Building a Secure, Smart Grid: L.K.S. Rathore, Director, Central Electricity Authority Outlines India’s Digital Power Vision

In an era where the digital transformation of India’s power sector is accelerating at an unprecedented pace, the importance of cybersecurity and smart technology integration has never been more critical. ilouge Media recently sat down for an in-depth conversation with L.K.S. Rathore, Director, Cyber Security, Central Electricity Authority (CEA), Ministry of Power to explore how the sector is evolving to meet the dual challenges of modernization and security.

From deploying AI and IoT for smarter grid management to establishing India’s first 24×7 sectoral Security Operations Centre (CSIRT-Power), CEA is leading the charge in building a resilient and intelligent energy infrastructure. In this exclusive interaction, Rathore sheds light on emerging digital strategies, robust regulatory frameworks, the Trusted Vendor initiative, and the crucial role of academia and private industry in safeguarding India’s critical power systems. The conversation underscores CEA’s broader vision—to create a secure, future-ready power ecosystem aligned with the country’s ambitious energy transition goals.

- Advertisement -

India’s power sector is undergoing rapid digital transformation. How is the CEA leveraging emerging technologies like AI, IoT, and data analytics to modernize grid operations and improve energy efficiency?

CSIRT-Power has been established under CEA to prevent, detect, handle, and respond to cyber security incidents in Power sector utilities.CSIRT Power has deployed SIEM tool and is in process to integrate AI and Machine Learning tools to:

• Detect risky zones in OT and IT networks — like repeated login failures, unusual traffic, etc.
• Spot patterns of cyberattacks or insider misuse.
• AI tools help build real-time threat maps and identify high-risk assets in the grid.
• CEA has encouraged deployment of IoT infrastructure in grid assets, including substations and field installations, to enable real-time monitoring and data collection, a foundational step toward smart grid transformation.
• AI for Predictive Maintenance & Outage Prediction: – CEA has been actively promoting the Power sector Utilities to use AI models to predict infrastructure failures to optimize maintenance schedules to mitigate downtime and prevent outages.
• CEA is embracing analytics for balancing renewable energy variability (solar/wind)—using AI-powered forecasting tools to assist grid balancing and dispatch decisions.

With increasing digitization comes the growing threat of cyberattacks. What steps or initiatives have been taken to build a robust cybersecurity framework to safeguard India’s critical power infrastructure? The government is working on new policies to strengthen cyber resilience in the power sector. Could you share what key measures are being planned or already underway?

1. CEA has issued “CEA (Cyber Security in Power Sector) Guidelines 2021”.
2. CSIRT-Power has been established by MoP and fully functional w.e.f September 2024. This is first sectoral 24*7 SOC of any civil sector in Govt of India. CSIRT-Power is having Security Operation Centre, Data Centre equipped with cutting edge technology and expert manpower, along with a dedicated cyber forensic lab which helps to prevent, detect, handle, and respond to respond to cyber security incidents in Power sector utilities.
3. CEA is coming-up with Cyber Security Regulations in Power Sector which is in advanced stages of approval after disposal of public comments and is going to be published shortly.
4. Capacity building exercises (tailor made) conducted in collaboration with academia (i.e. IIT Kanpur and Rashtriya Raksha University etc.) to train power professionals.
5. Workshops, trainings, awareness sessions, conferences and cyber security exercises are being organized regularly by various agencies including NCIIPC, CERT-in and CSIRT-power, utilities, industry and academia to spread awareness among the stakeholders.
6. MoP has issued order dated 02nd July 2020, mandated testing of all equipment, components, and parts imported for use in the power supply system and network shall be tested in the country to check for any kind of embedded malware/trojans/cyber threat.
7. Issued guidelines for scope of Audit, QCBS based audit system to cover the complete IT/OT infrastructure and also to improve the quality of audit.

We’ve heard about a ‘Trusted Vendor’ scheme in the pipeline. How will this help secure the power sector’s supply chain and digital infrastructure?

