How safe is India’s critical national infrastructure?
Over the last few decades, critical infrastructure and services have been scaled up through automation, the Internet of Things and AI. However, this has also made them more vulnerable to attacks through IoT devices, highlighting the need for a policy framework to safeguard our infrastructure
360° Perspective Analysis
Deep-dive into Geography, Polity, Economy, History, Environment & Social dimensions — AI-powered, on-demand
Context
The article highlights the growing vulnerability of India's Critical Information Infrastructure (CII) due to rapid digital transformation and the integration of IoT devices. While traditional cybersecurity measures focus on IT systems, the physical infrastructure—power grids, fuel supply chains, and industrial plants—is increasingly connected to the internet, creating new avenues for remote disruption. The author stresses the need for rigorous certification of imported devices and a shift towards trusted indigenous technologies to ensure national security and economic stability.
UPSC Perspectives
Internal Security
The protection of Critical Information Infrastructure (CII) is a core component of national security. Under Section 70 of the , CII is defined as a computer resource whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety. The (NCIIPC) is the nodal agency designated to protect these assets. The article emphasizes that the threat landscape has evolved beyond traditional IT systems to encompass Operational Technology (OT) (systems that monitor and control physical devices) and the Internet of Things (IoT). Adversaries can now target these interconnected physical systems, leading to real-world disruptions, such as the targeting of fuel supply chains or power grids. UPSC often tests the understanding of these evolving threats and the institutional frameworks in place to counter them, especially in the context of state-sponsored cyber-attacks.
Science & Technology
The integration of Information Technology (IT), Operational Technology (OT), and the Internet of Things (IoT) represents a significant technological shift in managing critical infrastructure. Previously, industrial control systems like SCADA (Supervisory Control and Data Acquisition) were isolated networks (air-gapped). However, the push for automation and predictive maintenance has led to these systems being connected to the internet. This convergence creates a complex attack surface. An attacker exploiting a vulnerability in an IoT device (like a temperature sensor or an e-lock on a fuel tanker) can potentially manipulate physical processes controlled by the OT layer. The article points out a critical flaw: the certification process for these interconnected devices is often inadequate. Institutions like the (STQC) Directorate provide testing, but the sheer volume and variety of IoT devices outpace the current regulatory capacity. For UPSC Prelims, understanding the distinction between IT, OT, and IoT, and the specific vulnerabilities they introduce, is crucial.
Governance
The article raises concerns about the procurement policies of government departments and Public Sector Undertakings (PSUs). Despite the national push for (Self-Reliant India) and , the practical implementation in procurement often falls short. Tenders frequently rely on superficial, template-based compliance checks rather than in-depth security evaluations of the origin, manufacturing, and potential vulnerabilities of the equipment. This allows potentially compromised or unverified imported devices (especially those with communication capabilities) to be embedded within sensitive national infrastructure. The government must enforce stricter guidelines under the to ensure that critical sectors prioritize trusted, indigenous technologies. The lack of stringent enforcement of IT guidelines and IoT policies for national-level infrastructure highlights a significant governance gap in ensuring the security of the digital supply chain.