From UPSC perspective, the following things are important :
Prelims level : CERT-In
Mains level : Paper 3- Critical information infrastructure protection
The article underscores the threat of cyberattacks on the critical infrastructure and also suggests the steps to be taken to secure these infrastructures.
Cyberattack on the power grid
- On October 12 last year, Mumbai plunged into darkness as the electric grid supply to the city failed.
- Recently, a study by Massachusetts-based Recorded Future, said that the Mumbai power outage could have been a cyberattack aimed at critical infrastructure.
- It was carried out by the state-sponsored group Red Echo.
- As recently as in February, the Centre’s nodal agency National Critical Information Infrastructure Protection Centre (NCIIPC) had reported concerted attempts by Red Echo to hack the critical grid network.
- CERT-In, is reported to have detected the ShadowPad malware in one of the largest supply chain attacks a month after the Mumbai outage.
- Many of the suspected IP addresses identified by NCIIPC and CERT-In were the same and most have been blocked in time.
- The Chinese focus in the past was stealing information and not projecting power, but the situation with India might be different.
Why critical infrastructures are so vulnerable
- As many of these critical infrastructures were never designed keeping security in mind and always focused on productivity and reliability, their vulnerability is more evident today.
- With devices getting more interconnected and dependent on the internet facilitating remote access during a pandemic, the security of cyber-physical systems has, indeed, become a major challenge for utility companies.
Critical information infrastructure protection
- For more than a decade, there have been concerns about critical information infrastructure protection (CIIP).
- In January 2014, the NCIIPC was notified to be the national nodal agency for CIIP and over these years has been working closely with the various agencies.
- In January 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), with a budget of Rs 3,660 crore for the next five years, to strengthen the sector.
- Most ministries and departments need better budget allocations for cybersecurity as well as a more robust infrastructure, processes and audit system.
- The Industrial Cybersecurity Standards (IEC62443) launched by the Bureau of Indian Standards (BIS), has to be adopted soon.
- For the power sector, a strong regulation on the lines of the North American Electric Reliability Critical Infrastructure Protection (NERC) policy could serve as a guide.
Consider the question “Discuss the importance of critical information infrastructure protection (CIIP)? Also mention the steps taken by the government in this regard.”
Clearly, the incident is a wake-up call for better preparedness in terms of a more robust cyber security ecosystem in place. The new cyber security policy awaiting imminent announcement will hopefully cater to that.