Modern society is built on the foundation of technological advancements. Today, technology infrastructure such as the internet, the cloud, and computers containing sensitive information is as important as physical infrastructure like railways, roadways, and buildings. Technology is growing fast and has a tremendous evolution rate. Seamless functioning of physical infrastructure, such as the generation, transmission, and distribution of energy; air and maritime transport; banks and financial services; and water supply and storage, is essential for a nation-state. Information technology has become an indispensable tool for this physical infrastructure, enabling seamless functioning. Any minor disruption at any point of the information infrastructure could create ripples affecting multiple critical infrastructures of a state. But first, what is critical information infrastructure?
What is Information ‘Infrastructure’?
Information infrastructure is the term used to describe interconnected computers and networks and the essential information flowing through them. In other words, information infrastructure includes the transmission media (telephone lines, cable television lines, satellites, and antennas) as well as the routers, aggregators, repeaters, and other devices that control transmission paths. Infrastructure also includes the software used to send, receive, and manage the signals that are transmitted.
What is ‘Critical’ Information Infrastructure?
The term “critical” refers to infrastructure that provides essential support for economic and social well-being, for public safety, and for the functioning of key government responsibilities. Examples include telecommunication networks, financial services, and transportation or traffic control systems. Disruption or destruction of this infrastructure could result in catastrophic and far-reaching damage. Its loss, damage, or unavailability, even for a short duration, can have significant consequences and cascading effects far beyond the targeted sector and physical location of the incident.
The information infrastructure that is essential for the continuity of critical infrastructure services is known as Critical Information Infrastructure (CII).
Critical information infrastructure generally refers to:
“Information and Communication Technology systems that are essential to the operations of national and international Critical Infrastructures. Some of the examples include
i) telecommunication networks;
ii) transportation: air traffic control, railway routing and control, highway or city traffic management;
iii) financial services: credit card transactions, online payment systems or gateways, electronic stock trading; and
iv) Industrial Control Systems/SCADA (Supervisory, Control, and Data Acquisition) used to manage energy production and distribution, chemical manufacturing and refining processes”
The Information Technology Act, 2000 and the CII
In India, Section 70 of the IT (Amendment) Act, 2008 describes CII as “the computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety.”
The government amended the IT Act in 2008 to expand the scope of the existing legal framework. The broadened scope included defining CII and designating a nodal agency and its roles and responsibilities for protecting CII. The Act empowers the Central Government to designate any computer resource which directly or indirectly affects the facility of CII to be a protected system.
The scope of CII is very wide and it becomes extremely challenging to identify the computer resources supporting the functioning of CII. Moreover, tools, techniques, and frameworks for quantitative assessment of the impact of CII disruptions and degradation on national security, economy, public health, or safety are inadequate.
However, the IT Act lays down that any person who accesses a protected system without authorization shall be punished with imprisonment of up to 10 years, and a fine.
National Critical Information Infrastructure Protection Centre (NCIIPC)
The National Critical Information Infrastructure Protection Centre (NCIIPC) is the designated nodal agency to protect India’s CII. As per NCIIPC, the sectors that were put under the auspices of the agency are:
- power and energy (oil and gas, power, industrial control systems, etc.),
- banking, financial services and insurance,
- ICT,
- transportation (air, surface [rail and road] and water) and
- e-governance and strategic public enterprises.
These sectors can be further subdivided into independent business or industrial functions: for example, in the case of transportation, the primary constituents are aviation, shipping, road, and rail. Similarly, services such as telecommunications can be subdivided into landline voice services, mobile voice services, and broadband cable services.
