By Karan Sharma
In early May 2025, India’s power grid faced an unprecedented technical challenge. The issue was not something as common as a storm warning, a transmission fault, over- or under-generation of renewables, or equipment failure; but a stealthy new threat. What the grid tackled was one of the most concentrated waves of attempted cyberattacks during Operation Sindoor (India-Pakistan 2025 conflict). As per media statements made by Union Minister of Power Manohar Lal, close to 200,000 cyber-intrusion attempts were detected during the conflict, which were aimed at the power digital systems, rather than physical assets themselves. These threats were successfully neutralised and no blackouts followed. However, this episode opened our eyes to a harsh reality, that is, India’s power system is vulnerable through software and connectivity as much as through wires and substations.
This vulnerability is closely linked to the rise of renewables. Modern wind and solar projects are built around continuous data exchange and monitored through supervisory control and data acquisition (SCADA) systems. Moreover, the rise of battery energy storage systems (BESSs) has added another layer of software and remote control. Each connection improves operational efficiency. At the same time, each connection also creates a potential cyber entry point.
As renewables become critical to grid stability, the integrity of their data and control systems has moved from a technical concern to a systemic risk. Against this backdrop, Renewable Watch examines the evolving cyber risk landscape of India’s renewable sector, tracking operational vulnerabilities, regulatory frameworks and the future outlook.
Regulatory status and challenges
Cybersecurity attacks on the power sector are not a recent phenomenon. According to the Indian Computer Emergency Response Team (CERT-In), the country saw a 278 per cent increase in cyber incidents affecting the power sector between 2018 and 2022. Recognising this rising threat, in November 2025, the Central Electricity Authority (CEA) released the Draft Cyber Security in Power Sector Regulations, 2025. These draft regulations aim to further strengthen the Cyber Security in Power Sector Guidelines issued in 2021. They define the minimum cybersecurity responsibilities across generation, transmission and distribution entities, including renewable energy operators. The draft proposes mandatory designation of cybersecurity officers and their functions, routine vulnerability assessments and penetration testing of components, periodic cyber audits and mock drills, the procurement of hardware and software only from trusted and approved sources, along with baseline security practices for digital systems used in power operations.
However, the challenge lies in implementation in the renewables space. India’s rising renewable sector is, by nature, far more decentralised than conventional power infrastructure. Large thermal plants and transmission utilities operate under relatively uniform systems and governance structures. In contrast, renewable projects range from utility-scale wind and solar parks to several rooftop installations owned by households, housing societies and small commercial and industrial consumers. Over 250 million smart meter connections have been sanctioned under the Revamped Distribution Sector Scheme, underlining the sheer volume of new endpoints that must be governed, hardened and monitored. Applying a single regulatory framework to such a diverse landscape creates compliance gaps.
In order to address this issue, particularly for rooftop solar, the Ministry of New and Renewable Energy (MNRE), in July 2025, issued draft compliance requirements for inverters and remote monitoring systems (RMSs) under the PM Surya Ghar: Muft Bijli Yojana. The draft focused on standardising how rooftop solar systems communicate between an RMS and centralised internet of things, mandating secure machine-to-machine (M2M) SIMs and direct connectivity to national servers managed by the MNRE or a government-designated agency. Under the framework, all original equipment manufacturers supplying inverters for the scheme must ensure that their devices transmit generation, performance and alarm information directly to Indian servers rather than to third-party or overseas platforms. These M2M SIM-based communications are intended to provide consistent, authenticated data transmission and reduce exposure-created consumer-grade connectivity or foreign server infrastructure. Furthermore, the draft guidelines emphasise vendor-neutral, open communication protocols with structured message formats, device authentication through digital certificates, and encrypted data channels to reduce security gaps and supply chain risks.
Similarly, wind turbine manufacturing components are frequently internationally sourced, potentially increasing supply chain risks as well. In this space, the MNRE in July 2025 amended the Revised List of Models and Manufacturers and restructured it as the Approved List of Models and Manufacturers (Wind). The revision mandated that data centres and servers must be located within India, with all wind turbine-related information stored and maintained domestically. Real-time operational data must not be transferred outside India, and operational control of wind turbines must be exercised exclusively from facilities located within the country.
