CRITICAL INFORMATION INFRASTRUCTURE
Critical Information Infrastructure (CII) is a communications or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, national security and other essential social values.
One remarkable feature of these CIIs is that they are interconnected and interdependent. Failure of one CII due to attack (or otherwise) can impact other CIIs.
Various CIIs listed in India:
- Defense
- Space
- Banking and Finance
- Power Generation & Distribution
- Transport
- Public Health
- Water Supply
- Communication
- Sensitive Government Organisations
- Law Enforcement Agencies
- Critical Manufacturing.
- E Governance.
- Census & NPR
Effects of cyber attacks on CII:
- Damage or Destruction of CII.
- Disruption or Degradation of Services.
- Loss of Sensitive / Strategic Information
- Cascading Effect
GUIDELINES FOR SECURITY IN POWER SECTOR (CII), 2021
After a suspected cyber-attack on Mumbai power grid by Chinese hackers, Government has recently released guidelines for the Cyber Security in Power Sector.
About the guidelines:
- The guidelines have been framed by the Central Electricity Authority under the provision of Section 3(10) on Cyber Security in the ‘Central Electricity Authority (Technical Standards for Connectivity to the Grid) (Amendment) Regulations, 2019’.
- These are applicable to all Responsible Entities including power generation utilities, distribution utilities etc. Engaged in the Indian power supply system.
THE GUIDELINES:
- Procurement from Trusted Source: ICT based procurement should be from identified ‘Trusted Sources’ and identified ‘Trusted Products’ or else the product has to be tested for Malware/Hardware Trojan before deployment for use in power supply system network.
- Appointment of a Chief Information Security Officer (CISO) at each responsible entity as well as the setting up of an Information Security Division headed by the CISO.
- Identifying and Reporting threats: The entities will be required to incorporate a procedure for identifying and reporting any disturbances suspected or confirmed to be caused by sabotage and submit the report to the sectoral CERT and Computer Emergency Response Team – India (CERT-In) within 24 hours.
NEED OF GUIDELINES IN OTHER SECTORS
There is dire need of guidelines in other CIIs like:
- Telecom (The Cabinet Committee on Security has approved a National Security Directive on the Telecom Sector).
- Nuclear Power Generation Plants (Cyber attack on Kudankulam NPP in 2019 implies the possibility of future attacks.)
- Logistics Sector (Digitalisation of this sector in the form of Fastag installation on all vehicles makes this sector vulnerable to cyber threats)