Critical Information Infrastructure of India
| Transportation | Power and Energy | Information and Communication Technology | Banking, Financial Services, and Insurance | E-Governance & Strategic Public Enterprises |
|---|---|---|---|---|
| Civil Aviation | Thermal Power | PSTN Network | Reserve Bank of India | NIC |
| Railways | Hydroelectric Power | Satellite Communication | Stock Exchanges | e-Governance Infrastructure |
| Shipping | Nuclear Power | Network Backbone | Banking | |
| | Petroleum/Natural Gas | Mobile Telephony | Clearing Houses | |
| | Power Grid | Broadcasting | Payment Gateways | |
Strategic Challenges in Critical Information Infrastructure Protection
As the critical information infrastructure of a nation-state is becoming integrated and gaining strategic advantage, there is growing insecurity among the nation-states on the issues pertaining to the protection and defense of these infrastructures. However, the process of protecting critical infrastructure has many challenges; we will discuss some of them next.
Private and Public Perspectives: The list of actors involved in developing or maintaining critical infrastructure installations is endless, but they broadly fall under government or public enterprises and private entities. The private sector is a key player and the government, by itself, has limited control over the functioning or policymaking apparatus of private entities.
Multiple Stakeholders: The large number of entities, with diverse and sometimes divergent interests, gives rise to the collective action problem. The private sector has business growth as its top-most priority, but the government has national security and delivery of essential services as its primary concern.
Fragmentation: In the wake of the sudden rise in cyber threats, various departments and ministries of the government and private sector associations have set up cybersecurity agencies, which are more aligned to serve their own mandates and interests. This fragmented approach is a substantial challenge, as most of these agencies work in silos and devise policies according to the small set of stakeholders.
Information Sharing/Analysis: In the absence of clearly defined roles, responsibilities, and duties, and of a definite command structure, information sharing among the entities is not seamless. Stakeholders hoard information and often don’t share it with the right department or agency. There are only a few information-sharing platforms, and therefore collecting and using the information to aid decision-making remains a key challenge.
Scale and Unlimited Boundaries: Critical infrastructure is geographically spread, across the length and breadth of the nation-state. It is impossible to set any physical boundaries, which makes it a daunting task to affix the areas of responsibility.
An Expanding Network: Critical infrastructure is growing day by day, as new facilities, industries, technologies, equipment, and processes are continuously being added to the already existing massive network.
Complexity and Interdependencies: Critical infrastructure is complex, and its behavior under conditions of disruption is difficult to understand; such disruptions, also known as cascading failures, have unpredictable consequences. This complexity arises out of the interdependencies between and among the sectors, as materials, products, information, etc., are passed on to the downstream sectors.
Human Element: This is most critical in CIP policymaking and its implementation. All the key decisions regarding the design, development, and operations of the systems, applications, and networks behind critical infrastructure installations are human-dependent.
Endless Vulnerabilities and Limited Knowledge: Technologies that underpin critical infrastructure sectors and industries, such as process or assembly chain automation, robotics, remote process controls, IT, database systems, industrial control systems, and SCADA, are built over a period of time, and probably by different vendors under the varying demands of clients. Gradually, the industrial control system networks have been integrated with IT networks, which has thrown open a wide space for attackers to exploit the control systems for potential malfunction or disruption.
Asymmetric Angle: The threat spectrum has widened as threats originate from nation-states as well as malicious non-state actors. The present-day threats are ambiguous, uncertain, and indistinct in terms of their identity and goals.
There has been a significant increase in the number of cyber-attacks. The recent attack on Mumbai’s power grid by Chinese actors is a prime example. The cyber threats, particularly categorized as cyber-crime, cyber terrorism, cyber espionage, and cyber warfare, exploit numerous vulnerabilities in the software and hardware design, human resources, and physical systems. This concern has gained significant traction among governmental agencies, computer/network security firms, and the scientific and strategic community. There is a dire need to evolve a comprehensive security policy to address the physical, legal, cyber, and human dimensions of security. Nation-states across the globe have realized the growing challenges in preventing and containing the attacks on critical infrastructure, while ingraining resiliency in the critical infrastructure and the corresponding information infrastructure.
This article was co-authored by Rohit Ranjan Praveer.