With the growing digitalization of power systems and the deployment of IT- based solutions for optimization of resources, continuous monitoring and enhanced efficiency, the cyber-attack surface has significantly expanded. ln this interconnected and geographically distributed supply chain, ensuring cyber security of the equipment and components being sourced and deployed is crucial.

National security council secretariat (NSCS) of the Government of India has set up a Trusted Telecom Portal for ensuring only trusted telecom equipment are being used from trusted sources with an aim to address the security concerns of the equipment’s. In this regard, the Trusted Vendor Scheme is currently being implemented in the power sector in coordination with the National Security Council Secretariat (NSCS).

By sourcing from vendors vetted by the National Security Council Secretariat (NSCS), the power sector can avoid technology that poses national security risks. This will also promote indigenous manufacturing and self-reliance in critical infrastructure.

The Trusted Vendor scheme ensures that equipment and software used in the power sector originate from reliable and secure sources. This mitigates supply chain risks, especially related to foreign-origin components with potential backdoors.

Is the CEA planning any specific regulations or frameworks for ensuring that new digital solutions and suppliers meet high cybersecurity standards?

The CEA (Cyber Security in Power Sector), Regulation 2025 have been successfully drafted, which is in advanced stages of approval after disposal of public comments and is underprocess for Issuance.

Role of Regulation in Power Sector to mitigate the Cyber Security Concern: –

• Directs to establish Cybersecurity Governance structure.
• Take the approach to establish business integrated Cyber security policy to involve the top management.
• Addresses the concern of coordinated cyber security incident and crisis management.
• Addresses the vulnerability caused by integration of existing and new system.
• Directs utility to ensure physical and cybersecurity in the interconnected grid system where equipment can be located in second- or third-party premises.
• Addresses the concern of Legacy system that is a major area of concern.
• Directs the utility to comply with NCIIPC and CERT-In directives.
• Addresses the concern of cybersecurity risks in existing systems by mandating operational cybersecurity.
• Addresses the concern of data privacy and security aspects of power sector.
• Addresses the concern of supply chain related threats, outsourcing and cloud service integration.

Cybersecurity Regulation is much more comprehensive. Additional areas apart from Cyber security guidelines being added in regulations are: –

• Physical security
• Secure System Architecture
• Access Control Policy
• Configuration Management and Change Management Process
• Application Security and Testing
• Maintenance and Testing
• Data Privacy
• Use of cloud Services
• Vendor Management
• Outsourcing
• Documentation and Retention Policy

How can academic institutions and private industry play a bigger role in building a secure, future-ready power sector? Are there any ongoing partnerships or upcoming opportunities?

Academic institutions and private industry play a crucial role in empowering individuals and organizations to become proactive participants in cyber defence, especially in the context of capacity building.

• Academic institutions help employees and Utilitiesto understand the risks and potential consequences of cyber threats.
• Private industry campaigns promote to implement the security measures like the adoption of cybersecurity best practices such as strong passwords, keeping software up to date, implementing multi-factor authentication etc.
• When employees are aware of cyber threats, they are more likely to report suspicious activity promptly. This allows Utilities to identify and address potential breaches early, minimizing damage.
• By raising awareness about the potential consequences of insider threats and promoting a culture of trust and transparency, organizations can reduce the likelihood of insider attacks.
• Capacity building exercises (tailor made) conducted in collaboration with academia (i.e. IIT Kanpur, IIT Kharagpur, IISc and Rastriya Raksha University), industries, premier cyber security organizations of India, more than 250 power professionals trained through these programs, including power professionals from State DISCOM.

What are the top goals for the CEA in the next few years when it comes to digital transformation and keeping the power sector secure?

Our key goals include:

• Achieving 100% smart metering in distribution.
• Establishing sector-wide cybersecurity standards, SOCs, and response mechanisms.
• Promoting domestic R&D and secure-by-design infrastructure in collaboration with stakeholders.
• Institutionalising cyber risk management as part of utility governance and audit mechanisms.

The vision is to create a resilient, intelligent, and secure power system that can support India’s energy transition while staying protected from emerging cyber threats.