Courtesy: Rajarshi Mitra/Flickr

Protection of Critical Information Infrastructure: An Indian Perspective

Abstract

Critical information infrastructure (CII) is a pillar on which modern nations function. The revolution in information and communication technologies (ICT), apart from enhancing societal interactions and information diffusion, has improved the efficiency of organisations in all spheres of activity. These technologies, when developed, were guided by the need of open society for speed and sharing of information; security was never a top concern during early stages of development. The internet protocol, TCP/IP, was born ‘open’ with no protection or self-encryption mechanism.1 The aim was to create information sharing in a close-knit, like-minded society in a globalised world. The technology was imbibed by society to bring people closer and businesses to tap its advantages of speed and efficiency. Advancements in information technology over a period of time have made life easy, brought societies together and revolutionised information-sharing. It powered societal integration, globalisation, worldwide trade and business. Today, it is impossible to imagine life without ICT.
In the process, the information infrastructure itself acquired one of the most critical places in a country’s economic progress, national security and civil governance.2 Any disruption to information infrastructure is bound to have a ‘domino effect’ on all facets of civil society. Given their inherent vulnerabilities, these info-structures are prized targets for military adversaries, terrorist groups or disgruntled insider elements of a government or private organisation itself. This danger looms larger for developing countries that endeavour to attain self-sufficiency. This paper discusses the vulnerabilities of India’s CII and a future strategy to secure and safeguard it.

What is CII?

In the 20th century, critical infrastructures were set up in an isolated manner. These infrastructures were like insulated islands with only surface communication connectivity like road, rail and analog telephones. With the advent of the internet, mobile telephony and then smartphones, these isolated critical infrastructures converged and became interdependent information systems. Information systems helped not only with connectivity; they also contributed significantly to managing and automating the control and processes of critical infrastructures.
Different countries define CII according to the importance they perceive it to have. The following are a few definitions:

  1. The United States: CII is the backbone of national life and economic activities formed by businesses providing services that are extremely difficult to be substituted. If the function of the services is suspended, deteriorates or becomes unavailable, it could have a significant impact on the national life and economic activities.3
  2. India: According to Section 70(1) of the Information Technology Act, CII is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”.4
  3. Australia: The ICT component of critical infrastructure is CII.5
  4. Austria: Critical information infrastructures are those infrastructures or parts thereof which are of crucial importance for ensuring important social functions. Their failure or destruction has severe effects on the health, security or the economic and social wellbeing of the population or the functioning of governmental institutions.6
  5. Russia: Critical information infrastructure is a set of automated control systems and their interaction with information and telecommunications networks, designed to meet the challenges to good governance, defense, security, law and order, and the violation (or termination) of their operation can cause the onset of serious consequences.7
  6. The Internet Engineering Task Force (IETF): Those systems so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety.8
  7. The African Union: Cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability, and for the sustainability and restoration of critical cyberspace.9
  8. European Union: Those interconnected critical infrastructures and information infrastructures, the disruption or destruction of either of which would have a serious impact on the health, safety, security, or economic wellbeing of citizens, or on the effective functioning of government or the economy.10

All these definitions highlight the importance of cyber systems, all the more so because the health and smooth operation of other critical infrastructures depend on them.
The World Economic Forum (WEF), in its 2016 report, depicted breakdown of CII, data fraud/theft and cyberattacks as a major linkage in the Global Risks Interconnections Map of 2016. (WEF says a global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact on several countries or industries within the next 10 years.)