Operational status and challenges
Institutional capacity at the national level has expanded. According to Minister of State (MoS) for Power and New and Renewable Energy Shripad Yesso Naik, in a Lok Sabha response in December 2025, Computer Security Incident Response Team–Power (set up at the CEA as an extended arm of CERT-In) now supports utilities in detecting and responding to cyber incidents, while six subsectoral CERTs, including one for renewable energy, are mandated to prepare coordinated cyber crisis management plans. Additionally, the Powergrid Centre of Excellence in Cybersecurity at the Indian Institute of Science, Bengaluru, has been created to promote research and development. Cybersecurity audits have now become routine – the National Load Despatch Centre (NLDC) reports nine information technology (IT) assessments and five operational technology (OT) assessments over the past five years.
However, on the ground, the operational reality of cybersecurity in renewables remains challenging. At the RENEWSEC 2025 conference organised in December 2025, it was discussed that the merger of legacy control systems with modern cloud and edge services has also increased their risk exposure. Many control rooms and substations still run outdated SCADA and remote terminal units with limited modern defences such as next-generation firewalls or OT-specific intrusion detection. Furthermore, there is no clear separation between IT networks and OT networks; so a breach in an IT system, such as an email server or employee workstation, can allow attackers to move laterally into OT environments that directly control grid operations. This creates gaps that attackers can exploit. Once inside, attackers may manipulate telemetry, suppress alarms or alter control commands such as actions that can produce false state information and create operational confusion. The practical result is that operators must now manage software updates, remote-access privileges and detailed logging as everyday tasks – activities that were largely absent from traditional energy operations.
Additionally, unlike mature generation assets, operational standards for BESS cybersecurity are still evolving. BESS projects integrate battery management software, energy management platforms and grid communication systems. Low-bid procurement structures, in some cases, prioritise cost over long-term digital resilience. This creates a dual risk – cyber incidents that disrupt grid services and safety incidents linked to unauthorised control or incorrect system commands.
Remote project sites that use satellite links for telemetry are also a cause for concern. CERT-In issued an advisory in February 2025, warning that satcom ground stations and satellite control links are potential targets, meaning that there lies an acute risk for off-grid and remote renewable sites that rely on satellite telemetry.
Human capacity is another hurdle, since operational failures often arise from skill gaps and not technology alone. Cybersecurity in this sector requires a blend of OT knowledge and digital security skills, a combination that remains scarce. State load despatch centres and discoms vary widely in their readiness.
Despite the number of attacks that the Indian grid faces, no successful cyber breaches have been recorded in NLDC’s operational systems in the past five years, as per the MoS’s Shripad Yesso Naik’s Lok Sabha response. However, incident visibility still remains limited, because detailed public data on attempted breaches, near misses or sector-specific vulnerabilities is scarce. Without structured sharing of this data, utilities and operators might learn lessons in isolation, rather than through coordinated sector learning.
Outlook
India’s renewable energy transition is now a cyber story as much as it is an engineering one. However, translating policy intent into durable security needs practical action. As per a guest article written by Sunil Singhvi, President, Indian Electrical and Electronics Manufacturers’ Association, for Renewable Watch in August 2025, the creation of a single nodal cyber authority for the energy sector would help align standards, audits and enforcement, reducing gaps created by overlapping mandates.
Operationally, the renewable ecosystem must shift away from perimeter-based defences to zero-trust practices, supported by routine penetration testing, stronger communication protocols, encryption and continuous monitoring for all devices across all segments, and backed by clear vendor obligations for timely patching. Additionally, scaling human capacity would require sustained investment in training programmes and awareness campaigns.
Artificial intelligence-based threat detection, as well as quantum-resistant blockchain and cryptography tools, can also strengthen grid security, provided they are supported by clear standards and robust governance measures rather than being treated as standalone technology fixes. Furthermore, as consumers, we also have a role to play by demanding transparency from the government, as well as developers and utilities, on how generation data is stored, protected and used. Gone are the days when cybersecurity could be addressed as a back-office IT issue and limited to periodic audits or post-incident reviews; in a power system dominated by renewables, it must be embedded into everyday operations and system design for grid stability and public safety. As renewable energy moves forward to becoming the backbone of the power sector, securing its digital foundations will be more important to keep the energy transition resilient, rather than exposing it to new forms of risks.
