Whether or not Chinese hackers gained access to the energy utilities in Maharashtra in the course of final October’s grid failure—The New York Times cites cybersecurity concern Recorded Futures to say Chinese group RedEcho did this whilst the Union government has denied it—India seriously wants to keep ahead of threats when it comes to cybersecurity. Even if it wasn’t the Chinese, lingering suspicion that a cyberattack brought on the outage only underscore the vulnerabilities of India’s cybersafety architecture. Two years ago, the Kudankulam nuclear energy plant had fallen prey to a malware attack. Meanwhile, Indian banks and organizations have been continuous targets for hacking groups.
India was one of the 1st nations to act on cybersecurity and securing essential information and facts infrastructure. The government released recommendations for essential information and facts infrastructure in 2015, outlining six priority regions. But, the response has lagged due to the fact. The recommendations have not been revised soon after 2016—despite cybersecurity needing to be as dynamic as evolving threats—and only prescribe fundamental procedures alternatively of setting sector-sensible requirements. A energy utility can not be asked to maintain the identical level of safety as, say, a bank or a information repository like UIDAI.
The other trouble is that the nodal agency, National Critical Information Infrastructure Protection Centre (NCIIPC), has itself been vulnerable to attacks. Last month, a hacking group had reportedly identified eight safety gaps in NCIIPC architecture, claiming that it was leaking sensitive information and facts. Furthermore, even 3 weeks into the attack, the safety group identified that NCIIPC had patched only one of the eight vulnerabilities.
India has completed properly to companion with international safety agencies to strengthen the cybersecurity framework. However, it also wants to revise regional recommendations and make processes easier. First, there is a want to introduce the National Cybersecurity Policy, 2020. This wants to be complemented with sector-precise typical operating procedures. RBI and Sebi have completed this for banks and monetary firms, but the purview wants to be expanded to other domains. Second, the government has to upgrade its systems, which have been operating legacy computer software, and incorporate new technologies like AI/ML for threat detection. As more services get connected to utilities with IoT devices, there is a want to improved India’s cyberdefence.
More crucial, coordination amongst unique bodies has to strengthen. At present, India has 36 unique coordination agencies below unique departments in addition to, every single state has a state-level laptop emergency response group. All these want to be brought below a single umbrella organisation, in line with what exists in the UK and Singapore. This would assure more quickly reporting and improved coordination in case of a cyberattack. It would also take away red-tape.
At present, monetary entities in India have to abide by RBI, Sebi, CERT and NCIIPC recommendations and report to all these bodies in case of a breach. The state also wants to get started spending more on cybersecurity. Budget information shows that the FY21 allocation for cybersecurity was a mere Rs 170 crore. In contrast, the UK had allocated Rs 18,050 crore for 5 years beginning 2016.