Figure: The Global Risk Interconnections Map 2016 (see endnote 11)

The evolving risk landscape 2007-2016 as projected by WEF12 is as under:

Global Risks in Terms of Likelihood

| Year | First | Second | Third | Fourth | Fifth |
| 2007 | Breakdown of CII | Chronic disease in developed countries | Oil price shock | China’s economic hard landing | Asset price collapse |
| 2008 | Asset price collapse | Middle East instability | Failed and failing states | Oil and gas price spike | Chronic disease, developed world |
| 2009 | Asset price collapse | Slowing Chinese economy (<6%) | Chronic disease | Global governance gaps | Retrenchment from globalisation (emerging) |
| 2010 | Asset price collapse | Slowing Chinese economy (<6%) | Chronic disease | Fiscal crises | Global governance gaps |
| 2011 | Storms & cyclones | Flooding | Corruption | Biodiversity loss | Climate change |
| 2012 | Severe income disparity | Chronic fiscal imbalances | Rising greenhouse gas emissions | Cyber attacks | Water supply crises |
| 2013 | Severe income disparity | Chronic fiscal imbalances | Rising greenhouse gas emissions | Water supply crises | Mismanagement of population ageing |
| 2014 | Income disparity | Extreme weather events | Unemployment and underemployment | Climate change | Cyber attacks |
| 2015 | Interstate conflict with regional consequences | Extreme weather events | Failure of national governance | State collapse or crisis | High structural unemployment or underemployment |
| 2016 | Large-scale involuntary migration | Extreme weather events | Failure of climate change mitigation and adaptation | Interstate conflict with regional consequences | Major natural catastrophes |

The effects of cyberattacks on information infrastructure, and of data fraud or theft, are going to increase in the near future as the Internet of Things becomes the norm. The failure to comprehend risks related to networks of information systems may lead to breakdown of the CII, with far-reaching, adverse consequences on a nation’s economy, defence, and other critical services. A fundamental requirement for any nation is, therefore, to institute proper safeguards to protect CII from falling prey to an adversarial nation, terrorist organisations, or lone wolves in the form of insiders or hackers.

Threats to CII

Increased interdependency and total reliance on often vulnerable information systems has made CII prone to attacks. The threat landscape is depicted below:

Natural Hazards

Natural hazards such as floods, earthquakes, cyclones and tsunamis, among others, can damage information systems, rendering dependent services like telecommunications, the electricity grid, water supply and the internet unusable. History is replete with examples such as the following:

(a) The Fukushima Accident. On 11 March 2011, following a major earthquake, a 15-metre tsunami disabled the power supply and cooling of three Fukushima Daiichi reactors in Japan, causing a nuclear accident. All three cores largely melted in the first three days. There have been no deaths or cases of radiation sickness from the nuclear accident, but over 100,000 people were evacuated from their homes. Official figures show that there have been well over 1,000 deaths from delaying the return of evacuees, in contrast to little risk from radiation if early return had been allowed13.

(b) Floods in Kashmir: All state-owned and private telecommunication networks were affected in the 2014 floods and there was no means of communication between various agencies. The only lifeline available was military communications, which was effectively used in coordinating relief activities.

It is clear that natural calamities can play havoc with national CII, and it is important to factor them in while designing or planning its protection.

Man-made Threats

Worldwide, CIIs remain under man-made threats, some of them explained below:

(a) Action by an Adversary Nation-State: The resources required for a cyber attack on an adversary’s CII, viz., detailed intelligence and technical expertise, are generally available only at the national level. Such an attack can be isolated in the cyber realm or conducted in conjunction with kinetic operations. Cyber attacks by Russia on Georgia in 2008 (distributed denial of service, logic bombs) were followed by kinetic operations.15 A classic example of an attack on CII is Stuxnet, a malware used to damage the centrifuges in an Iranian nuclear facility.16 Another case is the shutting down of the Ukrainian electric grid on 23 December 2015. On that day, Kyivoblenergo, a Ukrainian regional electricity distribution company, reported service outages to customers due to a third party’s illegal entry into the company’s computer and supervisory control and data acquisition (SCADA) systems. Seven 110 kV capacity and 23 35 kV capacity substations were hit, leaving about 225,000 customers without power for three hours. Ukrainian news media reported that a foreign attacker remotely controlled the SCADA distribution management system to cause the outage.17

Cyber security researcher Jeffrey Carr has proved that India’s INSAT 4B satellite was taken down in 2010 by Stuxnet to serve Chinese business interests. On 7 July 2010, a power glitch in the satellite forced India’s leading DTH providers such as Sun Direct, Doordarshan and Tata Teleservices to shift to ASIASAT-5, a satellite owned by the Chinese government. INSAT 4B was using the same Siemens software responsible for activating Stuxnet to disable the Iranian nuclear centrifuges.18

