A study of the experiences of the United States and India in strengthening the power grid against cyberattacks, and proposing recommendations for improving the structure of the industrial security governance system within the country
Abstract
Electric energy is a crucial prerequisite for the advancement of economic, social, and welfare sectors in all societies and countries. In developing or less developed countries, access to reliable electricity at affordable prices plays a significant role in economic and social development. Any disruption in the power grid’s operation—due to the dependence of other critical infrastructures on it (such as water supply systems, gas networks, banking, traffic and transportation, and communication infrastructure)—can lead to serious political, social, and economic consequences. Therefore, one of the most important and destructive types of attacks, which has increasingly attracted the attention of opposition groups and even hostile governments in recent years, is cyberattacks on the power grid.
In this article you read about:
Reviewing the Experiences of the United States and India
The study highlights governance challenges in protecting power grids against cyberattacks, such as unclear institutional responsibilities and overlapping regulatory roles.
After 9/11, the Department of Homeland Security (DHS) was created, and later the Cybersecurity and Infrastructure Security Agency (CISA) was formed. The Department of Energy (DOE) established a special office (CESER) for energy cybersecurity. Key components include:
• United States:
- Centralized policymaking (DHS/CISA)
- Technical regulation (NERC, NIST)
- Threat sharing via ISACs
- 80% private power companies operating under NERC guidelines
India:
- Cybersecurity governance began with the IT Act (2000). Since 2011, organizations must establish cybersecurity offices. Key institutions include:
- NPTI and CPRI (under Ministry of Power)
- C-DAC (under MeitY) for testing and cybersecurity labs
The U.S. shows a more integrated, multi-level governance model, while India is still developing its framework with less historical depth.
Strengths and Weaknesses of the Existing Structure in Iran
Iran’s cybersecurity governance for critical infrastructure has strengths such as policy and regulatory bodies, cybersecurity committees, and designated accountability. However, it faces key weaknesses: unclear organizational responsibility, regulatory overlap, lack of budget transparency, limited training, and incomplete evaluation of new technologies.
Recommendations
Separate IT and industrial network responsibilities in organizational structures.
Establish a national system for sharing industrial cybersecurity threat information, modeled after the U.S.
Develop specialized training programs with universities and international centers to build expertise.
Create local labs to test vulnerabilities in industrial software and hardware.
Prioritize the development of industrial cybersecurity technologies in national plans.
This study was conducted at Iran’s Energy and Resource Governance Institute in collaboration with Moein Ahmadi and Amir Mohammadi Doust in 2024.
To read more, click here
