The Centre is preparing to roll out a comprehensive cybersecurity framework for the power sector, marking the most extensive upgrade in the grid’s digital defense architecture since 2021. Drafted by the Central Electricity Authority (CEA) — the technical advisory arm of the Ministry of Power — the new rules, titled Draft Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2025, are expected to come into effect in April 2026 after public consultation.
The proposed regulations require every entity connected to the electricity grid — from state utilities and power exchanges to renewable generators and IT service providers — to adopt a board-approved cybersecurity policy, appoint a Chief Information Security Officer (CISO), and align systems with standards issued by the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Ministry of Power.
“This framework goes beyond protecting critical installations,” said an official involved in drafting the regulations. “It extends responsibility to the entire ecosystem, including vendors, equipment suppliers, and software integrators.”
Lessons From Border-Linked Cyber Threats
The overhaul comes after heightened cyber activity during India-Pakistan border tensions in May 2025, when intelligence agencies reportedly thwarted over two lakh attempted attacks on India’s power infrastructure. Many of these intrusions targeted grid control systems and renewable energy installations connected through the internet.
Officials said the ministry had “intensified digital surveillance” earlier this year after reports of attempted breaches in Supervisory Control and Data Acquisition (SCADA) networks and remote monitoring systems.
“These incidents exposed vulnerabilities created by the convergence of operational technology (OT) and information technology (IT),” said one senior official. “The grid is no longer just steel and circuits — it’s software, sensors, and cloud-linked devices that need constant protection.”
Expanding the Security Perimeter
The new draft rules significantly widen the regulatory perimeter. They bring under the cybersecurity ambit not just transmission utilities and grid operators, but also private renewable energy firms, equipment manufacturers, and third-party contractors.
Each participant in the power value chain will be required to implement encryption, access control, and real-time activity logging on critical systems. The rules will also introduce supply-chain security provisions, holding vendors and integrators accountable for any breach linked to their systems or devices.
Officials said the regulations will be enforced through a risk-based compliance regime that allows the government to impose financial penalties and revoke clearances for entities that fail to comply.
“The lesson from recent years is clear,” said a policy analyst tracking the draft. “Resilience must extend from the control room to the smallest inverter in a solar park.”
Securing India’s Energy Future
India’s energy grid has rapidly digitized — integrating smart meters, renewable inverters, and automated control systems. While this modernization enhances efficiency, it has also made the network more susceptible to cyber espionage, data theft, and sabotage. A coordinated digital attack could potentially manipulate turbine operations or alter grid frequency, triggering widespread blackouts.
Officials noted that cyberattacks on power infrastructure are no longer theoretical. In 2020 and 2021, cybersecurity agencies traced attempted intrusions to state-linked groups targeting Indian utilities, highlighting the geopolitical dimension of the threat.
The government’s latest initiative reflects a broader strategy to integrate cyber defense with national energy policy. “Power is not just an economic asset,” a senior energy official said. “It’s a security frontier. Safeguarding the grid is safeguarding the nation.”
If enacted as planned, the 2025 Cybersecurity Regulations could mark a turning point — embedding cybersecurity governance into the DNA of India’s power sector, ensuring that every megawatt of electricity is backed by a megabyte of protection.
