- Both critical systems (whose compromise affects grid reliability/security) and non-critical business IT systems are in scope, though controls are graded by criticality.
- Third parties and supply-chain participants inherit flow-down obligations through contracts and the trusted-source requirement.
- Entities designated as CII by NCIIPC carry additional, stricter obligations under the IT Act.
Structure of CEA Power Sector Cyber Security
The regime is structured as a set of governance obligations plus a graded technical control baseline covering IT and OT/ICS. For assessment purposes it is convenient to decompose it into control domains (families). The table below maps the principal domains, their focus and representative controls. These domains form the spine of the master assessment checklist that follows.
| Domain (family) | Focus | Representative controls / obligations |
|---|---|---|
| D1 Governance & Cyber Security Policy | Leadership, policy, ISMS | Board-approved cyber security policy; CISO appointment; Information Security Division; ISMS aligned to ISO 27001 |
| D2 Asset Identification & Classification | Inventory, criticality | Identify critical/non-critical systems; asset register; network architecture documentation |
| D3 Risk Assessment & Management | TARA, risk treatment | Periodic risk assessment; threat and vulnerability analysis; risk treatment plan; residual-risk sign-off |
| D4 Network Segmentation & Architecture | IT/OT separation | Zones and conduits; DMZ; air-gapping of critical control systems; firewalls; unidirectional gateways |
| D5 Access Control & Identity | AAA, least privilege | RBAC; MFA for remote/privileged access; unique IDs; session control; vendor access governance |
| D6 Secure Configuration & Hardening | Baselines, patching | Hardened baselines; change management; patch and vulnerability management for IT and OT |
| D7 Malware & Endpoint Protection | Anti-malware, media | AV/EDR where feasible; removable-media control; application whitelisting on OT |
| D8 Logging, Monitoring & SOC | Detection | Centralised logging; SIEM; SOC/monitoring; NTP time-sync; log retention |
| D9 Incident Management & Reporting | Detect-report-respond | Incident response plan; reporting to CERT-In within timelines; sectoral CERT reporting |
| D10 Cyber Crisis Management Plan (CCMP) | Crisis, continuity | CCMP aligned to NCIIPC; BCP/DR; crisis drills and tabletop exercises |
| D11 Supply Chain & Trusted Source | Procurement security | Trusted-source procurement; equipment testing/evaluation; secure SDLC; vendor security clauses |
| D12 VAPT & Security Testing | Assurance testing | Periodic VA/PT of IT and OT (safely); FAT/SAT security testing; red-team where applicable |
| D13 Physical & Environmental Security | Physical protection | Access control to control rooms/substations; environmental monitoring; tamper protection |
| D14 Awareness, Training & HR Security | People | Role-based training; awareness; background verification; joiner/mover/leaver process |
| D15 Audit, Compliance & Reporting | Assurance & governance | Periodic third-party audit by CERT-In empanelled auditor; self-assessment; compliance reporting to CEA |
Master Assessment Checklist
This is the core of the guide. Each domain is expanded into concrete verification items and the typical evidence an assessor should collect. Do not skip any domain. Every 'What to verify' line is intended to become a test step; every 'Typical evidence' line is the artefact that discharges it. The assessor should sample across sites (plants, substations, load despatch centres) and across both IT and OT environments.
D1 - Governance and Cyber Security Policy
| What to verify | Typical evidence |
|---|---|
| A board/top-management-approved cyber security policy exists and is current | Signed policy document; board/management approval minutes; review dates |
| A CISO has been appointed with defined authority and reporting line | Appointment letter; role charter; org chart showing reporting to top management |
| An Information Security Division / cyber security cell is established and resourced | Team structure; RACI; budget allocation; staffing records |
| An ISMS aligned to ISO/IEC 27001 is defined and operating | ISMS scope statement; Statement of Applicability; internal audit reports; certificate if held |
| Roles, responsibilities and accountability for cyber security are documented | RACI matrix; job descriptions; delegation of authority |
| Policy is communicated and enforced across IT and OT | Acknowledgement records; intranet publication; training attendance |
D2 - Asset Identification and Classification
| What to verify | Typical evidence |
|---|---|
| A complete inventory of IT and OT assets exists and is maintained | Asset register (hardware, software, firmware versions); CMDB extract; update log |
| Critical systems are identified and separately classified from non-critical systems | Criticality classification methodology; list of critical systems; sign-off |
| Network architecture and data-flow diagrams are documented and current | Network diagrams; zone/conduit maps; data-flow diagrams with dates |
| Ownership is assigned for every asset and information set | Asset-owner mapping; information classification labels |
| OT assets (RTUs, IEDs, PLCs, SCADA/EMS/DMS servers) are inventoried with firmware detail | OT asset list with make/model/firmware; substation and plant coverage |
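The two most frequent D2 failures are register rows with no firmware/owner/criticality and devices that are live on the network but absent from the register. The following is an added example for this guide (not CEA text and not a product's tooling) of how an assessor can test both mechanically. The register columns, the site and asset identifiers, the CSV rows and the "observed devices" list are all constructed assumptions; in practice the observed list would come from a passive capture or span-port analysis of the OT network, never from an active scan of live controllers.

```python
"""Asset register completeness check for OT.

Flags register rows missing firmware, owner or criticality, flags devices observed
on the network that the register does not know, and computes the inventory-coverage
KPI. Added example for this guide; the register layout and all data are constructed.
"""
import csv
import io

REQUIRED_COLUMNS = ("asset_id", "site", "type", "make_model", "firmware",
                    "owner", "criticality", "ip")
MANDATORY_FIELDS = ("firmware", "owner", "criticality")

# Constructed register extract (assumption: one row per OT asset, CSV export).
REGISTER_CSV = """asset_id,site,type,make_model,firmware,owner,criticality,ip
RTU-0041,SS-220-NORTH,RTU,VendorA RTU-X,3.2.1,Substation Eng,critical,10.20.1.41
IED-0107,SS-220-NORTH,IED,VendorB Relay-7,,Protection Eng,critical,10.20.1.107
PLC-0210,GEN-UNIT2,PLC,VendorC PLC-9,7.0.4,,critical,10.30.2.10
HIS-0003,CC-MAIN,Historian,VendorD Hist,2024.1,IT Ops,,10.40.0.3
"""

# Constructed passive-discovery output: (ip, vendor guessed from MAC OUI, protocol seen).
OBSERVED_DEVICES = [
    ("10.20.1.41", "VendorA", "iec104"),
    ("10.20.1.107", "VendorB", "iec61850-mms"),
    ("10.20.1.108", "VendorB", "iec61850-mms"),   # talks MMS but is not in the register
    ("10.30.2.10", "VendorC", "modbus"),
]


def load_register(text):
    """Parse the CSV and refuse a register that lacks the columns the check needs."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"register lacks required columns: {missing}")
    return list(reader)


def check_register(rows, observed):
    """Return (identifier, finding) tuples; an empty list means no findings."""
    findings = []
    for row in rows:
        for field in MANDATORY_FIELDS:
            if not row.get(field, "").strip():
                findings.append((row["asset_id"], f"missing {field}"))
    known_ips = {row["ip"] for row in rows}
    for ip, vendor, proto in observed:
        if ip not in known_ips:
            findings.append((ip, f"device speaking {proto} ({vendor}) not in register"))
    return findings


def coverage(rows, observed):
    """Inventory-coverage KPI: fraction of observed devices that the register knows."""
    known = {row["ip"] for row in rows}
    seen = {ip for ip, _, _ in observed}
    return len(seen & known) / len(seen) if seen else 1.0


if __name__ == "__main__":
    register = load_register(REGISTER_CSV)
    for ident, finding in check_register(register, OBSERVED_DEVICES):
        print(f"{ident}: {finding}")
    print(f"inventory coverage: {coverage(register, OBSERVED_DEVICES):.0%}")
```

Each finding maps directly to a checklist row: a missing firmware value fails "inventoried with firmware detail", a missing owner fails the ownership item, and an unregistered MMS speaker at a 220 kV substation is exactly the "incomplete OT asset inventory" gap listed later in this guide. The coverage figure feeds the inventory KPI.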
D3 - Risk Assessment and Management
| What to verify | Typical evidence |
|---|---|
| A documented risk assessment methodology is defined and applied periodically | Risk methodology; risk assessment schedule; latest risk register |
| Threats, vulnerabilities and impacts are assessed for critical systems (TARA-style) | Threat models; vulnerability findings; impact ratings; likelihood scoring |
| A risk treatment plan with owners and timelines exists | Risk treatment plan; remediation tracker; due dates |
| Residual risks are formally accepted at appropriate authority | Risk acceptance records signed by CISO/management |
| Risk assessment is repeated after major change or incident | Change-triggered assessments; post-incident risk reviews |
D4 - Network Segmentation and Architecture
| What to verify | Typical evidence |
|---|---|
| IT and OT networks are logically and/or physically separated | Network diagrams; VLAN/firewall configs; segmentation test results |
| Critical control systems are air-gapped or isolated as mandated | Air-gap declaration; physical inspection notes; documented exceptions with compensating controls |
| A DMZ mediates all IT-to-OT data exchange | DMZ design; data historian/broker placement; firewall rulebase |
| Firewalls/unidirectional gateways enforce the conduit rules between zones, with an explicit deny-by-default | Firewall rule review; data-diode configuration; evidence of an explicit final deny rule (not merely an implicit default) |
| Remote access to OT is controlled through jump hosts and brokered channels | Remote-access architecture; jump-server logs; VPN configuration |
| Wireless and external connectivity into OT is restricted and monitored | Wireless survey; rogue-AP scans; external connection register |
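A firewall rulebase review for D4 reduces to a small set of mechanical questions once the rules are normalised to zones: does anything reach a control zone without coming from the DMZ, are any services into a control zone open to "any", does a control zone have an outbound Internet path, and is there an explicit final deny. The following is an added example for this guide (not CEA text, not a vendor's tool) that asks those questions of a constructed rulebase. The zone names, the rule shape and the sample rules are assumptions; a real review first exports the vendor rulebase and maps interfaces or address objects onto the entity's documented zones.

```python
"""Zones-and-conduits rulebase review.

Flags IT/vendor/Internet flows that reach a control zone without passing through the
DMZ, over-broad services into control zones, control-zone egress to the Internet, and
a rulebase with no explicit any/any deny at the end. Added example for this guide; the
zone model, rule format and sample rules are constructed assumptions.
"""
from dataclasses import dataclass

# Zone model (assumption): only the DMZ and the control zones themselves may originate
# traffic into a control zone. Lateral OT-to-OT rules are reviewed separately.
CONTROL_ZONES = {"OT_CONTROL", "OT_SAFETY"}
PERMITTED_INTO_CONTROL = {"DMZ"} | CONTROL_ZONES


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    proto: str    # "tcp", "udp" or "any"
    dport: str    # "502", "3389", "any", ...
    action: str   # "allow" or "deny"


def review_rulebase(rules):
    """Return (rule_id, finding) tuples in rulebase order; empty list means clean."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_zone in CONTROL_ZONES and r.src_zone not in PERMITTED_INTO_CONTROL:
            findings.append((r.rule_id, f"direct {r.src_zone}->{r.dst_zone} flow bypasses DMZ"))
        if r.dst_zone in CONTROL_ZONES and (r.proto == "any" or r.dport == "any"):
            findings.append((r.rule_id, f"over-broad service {r.proto}/{r.dport} into {r.dst_zone}"))
        if r.src_zone in CONTROL_ZONES and r.dst_zone == "INTERNET":
            findings.append((r.rule_id, "control zone has an outbound Internet path"))
    # Deny-by-default must be evidenced by an explicit catch-all deny as the last rule.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src_zone == "any" and last.dst_zone == "any"):
        findings.append(("<end>", "no explicit any/any deny at end of rulebase"))
    return findings


# Constructed sample rulebase for the example.
SAMPLE_RULES = [
    Rule("R1", "IT_CORP", "DMZ", "tcp", "443", "allow"),         # historian replication via DMZ
    Rule("R2", "DMZ", "OT_CONTROL", "tcp", "502", "allow"),      # DMZ broker polls controllers
    Rule("R3", "IT_CORP", "OT_CONTROL", "tcp", "3389", "allow"), # RDP straight into OT
    Rule("R4", "VENDOR", "OT_CONTROL", "any", "any", "allow"),   # vendor VPN, any/any into OT
    Rule("R5", "OT_CONTROL", "INTERNET", "tcp", "80", "allow"),  # controller egress to Internet
    Rule("R6", "any", "any", "any", "any", "deny"),              # explicit default deny
]

if __name__ == "__main__":
    for rule_id, finding in review_rulebase(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
```

R3 and R4 are the "DMZ present in design but bypassed in practice" pattern; R4 additionally shows why vendor remote access must be brokered through a jump host rather than opened at the firewall. The review only reads an exported rulebase, so it is safe to run against production evidence.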
D5 - Access Control and Identity Management
| What to verify | Typical evidence |
|---|---|
| Every user and service account is uniquely identifiable (no shared accounts) | Account inventory; identity provider export; shared-account exceptions |
| Role-based access control enforces least privilege | RBAC matrix; entitlement review reports; segregation-of-duties analysis |
| Multi-factor authentication protects remote and privileged access | MFA policy; MFA enrolment reports; privileged access management (PAM) logs |
| Periodic access recertification is performed | Access review sign-offs; revocation records for movers/leavers |
| Vendor and third-party access is time-bound, logged and supervised | Vendor access requests; approvals; session recordings/logs |
| Default and vendor credentials are changed on OT devices | Password change evidence; device configuration review |
D6 - Secure Configuration, Hardening and Patch Management
| What to verify | Typical evidence |
|---|---|
| Hardened configuration baselines exist for IT and OT assets | Baseline/hardening standards; benchmark reports (CIS/vendor) |
| A change management process governs all configuration changes | Change tickets; CAB minutes; emergency change records |
| Patch and vulnerability management covers IT and OT with risk-based timelines | Patch schedule; patch compliance reports; OT patch-window/mitigation records |
| Unsupported/end-of-life systems are identified and mitigated | EOL register; compensating-control documentation; migration roadmap |
| Configuration integrity is monitored for critical devices | Configuration backup; integrity-check evidence; drift alerts |
D7 - Malware and Endpoint Protection
| What to verify | Typical evidence |
|---|---|
| Anti-malware/EDR is deployed on IT endpoints and OT where feasible | AV/EDR console coverage report; signature/engine currency |
| Removable media use is controlled and scanned before use in OT | Media control policy; scanning kiosk logs; USB port-control settings |
| Application whitelisting is applied on OT hosts where supported | Whitelisting configuration; allowed-application list |
| Malware defence updates are tested before deployment to OT | Offline update/staging process; test records |
D8 - Logging, Monitoring and Security Operations
| What to verify | Typical evidence |
|---|---|
| Security-relevant events are logged across IT and OT | Logging policy; sample logs; source coverage matrix |
| Logs are centralised and correlated in a SIEM/monitoring platform | SIEM architecture; ingestion list; correlation rules |
| A SOC or monitoring capability provides continuous detection | SOC operating model; shift roster; alert-handling records |
| Time synchronisation (NTP or equivalent) is enforced across IT and OT from a trusted time source, so that logs from different zones can be correlated | NTP/GPS time-source configuration; time-drift monitoring |
| Log retention meets policy and regulatory expectations | Retention policy; storage evidence; archival records |
| Use-cases exist for OT-specific attack detection | OT detection rules; anomaly-detection deployment |
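"OT-specific detection use-cases" means rules that understand the control protocol rather than generic IT signatures. The following is an added example for this guide (not CEA text and not a SIEM product's rule) of one such use-case: alert on Modbus/TCP write operations to controllers that originate from anything other than an approved engineering workstation, and on any write arriving from the DMZ, which should carry read-only historian traffic. The normalised log format, the engineering-workstation allowlist, the DMZ range and the sample records are constructed assumptions; the Modbus function codes treated as writes are the standard ones.

```python
"""OT detection use-case: unauthorised Modbus/TCP writes.

Input is a normalised flow record per line (assumption: the protocol decoder has already
extracted the Modbus function code). Alerts when a write function code is sent to a
controller from a host that is not an approved engineering workstation, or from the DMZ.
Added example for this guide; hosts, ranges and records are constructed.
"""
import ipaddress

# Standard Modbus function codes that change controller state.
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}
MODBUS_PORT = 502

# Assumptions for the example: approved engineering workstations and the DMZ range.
ENGINEERING_WS = {"10.20.0.15", "10.20.0.16"}
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed records: timestamp src_ip dst_ip dst_port function_code unit_id
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.20.0.15 10.20.1.41 502 16 1
2025-03-01T10:00:05Z 10.10.0.7 10.20.1.41 502 3 1
2025-03-01T10:01:12Z 10.10.0.7 10.20.1.41 502 6 1
2025-03-01T10:02:40Z 10.20.0.99 10.20.1.42 502 5 1
2025-03-01T10:03:00Z 10.20.0.16 10.20.1.42 502 3 1
"""


def parse_record(line):
    ts, src, dst, dport, fc, unit = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "fc": int(fc), "unit": int(unit)}


def detect_unauthorised_writes(lines):
    """Return (ts, src, dst, reason) alerts for writes that violate the use-case."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["dport"] != MODBUS_PORT or rec["fc"] not in MODBUS_WRITE_FC:
            continue  # reads and non-Modbus traffic are out of scope for this rule
        if ipaddress.ip_address(rec["src"]) in DMZ_NET:
            alerts.append((rec["ts"], rec["src"], rec["dst"],
                           f"fc{rec['fc']} write from DMZ host (zone should be read-only)"))
        elif rec["src"] not in ENGINEERING_WS:
            alerts.append((rec["ts"], rec["src"], rec["dst"],
                           f"fc{rec['fc']} write from non-engineering host"))
        # Writes from approved workstations are logged for audit but not alerted here.
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthorised_writes(SAMPLE_LOG.splitlines()):
        print(" | ".join(alert))
```

In the sample, the DMZ broker's read (function code 3) passes but its write (function code 6) alerts, as does a write from an unlisted host in the OT range. The same shape of rule applies to IEC 60870-5-104 control commands or IEC 61850 GOOSE/MMS writes once the decoder exposes the operation type; the point for the assessor is that the SIEM must ingest protocol-aware OT logs for such a rule to exist at all.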
D9 - Incident Management and Reporting
| What to verify | Typical evidence |
|---|---|
| A documented incident response plan with severity classification exists | IR plan; playbooks; severity matrix |
| Cyber incidents are reported to CERT-In within mandated timelines | Incident register; CERT-In reporting acknowledgements; timestamps |
| Incidents are reported to the relevant sectoral CERT | Sectoral CERT (CERT-Transmission/Thermal/Hydro/Distribution) correspondence |
| Incidents are investigated, root-caused and closed with lessons learned | RCA reports; corrective actions; closure records |
| An internal C-SIRT / response team is defined and reachable 24x7 | C-SIRT roster; contact tree; escalation matrix |
| Post-incident forensics and evidence preservation are provided for | Forensic procedure; chain-of-custody templates |
D10 - Cyber Crisis Management Plan (CCMP)
| What to verify | Typical evidence |
|---|---|
| A CCMP aligned to the NCIIPC template is approved and current | Approved CCMP document; version/date; NCIIPC alignment mapping |
| Business continuity and disaster recovery plans cover critical systems | BCP/DR plans; RTO/RPO definitions; DR site details |
| Crisis drills, tabletop exercises and DR tests are conducted periodically | Exercise reports; DR test results; participation records |
| Crisis roles, escalation and external communication are defined | Crisis org chart; escalation matrix; media/regulator communication plan |
| Grid restoration/black-start coordination considers cyber scenarios | Restoration procedures; cyber-scenario integration evidence |
D11 - Supply Chain and Trusted Source Security
| What to verify | Typical evidence |
|---|---|
| ICT/OT equipment is procured from trusted sources as mandated | Trusted-source declarations; procurement policy; approved-vendor list |
| Equipment is tested/evaluated for cyber security before deployment | Type-test/lab-evaluation reports; FAT/SAT security test records |
| Security requirements are embedded in contracts and tenders | Contract security clauses; RFP cyber requirements; SLAs |
| Software/firmware integrity and provenance are verified | Code-signing/hash verification; SBOM where available |
| Vendor security posture is assessed periodically | Vendor risk assessments; audit rights exercised; questionnaires |
| Secure development practices are required of suppliers | Secure SDLC evidence; vulnerability disclosure/patch commitments |
D12 - Vulnerability Assessment and Penetration Testing
| What to verify | Typical evidence |
|---|---|
| VA/PT of IT systems is performed periodically by qualified testers | VAPT reports; scope; tester empanelment (CERT-In) |
| OT/ICS is tested safely (offline/lab or carefully scoped) | OT test methodology; lab/test-bed evidence; risk-controlled approach |
| Findings are tracked to closure with retest | Remediation tracker; retest reports; closure sign-off |
| Security testing is integrated into acquisition (FAT/SAT) | FAT/SAT security checklists; results |
| Red-team/adversary-simulation is performed where appropriate | Red-team scope and report; detection-response validation |
D13 - Physical and Environmental Security
| What to verify | Typical evidence |
|---|---|
| Physical access to control rooms, data centres and substations is controlled | Access-control logs; badge system reports; visitor register |
| Critical equipment is protected against tampering and environmental threats | Tamper seals; environmental monitoring (temp/humidity/fire); CCTV coverage |
| OT device ports and cabinets are physically secured | Port-locking evidence; locked-cabinet inspection notes |
| Physical security incidents feed the incident process | Integrated logging of physical alarms with SOC |
D14 - Awareness, Training and HR Security
| What to verify | Typical evidence |
|---|---|
| Role-based cyber security training is delivered, including for OT staff | Training plan; attendance; OT-specific curriculum |
| General awareness (phishing, media handling) is run periodically | Awareness campaign records; phishing-simulation results |
| Background verification is performed for sensitive roles | BGV records; policy |
| Joiner-mover-leaver process controls access lifecycle | Onboarding/offboarding checklists; access provisioning/de-provisioning logs |
| Competency of cyber and OT security personnel is maintained | Certifications; skill matrix; refresher records |
D15 - Audit, Compliance and Regulatory Reporting
| What to verify | Typical evidence |
|---|---|
| Periodic third-party audit by a CERT-In empanelled auditor is conducted | Audit engagement letter; audit report; auditor empanelment proof |
| Self-assessment against CEA requirements is performed and documented | Self-assessment questionnaire; gap analysis |
| Compliance status is reported to the CEA / sectoral authority as required | Compliance submissions; correspondence with CEA/NCIIPC |
| Non-conformities are tracked in a corrective-action plan | CAP/CAPA register; closure evidence |
| Management reviews cyber security performance periodically | Management review minutes; KPI dashboards |
Scoping the Assessment
Scoping determines which sites, systems and networks are examined and to what depth. Because power-sector entities operate geographically distributed OT alongside corporate IT, scoping decisions materially affect assurance.
- Enumerate all sites: generation stations, substations, load despatch centres (NLDC/RLDC/SLDC), REMCs, control centres and corporate data centres.
- Classify each system as critical or non-critical using the entity's documented criticality methodology; critical systems attract the strictest controls and air-gapping expectations.
- Include both IT and OT boundaries and the interfaces between them (DMZ, data historians, unidirectional gateways).
- Include third-party connections: vendor remote access, managed services, cloud and market-system interfaces.
- Define sampling strategy for distributed assets (e.g., representative substations per voltage class, per region).
- Document exclusions with justification; unjustified exclusions are themselves a finding.
- Confirm applicability of NCIIPC CII designation, which extends scope and stringency.
OT safety first
Never run intrusive testing against live control systems. Scope OT testing to offline replicas, test-beds, maintenance windows, or passive techniques. An assessment that risks tripping a substation or generation unit is unacceptable - assurance must never compromise grid reliability or human safety.
Implementation Approach (Phased)
Implementers should treat CEA conformance as a programme, not a project. The following phased approach is designed for a typical responsible entity moving from ad-hoc to conformant.
Phase 1 - Establish Governance and Baseline (Months 0-3)
- Activities: appoint CISO; constitute Information Security Division; approve cyber security policy at board level; define ISMS scope.
- Activities: initial asset discovery for IT and OT; identify critical systems.
- Deliverables: approved policy, CISO appointment, ISMS scope, preliminary asset register, criticality classification.
Phase 2 - Risk Assessment and Architecture (Months 3-6)
- Activities: perform risk/TARA assessment on critical systems; design zones-and-conduits architecture; plan IT/OT segmentation and air-gapping.
- Activities: define hardening baselines and access-control model.
- Deliverables: risk register and treatment plan, target network architecture, segmentation design, hardening standards, RBAC/PAM design.
Phase 3 - Technical Control Deployment (Months 6-12)
- Activities: implement segmentation, DMZ, firewalls, unidirectional gateways; deploy MFA/PAM; roll out endpoint protection and media control; stand up centralised logging and SOC/SIEM.
- Activities: implement patch/vulnerability management and configuration integrity monitoring.
- Deliverables: segmented and hardened environment, PAM/MFA in production, SIEM/SOC operational, patch and vulnerability programme running.
Phase 4 - Incident, Crisis and Supply Chain (Months 9-15)
- Activities: finalise incident response plan and CERT-In/sectoral-CERT reporting workflow; approve CCMP aligned to NCIIPC; embed trusted-source procurement and vendor security clauses; run BCP/DR and tabletop exercises.
- Deliverables: IR plan and playbooks, approved CCMP, DR test evidence, updated procurement contracts, vendor risk process.
Phase 5 - Assurance, Audit and Continuous Improvement (Months 15+)
- Activities: conduct VAPT; perform self-assessment; commission third-party audit by CERT-In empanelled auditor; remediate findings; report compliance to CEA.
- Deliverables: VAPT and audit reports, corrective-action plan, compliance submission, management review cycle established.
Maturity / Capability Model
The CEA regime is compliance-graded rather than a formal maturity scheme, but assessors and implementers benefit from a five-level capability lens to describe where an entity sits and to plan improvement. Each level below is expressed for power-sector control environments.
| Level | Name | Characteristics |
|---|---|---|
| L1 | Initial / Ad-hoc | No CISO or policy; unknown OT inventory; IT/OT flat network; incidents unreported; no VAPT |
| L2 | Developing | Policy drafted, CISO named; partial asset register; some segmentation; reactive patching; ad-hoc reporting |
| L3 | Defined | Full asset/criticality classification; documented zones-and-conduits; RBAC/MFA; SIEM live; IR plan and CCMP approved; VAPT started |
| L4 | Managed | Air-gapping/isolation enforced; PAM and monitoring mature; metrics-driven; timely CERT-In reporting; supply-chain controls operating |
| L5 | Optimised | Continuous OT threat detection; adversary simulation; automated compliance evidence; supply-chain assurance and DR fully exercised; independent audit clean |
Assessment and Audit Approach
A CEA conformance assessment should follow a disciplined lifecycle, respecting OT safety throughout.
- Initiation and scoping: agree scope, sites, sampling, criticality classification and safety constraints with the responsible entity.
- Documentation review: examine policy, ISMS artefacts, asset register, risk register, network diagrams, CCMP, IR plan and prior audit/VAPT reports.
- Control walkthroughs: interview CISO, OT engineers, SOC and procurement to understand design of controls in each domain.
- Technical validation (IT): review firewall rulebases, IAM/PAM configs, SIEM coverage, patch compliance and VAPT results.
- Technical validation (OT - safe methods): inspect segmentation and air-gapping, sample OT device hardening, review offline/test-bed VAPT and FAT/SAT evidence.
- Site sampling: visit representative generation stations, substations and a load despatch centre; verify physical and OT controls in situ.
- Evidence evaluation: assess sufficiency and currency of evidence against each checklist item; note conformity, partial conformity or non-conformity.
- Findings and risk rating: classify gaps by severity and grid-reliability impact; identify critical non-conformances.
- Reporting: issue an auditor-grade report with executive summary, domain-by-domain findings, evidence references and prioritised recommendations.
- Corrective action and retest: agree a corrective-action plan with owners/timelines and retest closure; feed results into CEA/sectoral compliance reporting.
Evidence Request List
Assessors should request the following, organised by category. Implementers can pre-assemble these into an evidence pack to accelerate audits.
Governance and policy
- Approved cyber security policy and review records
- CISO appointment and Information Security Division charter
- ISMS scope, Statement of Applicability, internal audit reports
Asset and architecture
- IT and OT asset registers with firmware versions
- Criticality classification and list of critical systems
- Network and data-flow diagrams; zones-and-conduits maps
Risk and controls
- Risk methodology, risk register and treatment plan
- Hardening baselines and configuration standards
- Firewall rulebases, PAM/MFA configuration, SIEM coverage matrix
Incident, crisis and continuity
- Incident response plan, playbooks and incident register
- CERT-In and sectoral-CERT reporting evidence
- Approved CCMP; BCP/DR plans; drill and DR-test reports
Supply chain and testing
- Trusted-source declarations and approved-vendor list
- Equipment test/evaluation and FAT/SAT security records
- VAPT reports (IT and OT) with remediation trackers
People and physical
- Training and awareness records; phishing-simulation results
- Background-verification and joiner-mover-leaver records
- Physical access logs, CCTV and environmental monitoring evidence
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Board / Top Management | Approve cyber security policy and budget; accept residual risk; oversee compliance |
| Chief Information Security Officer (CISO) | Own the cyber security programme; ensure CEA conformance; liaise with CERT-In/NCIIPC/CEA |
| Information Security Division | Operate ISMS, controls, monitoring and remediation across IT and OT |
| OT / Plant / Substation Engineers | Implement and maintain OT hardening, segmentation and safe patching; support assessments |
| SOC / C-SIRT | Detect, triage and respond to incidents; ensure timely regulatory reporting |
| Procurement / Supply Chain | Enforce trusted-source procurement, contract security clauses and vendor assessments |
| Internal Audit | Perform self-assessment and validate corrective actions |
| Third-party Auditor (CERT-In empanelled) | Independent assessment of conformance and issuance of audit report |
| Sectoral CERT | Coordinate incident information and sector-wide response |
KPIs to Track
- Percentage of critical systems with completed risk assessment and treatment.
- Percentage of IT/OT assets in the maintained inventory (inventory coverage).
- Patch/vulnerability remediation timeliness against SLA (by severity).
- MFA and PAM coverage for privileged and remote access.
- SIEM/log source coverage for critical systems.
- Mean time to detect and mean time to respond to incidents.
- Percentage of incidents reported to CERT-In within mandated timelines.
- VAPT findings closed within target and open critical/high count.
- Percentage of procurement from trusted sources; vendor assessments completed.
- Training completion and phishing-simulation failure rate.
- Number and outcome of crisis drills / DR tests conducted.
- Open non-conformities from last third-party audit and closure rate.
Readiness Checklist
- Board-approved cyber security policy in force and reviewed
- CISO appointed and Information Security Division resourced
- Complete IT and OT asset inventory with criticality classification
- Documented risk assessment, treatment plan and residual-risk acceptance
- IT/OT segmentation with DMZ; critical systems air-gapped or isolated
- MFA and PAM enforced for privileged and remote access
- Hardening baselines and risk-based patch/vulnerability management operating
- Centralised logging, SIEM and SOC/monitoring live for critical systems
- Incident response plan with CERT-In and sectoral-CERT reporting workflow
- Approved CCMP aligned to NCIIPC; BCP/DR tested via drills
- Trusted-source procurement and vendor security clauses in place
- VAPT (IT and OT-safe) completed with findings tracked to closure
- Third-party audit by CERT-In empanelled auditor completed
- Self-assessment and compliance reporting to CEA submitted
Common Gaps
- Incomplete OT asset inventory - RTUs, IEDs and PLCs missing firmware detail.
- Flat or weakly segmented IT/OT networks; DMZ present in design but bypassed in practice.
- 'Air-gapped' critical systems undermined by undocumented remote-access or removable media.
- Shared/default credentials on OT devices and missing MFA for vendor access.
- Patch and vulnerability management stalled on OT due to availability constraints, without documented compensating controls.
- Logging present but critical OT sources not ingested; no OT-specific detection use-cases.
- Incident reporting to CERT-In late or inconsistent; sectoral-CERT reporting overlooked.
- CCMP exists on paper but never exercised; DR untested.
- Trusted-source and supply-chain testing obligations not evidenced in procurement.
- VAPT limited to IT; OT excluded entirely rather than tested safely.
- Self-assessment done once and not maintained; corrective actions not tracked to closure.
- CISO role nominal, without authority, budget or reporting line to top management.
CEA Power Sector Mapped to Other Frameworks
The CEA regime shares substantial ground with international and Indian frameworks. This mapping helps entities reuse existing evidence and helps assessors triangulate.
| CEA domain / theme | Related framework references |
|---|---|
| Governance, policy, ISMS | ISO/IEC 27001 (ISMS); NIST CSF Govern/Identify |
| Asset identification & criticality | ISO/IEC 27001 A.5.9; NIST CSF Identify; IEC 62443-2-1 asset management |
| Network segmentation, zones & conduits | IEC 62443-3-2/3-3 zones and conduits; NIST SP 800-82 (ICS) |
| Access control & identity | ISO/IEC 27001 A.5.15-5.18 and A.8.2-8.5; NIST CSF Protect; IEC 62443 FR1 (identification and authentication control) |
| Logging, monitoring & SOC | ISO/IEC 27001 A.8.15/A.8.16; NIST CSF Detect; IEC 62443 FR6 |
| Incident management & reporting | ISO/IEC 27035; CERT-In directions (2022); NIST CSF Respond |
| Cyber Crisis Management Plan | NCIIPC CCMP guidance; ISO 22301 (BCM); NIST CSF Recover |
| Supply chain & trusted source | ISO/IEC 27036; NIST SP 800-161; IEC 62443-4-1 secure product development |
| OT/ICS security baseline | IEC 62443 series; NIST SP 800-82; NERC CIP (analogous US power scheme) |
| Audit & assurance | CERT-In empanelled audit; ISO/IEC 27001 certification; NCIIPC CII audits |
How CyberSigma helps
CyberSigma is a CERT-In empanelled and PCI QSA advisory partner with deep OT/ICS and power-sector experience. We help responsible entities achieve and evidence CEA Cyber Security in Power Sector conformance end to end: gap assessment against every domain above; CISO-as-a-service and ISMS build-out; OT asset discovery and criticality classification; zones-and-conduits and air-gap architecture design; SIEM/SOC and OT threat detection; safe OT VAPT and FAT/SAT security testing; CCMP and DR exercises aligned to NCIIPC; trusted-source supply-chain assurance; and independent third-party audit with a prioritised, grid-safe corrective-action roadmap. Talk to CyberSigma to move from ad-hoc to audit-ready without ever putting grid reliability at risk.