News about ransomware attacks and other cyber threats around the world might make you presume that they happen only to major powers. It is sobering to find that India, too, is firmly on the radar of such attacks.
A Check Point report found that ransomware attacks on organizations across all sectors, including government, healthcare, and other critical infrastructure, have risen by 93 percent year on year, and India is among the key targets. It is rightly said, “A chain is only as strong as its weakest link”. In cybersecurity, it is the lack of awareness within established organizations that makes them sitting ducks for such attacks.
In this article, we discuss Critical Information Infrastructure, its constituents, and the absolute need to protect it. We then look at the workings of a lesser-known government agency, the NCIIPC (National Critical Information Infrastructure Protection Centre), whose sole purpose is to plug gaps in the critical infrastructure systems of public and private sector organizations.
What is Critical Information Infrastructure?
Do you remember Thomas Gabriel, the antagonist of the 2007 movie Die Hard 4.0? In the movie, he launches a series of attacks that sabotage the city’s transport system, then the telecommunication networks, followed by the financial system, and finally the power grids and gas pipelines. The movie aptly depicts the cascading, large-scale impact of attacks on critical infrastructure.
Critical Information Infrastructure (CII), simply put, is the set of physical and cyber systems that are vital to a country. An attack on such infrastructure weakens security in the widest sense, including but not limited to economic security, national security, and public health.
The Information Technology Act, 2000 (in the Explanation to section 70, inserted by the 2008 amendment) defines CII as:
“computer resources, the destruction of which shall have a debilitating impact on national security, economy, public health or safety.”
Identification of Critical Information Infrastructure
The next question is what exactly counts as critical infrastructure. The United States’ Cybersecurity and Infrastructure Security Agency (CISA) notes that it is up to each country’s own analysis and discretion to categorize a particular sector or establishment as critical infrastructure. The United States, for instance, designates 16 critical infrastructure sectors, including defense, energy, emergency services, and nuclear reactors, materials, and waste.
From the Indian perspective, NCIIPC has issued guidelines for assessing CII, setting out parameters for its determination. These include the extent of the functions and services the organization provides, the geographical or environmental impact of a failure, and, most importantly, how unavailability of the organization’s services would affect other significant businesses and sectors. Common examples include telecommunication networks, air traffic control, railway routing and control, financial services, and industrial control systems.
Who protects CII in India?
Critical infrastructure protection is a major cybersecurity priority for India. To safeguard the common interest of the nation, the government established the NCIIPC in January 2014 as the nodal agency that works with the public and private sectors to plug gaps in their critical infrastructure systems.
The agency was established under section 70A of the Information Technology Act, 2000, as a unit of the National Technical Research Organisation (NTRO), which reports to the Prime Minister’s Office.
The agency aims to facilitate safe, secure, and resilient information infrastructure for the critical sectors of the nation, following internationally accepted parameters for what counts as critical infrastructure. It broadly identifies the following critical sectors: Power & Energy; Banking, Financial Services & Insurance; Telecom; Transport; Government; and Strategic & Public Enterprises.
“Protected System” and NCIIPC
NCIIPC, under its charter, has been working towards getting many of the Government of India’s systems notified as “Protected Systems”. Under section 70 of the Act, the appropriate Government may, by notification, declare any computer resource that directly or indirectly affects the facility of CII to be a protected system; access to it is then restricted to persons authorised in writing, and unauthorised access, or an attempt at it, is a punishable offence.
Section 2(j) & (k) of the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 give clear definitions of an organization and its protected system. Once a CII is notified as a “Protected System” under section 70 of the IT Act, it also falls within the ambit of section 66F of the IT Act, under which an attack on it that meets the section’s conditions (intent to threaten the unity, integrity, security or sovereignty of India, with an adverse effect on CII) is punishable as cyber terrorism.
Furthermore, the Rules prescribe specific practices and procedures. For example, an organization with a “Protected System” must constitute an Information Security Steering Committee (ISSC) with defined roles and responsibilities within the institution. The Rules also mandate nominating a Chief Information Security Officer (CISO), who carries defined responsibilities for ensuring that the organization’s cyber security practices meet the prescribed standards, and NCIIPC has released guidelines for CISOs to that end.
Recent Cyber Attacks on CII
Cyber-attacks by nation-state actors, mainly targeting critical infrastructure and other nationally important institutions, are on the rise. A series of high-profile attacks in the past few months has exposed vulnerabilities in the critical infrastructure of even advanced nations; the May 2021 ransomware attack on Colonial Pipeline, which halted the largest fuel pipeline in the United States for several days, is a fitting example.
India, too, has not escaped such attacks. The most infamous is the 2017 NotPetya outbreak, which infected the global network of Maersk, the world’s largest container shipping company, and disrupted terminal operations worldwide, most prominently at Mumbai’s terminals and the Jawaharlal Nehru Port Trust, India’s biggest container port. A more recent example is the October 2020 Mumbai blackout: Recorded Future reported that a China-linked group it tracks as RedEcho had targeted India’s power sector, ports, and parts of the railway infrastructure, although whether those intrusions actually caused the Mumbai outage was never officially confirmed.
How to report an Incident with NCIIPC?
NCIIPC accepts reports of both vulnerabilities and security incidents, and also offers services to help organizations maintain their cyber security. Organizations can inform NCIIPC of their requirements for security applications, hardware, software, and other security solutions through [email protected].
A victim organization can report malware in the specified format through the NCIIPC Malware Report Form, and any other incident likely to affect CII through the NCIIPC Incident Report Form. NCIIPC also runs a Responsible Vulnerability Disclosure Program (RVDP), under which stakeholders across sectors can report vulnerabilities and seek advisory services; a newly found vulnerability likely to result in unauthorized access to CII can be reported through the Vulnerability Disclosure Form.