(b) Terrorist Organisations:

In 1998, ethnic Tamil guerrillas attempted to disrupt operations of Sri Lankan embassies by sending large volumes of e-mail. The embassies received 800 e-mails a day over a two-week period.19

(c) Embedded systems:

The information infrastructure, various networks and systems of government and private sector extensively leverage latest technology and commercial electronic components (hardware, software and firmware) procured from global sources. The global commercial procurement may offer availability of state-of-art technology at a competitive price but it can also potentially compromise the supply chain by adversary action in the form of intentional tampering during development, delivering a counterfeit or insertion of malicious software during maintenance, making it easy to manipulate, control or even paralyse another organisation’s systems and data.

In 1982, US President Ronald Reagan approved a CIA plan to transfer to the Soviet Union software used to run pipeline pumps, turbines and valves. The software, subsequently stolen by Russians in Canada, had embedded features (a logic bomb) designed to cause pump speeds and valve settings to malfunction. “The result was the most monumental non-nuclear explosion and fire ever seen from space,” noted former US Air Force Secretary and former Director of the National Reconnaissance Office, Thomas C. Reed, in his book At the Abyss: An Insider’s History of the Cold War.20

(d) Hackers or Lone Wolves:

The possibility of disruptive attacks by individuals cannot be ruled out. The motive could be anything, viz., testing one’s own hacking capability, showing solidarity with a particular organisation, or no reason at all. These persons are akin to misguided missiles. The probability of such lone wolf attacks exists as the entry cost is almost negligible. Evgeny Morozov, in An Army of Ones and Zeroes: How I became a soldier in the Georgia-Russia cyberwar, mentions that he had a much simpler research objective in carrying out a cyber attack: to test how much damage someone who is quite aloof from the Kremlin, physically and politically, could inflict upon Georgia’s web infrastructure acting entirely on his own, using only a laptop and an internet connection. If successful, Morozov thought, he could show that the field is open to anyone to launch a cyber attack against Georgia. This is exactly what happened: an individual without any technical knowledge, just by browsing the net for approximately half an hour, had his e-Molotov cocktail ready to take on Georgia’s information systems.21

(e) Insider Threat:

WikiLeaks is an example of the havoc that can be caused by an insider. If an individual employee of an organisation is compromised, much damage can be done to it. The insider threat can take the form of a disgruntled employee, a compromised worker or even the unintentional hiring of a cyber terrorist or a hacker.

(f) Lack of Training:

The skills and knowledge of staff play an important role in preventing major losses to the organisation. If a person is inadequately trained, then the chances of CII disruption or damage by accident or mistake are higher.

Road Ahead for India

The government of India has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organisation (NTRO) as the nodal agency under Section 70A (1) of the Information Technology (Amendment) Act 2008 for taking all measures including associated research and development for the protection of CIIs in India. Creation of the NCIIPC is a welcome move but making a technical intelligence agency responsible for the task is fraught with inherent limitations. Why a technical intelligence agency has been made responsible defies logic other than that cyberspace was within the charter of NTRO. An intelligence agency has its own work culture and limitations which forbid it to function in an open manner and interact in a joint platform with private enterprises. How the NCIIPC intends to engage civil and private organisations and major operators of information infrastructure is not yet known. The NCIIPC framework has to have coordination among industry and government. It is felt that CII protection should not be solely left to the NCIIPC; rather, it should follow a holistic, multi-stakeholder approach that requires a separate architecture with adequate wherewithal.
The networks of information systems are a complex phenomenon which demands actions from all stakeholders, viz., industry, government, technology experts, researchers and academia. The measures recommended are:

(a) At Critical Information Infrastructure

    (i) Physical Security:

        (a) If feasible, the infrastructure should be sited so as to suffer minimum damage in case of natural hazards

        (b) Have layered physical security to incorporate well-trained guards, electronic surveillance, alarms, electronic locks, etc.

