The Centre plans to roll out a fresh set of cyber security regulations for the power sector, proposing sweeping upgrades in how India’s electricity network needs to defend itself against the threat of cyberattacks.
The move follows security threats that emerged during the recent India-Pakistan border tensions in May 2025, during which India thwarted at least two lakh cyber-attacks targeting its power infrastructure.
The rules have been prepared by the Central Electricity Authority (CEA), the apex technical advisory body of the Ministry of Power, and are likely to come into force from April 2026 once public consultation and final updates are completed, two officials privy to the matter have told Moneycontrol.
“The new framework reflects lessons from the period of intensified monitoring earlier this year, when the Power Ministry and grid operators stepped up digital surveillance after reports of attempted cyber intrusions,” one of the officials said.
India’s increasingly digitised power systems - from traditional thermal plants to renewable energy facilities such as solar and wind farms - have become more vulnerable to cyberattacks as operational technology (OT) and information technology (IT) networks converge. Modern wind and solar installations rely heavily on remote monitoring systems, smart inverters and SCADA controls connected via the internet, making them potential entry points for hackers.
Known as the Draft Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2025, the proposed rules mark a major shift from the 2021 rules that currently exist. “In the new draft rules, we have tried to expand coverage beyond critical utilities to the entire power ecosystem, adding supply-chain security, real-time monitoring, and enforceable penalties to build a more resilient, risk-based cyber defence framework,” the second official said, requesting anonymity.
The new rules will cover all entities connected to the grid, including renewable energy generators, power exchanges, system integrators, equipment manufacturers, and IT/OT service providers. The guidelines extend responsibility across the supply chain, requiring every vendor or third-party provider with access to critical systems to comply with security standards, once they are finalised.
The regulations will introduce stricter data protection norms, mandating encryption, access control and detailed logging of activity on critical systems to prevent data tampering or theft.
The draft rules, seen by Moneycontrol, state that each entity must prepare a board-approved cyber security policy, designate a Chief Information Security Officer (CISO), and align systems with standards issued by the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Ministry of Power. "Entity" here refers to any organization that owns, operates, manages, or interfaces with power sector infrastructure connected to India’s electricity grid.
A successful intrusion into any of India’s electricity assets has the potential to disrupt turbine operations, alter power output data, or even destabilise grid frequency if coordinated across multiple plants. With many private renewable operators using third-party software and imported control equipment, the supply-chain risk remains high, allowing malware or backdoor access into grid-connected systems.
“These vulnerabilities underline why the power sector - once seen as a purely physical infrastructure - is now at the forefront of India’s cyber defence strategy,” said the official quoted above.
