Gaps in the Protection of Critical Information Infrastructures in India

 

Sowmya Karun

In a previous post, we critically examined the legislative and institutional framework for the protection of critical information infrastructures (“CIIs”) in India. The National Critical Information Infrastructure Protection Centre (“NCIIPC”) has since revamped its website. This is a heartening move towards transparency and increased public engagement. According to “data shared by a broad range of NCIIPC constituencies”, a total of around 7.5 million incidents, threat feeds and vulnerabilities were reported from CIIs in 2016. This was reported in the first NCIIPC newsletter. The newsletter further indicated the number of incidents on a monthly basis, the most impacted cities in terms of the volume of cyber attack incidents, the major forms of attacks and the country-wise share of the origins of cyber attacks on CIIs.

Sector-specific guidelines for CII

As recommended in our post, the NCIIPC has been increasing its efforts towards the protection of sectoral critical information infrastructures. There has been particular emphasis on designing sector-specific cyber security practices. For instance, the Ministry of Power has taken steps to sensitize critical organisations in the power sector, following instructions received from the NCIIPC.  This includes the auditing of underlying information infrastructures by CERT-In accredited agencies and the setting up of a dedicated computer emergency response team for the transmission sector. This is especially significant as the deployment of smart grid technologies on a large scale poses unique cybersecurity risks.  Similarly, it has been reported that the NCIIPC has conducted workshops on cyber security and critical information infrastructure protection for the oil and gas industry. Further, the NCIIPC has engaged with the Chief Information Security Officers in strategic and public enterprises (which includes heavy industry and public sector units) for the identification, protection and notification of their CII.

However, the NCIIPC’s attempts to address the claim that there is “an urgent need to evolve sector specific guidelines for handling cyber crises” remain piecemeal and reactive. The transportation sector, for instance, is particularly vulnerable to cyber threats on account of growing dependencies on network based systems for navigation, tracking and positioning, amongst others. There have been reports of Pakistani hackers who have been tapping into air traffic control systems in Jammu as well as gaining access to the GPS data of police vehicles in Madhya Pradesh. These instances represent only the tip of the iceberg when it comes to the capacity of malicious actors to disrupt CIIs in the transportation sector. However, despite these incidents, there have been no reports about the development of sector specific cybersecurity guidelines for the transportation sector. The Long Range Identification and Tracking (LRIT) system under the Ministry of Shipping remains the only transportation system to be declared as a “protected system” under the Information Technology Act, 2000.

Information Sharing and Analysis

While the development of sector specific guidelines for cyber-security should continue, it is also necessary to focus on mechanisms for information sharing and analysis across sectors. Information sharing about vulnerabilities, threats and attacks is essential as security solutions cannot be built without shared threat intelligence or co-ordinated responses. In recognition of this, the National Cybersecurity Policy of 2013 (“the Policy”) noted the necessity of establishing a mechanism for sharing information on cyber-security incidents (Paragraph IV(A)(7)). The creation of such a mechanism, according to the Policy, will generate the necessary understanding of existing and potential threats to enable timely information sharing (Paragraph IV(E)(1)). Prior to the Policy, the creation of Information Sharing & Analysis Centres (ISACs) had also been recommended by the Joint Working Group on Engagement with Private Sector on Cyber Security (“JWG”). The JWG conceived of ISACs within various industry verticals with the private sector to co-ordinate with sectoral CERTs as well as CERT-In.

However, currently, institutional mechanisms for streamlined and prompt sharing of information are not in place for most sectors. An ISAC has been set up at the Institute for Development and Research in Banking Technology (IDRBT), but it remains restricted to financial services. While the Central Government stated that action was initiated in 2014 for the setting up of similar ISACs in the power and petroleum sector, there is no confirmation of the same in the public domain. There is also no clarity on whether ISACs will be instituted for other sectors. There have also been no reports dealing with steps that are being taken for cross-sectoral information sharing and analysis. In a move forward, the NCIIPC has now made available forms for reporting vulnerabilities as well as cyber attacks on critical information infrastructures on its website. However, this is a poor substitute for a mandatory and systematic mechanism for collating information on threats, vulnerabilities and attacks. To this end, it is essential to urgently initiate the setting up of sectoral ISACs, under the guidance of the NCIIPC. A cross-sectoral ISAC, modelled along the lines of the National Council of ISACs in the US, could grow to function as an effective platform. It may also prove to be useful to pursue collaborations with existing global information sharing networks (such as the Financial Services Information Sharing and Analysis Centre (FS-ISAC)). Similarly, the merging of sectoral platforms to create a collaborative intelligence sharing platform under the National Cybersecurity Co-ordination Centre is recommended.

Conclusion

To conclude, it is heartening to observe the progressive changes the NCIIPC has made as well as the creation of sector specific guidelines in certain sectors. However, this must progress across various critical sectors in addition to being placed within broader information sharing mechanisms. It is hoped that the NCIIPC will continue on the path of transparency and information sharing in this regard.


One thought on “Gaps in the Protection of Critical Information Infrastructures in India”

  1. Some progress is there for protecting the Critical Information Infrastructure of the country. Is there any information whether NCIIPC notifies these systems protected under section 70 A of IT act or it is a responsibility of the organisation to do so?