        (c) Access control of sensitive areas in the form of biometric measures

    (ii) E-Security:

        (a) Securing the electronic systems from unauthorised access by means of encryption, making use of available tools like intrusion detection systems, firewalls, etc.

        (b) Taking measures to protect e-transmissions

        (c) Having a strong password policy

        (d) Adequate, well-rehearsed data disaster management drills

    (iii) Human Capital:

        (a) Training the staff in e-security

        (b) Doing a background check on employees handling sensitive appointments or data

(b) NCIIPC:

    (i) Formulating a national strategy on CII protection

    (ii) Identification of CII

    (iii) Perform risk analysis based on various threat scenarios

    (iv) Making available standard operating procedures

    (v) Doing penetration testing of CII systems and analysing the weaknesses

    (vi) Issuing advisories on implementing security programmes

    (vii) Formulation of standards in consultation with industry

    (viii) Best practices

    (ix) Coordination aspects related to CII among various agencies, including international

    (x) Guidance on equipment hardening and testing of critical components

    (xi) Public private partnership

    (xii) Information-sharing on types of cyber attacks is critical to cyber security.

(c) International Level: The following issues need deliberation:

    (i) Sharing of research and security initiatives

    (ii) Legal issues

    (iii) Development of security apparatus

Conclusion

No matter how much one tries, the vulnerabilities of CII will remain, especially when the hardware, firmware and software are produced globally. About 72 percent of Indian companies faced attacks in 2015.22 With rapidly growing interconnected, interdependent operations and digitisation (with Digital India as the flagship programme of the government), the cyber security challenges will only increase with time. Any damage to CII will have a direct impact on national security, economy and civil society. To safeguard and secure CII, all the stakeholders have to work together to evolve innovative security solutions.

Endnotes

  1. Cyberspace and Critical Information Infrastructures by Dan Colesniuc
  2. Critical Information Infrastructure Protection: Analysis, Evaluation and Expectations by Eugene Nickolov
  3. Source: IEEE-USA. Available at http://www.ieeeusa.org/policy/positions/infoinfrastructure.html as quoted in https://www.enisa.europa.eu/topics/national-csirt-network/files/event-files/ENISA_best_practices_for_ciip_Willke.pdf, accessed on 1 June 2016
  4. http://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure, accessed on 10 June 2016
  5. https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Information_Infrastructure#Japan, accessed on 25 June 2016
  6. Austrian Cyber Security Strategy, Federal Chancellery of the Republic of Austria, Vienna (2013)2012 as quoted in https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Information_Infrastructure, accessed on 25 June 2016
  7. National Security of Russia – Information security (February 3, 2012, № 8032012 as quoted in https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Information_Infrastructure as accessed on 25 June 2016
  8. IETF RFC449 Internet Security Glossary 2
  9. https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Information_Infrastructure accessed on 26 June 2016
  10. www.enisa.europa.eu/act/res/files/glossary accessed on 28 July 2016
  11.  The Global Risk Report 2016, available at https://www.weforum.org/reports/the-global-risks-report-2016/, accessed on 20 June 2016
  12.  Ibid
  13. http://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/fukushima-accident.aspx, accessed on 27 June 2016
  14. https://blackboard.angelo.edu/bbcswebdav/institution/LFA/CSS/Course%20Material/BOR4301/Readings/Hurricane%20Katrina%20Communications%20%26%20Infrastructure%20Impacts.pdf
  15. Persistent Enemies and Cyberwar by Brandon Valeriano and Ryan Maness
  16.  Ibid.
  17. http://webcache.googleusercontent.com/search?q=cache:http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf&gws_rd=cr&ei=2MJwV9K-I4frvAT5sJbYDg
  18. http://archive.tehelka.com/story_main51.asp?filename=Ne261111India.asp
  19. https://en.wikipedia.org/wiki/Cyberterrorism, accessed on 27 June 2016.
  20. http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html
  21. An Army of Ones and Zeroes: How I became a soldier in the Georgia-Russia cyberwar, by Evgeny Morozov
  22.  The Economic Times, 01 December 2015

Comments

17 Comments on "Protection of Critical Information Infrastructure: An Indian Perspective"

Raj
Guest

A well researched and Comprehensive Article. All Stakeholders need to wake up at the earliest and work in proactive and synergised manner. “Future of warfare is in ICT domain”. Bugle has already been sounded.

