The article underscores the threat of cyberattacks on the critical infrastructure and also suggests the steps to be taken to secure these infrastructures.
Cyberattack on the power grid
- On October 12 last year, Mumbai plunged into darkness as the electric grid supply to the city failed.
- Recently, a study by Massachusetts-based Recorded Future, said that the Mumbai power outage could have been a cyberattack aimed at critical infrastructure.
- It was carried out by the state-sponsored group Red Echo.
- As recently as in February, the Centre’s nodal agency National Critical Information Infrastructure Protection Centre (NCIIPC) had reported concerted attempts by Red Echo to hack the critical grid network.
- CERT-In, is reported to have detected the ShadowPad malware in one of the largest supply chain attacks a month after the Mumbai outage.
- Many of the suspected IP addresses identified by NCIIPC and CERT-In were the same and most have been blocked in time.
- The Chinese focus in the past was stealing information and not projecting power, but the situation with India might be different.
Why critical infrastructures are so vulnerable
- As many of these critical infrastructures were never designed keeping security in mind and always focused on productivity and reliability, their vulnerability is more evident today.
- With devices getting more interconnected and dependent on the internet facilitating remote access during a pandemic, the security of cyber-physical systems has, indeed, become a major challenge for utility companies.
Critical information infrastructure protection
- For more than a decade, there have been concerns about critical information infrastructure protection (CIIP).
- In January 2014, the NCIIPC was notified to be the national nodal agency for CIIP and over these years has been working closely with the various agencies.
- In January 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), with a budget of Rs 3,660 crore for the next five years, to strengthen the sector.
Way forward
- Most ministries and departments need better budget allocations for cybersecurity as well as a more robust infrastructure, processes and audit system.
- The Industrial Cybersecurity Standards (IEC62443) launched by the Bureau of Indian Standards (BIS), has to be adopted soon.
- For the power sector, a strong regulation on the lines of the North American Electric Reliability Critical Infrastructure Protection (NERC) policy could serve as a guide.
Consider the question “Discuss the importance of critical information infrastructure protection (CIIP)? Also mention the steps taken by the government in this regard.”
Conclusion
Clearly, the incident is a wake-up call for better preparedness in terms of a more robust cyber security ecosystem in place. The new cyber security policy awaiting imminent announcement will hopefully cater to that.