Lewellyn Nott
Guest

The criticality and vulnerability of CII in India has very well been brought out by Col RK Sharma. Along with the Institutional measures being taken to protect CII in India articles such as this shall go a long way in helping informed debate in the public domain. A very well researched and articulated insight.

Mukesh Bansal
Guest

Excellent article. Author has covered the very essence of the topic. The clarity of thought and expression is commendable.

Rakesh Kumar Sanger
Guest

Nice article. Govt must have good team of researchers and developers in IT. Technology will play a major role in coming years and to safeguard we must have secure system in place.

Raj
Guest

Adding on

All Maj countries including our adversaries have taken pragmatic steps.
What is Indian Armed Forces which is among the world’s busiest, engaged in vast and varied operations doing?
To my understanding: not much.
The reason could be, we have little influence in policy making
But then we in services too are not forceful, are hesitant and cautious.

Time and tide waits for none.

Abrar
Guest

Good elucidation of basic facts on critical info. Would recommend a holistic, all-encompassing, vibrant setup, incorporating the civil stakeholders, to address the issue rather than the bureaucratic NTRO. Well written.

Debashish Bose
Guest

An excellent article. Comprehensively brings out at one place the identification features and required action points for CII. There is a strong need for govt agencies to take note and take this forward. Our condition could be as open as the example of “Georgia” quoted in the article. Even putting basic Standing Operating Procedures (SOPs) in place would go a long way in retrieving the situation. Private industry is also equally affected by the implications and an equal party in supporting the initiative.

Pawan Samyal
Guest

An excellent article which is well researched and comprehensive. It brings out the global outlook of the major stakeholders and Indian perspective with a view to improve our CII which is without doubt a multidimensional area of concern. Need to take it forward from here, Well done Rajesh.

Meenakshi
Guest

A good informative article giving practical solutions for protecting critical information infrastructure. Government needs to look into the aspect of agency which should be made responsible for protecting it i.e. is NTRO the right agency as articulated in the paper.

satinder
Guest

A very well written and educative article on Protection of Critical Information Infrastructure: An Indian Perspective by Col R K Sharma. The clarity of thought and essence of topic covered is commendable.

Vibhor Sharma
Guest

A very informative article

Sudesh Dhillon
Guest

The article brings to fore a ‘threat in being’ in the cyber domain. Author has meticulously explained the otherwise complex and intricate issue in easily comprehensible language, duly supported by relevant statistics and facts. It is NOT possible to retract the data already dished out to Cyber World, however, future revelations must be done with adequate caution. Policy, by itself, will not yield much success till the people involved in execution of these policies adequately understand and implement them…

Kailash Ghale
Guest

Well written. The need of the hour is to take concrete steps in protecting our critical information infrastructure

Anurag
Guest

Good article. I agree with you that merely creating another govt organisation is not the answer. This is classic govt response – create this creature called “nodal agency” and staff it with some bureau/techno-crats. Take for example the importance of regular audit for safeguarding CII. Can NCIIPC (or any of its subordinate entities) conduct a comprehensive security audit of the software & systems being used by Banks or telecom or Power Distribution firms? If “Yes” NCIIPC will be blamed for perpetuating Inspector Raj; if “No” it won’t be doing its job! Most likely it will end up doing nothing.…

Anuj Singhal
Guest

An informative article

VIJAY KATOCH
Guest

AN EXTREMELY EDUCATIVE PERSPECTIVE

sahni
Guest

well written and comprehensive

Author

R K Sharma

Col R K Sharma is an army officer serving in Corps of Signals, Indian Army. The...

Protection of Critical Information Infrastructure: An Indian Perspective

CYBER SECURITY

R K Sharma
1 August, 2016
