India’s Critical Infrastructure and the Need to Evolve Cybersecurity Strategies

By Rama Krishna Murthy Gudipati, General Manager-India, Customer Success, Securonix

The recent cyber attack on the All India Institute of Medical Sciences (AIIMS) has been a wake-up call about the state of cybersecurity in India. The exposure of sensitive health data of senior government officials, military officers, and foreign dignitaries poses multiple national security risks, and necessitated a swift response from the Indian Computer Emergency Response Team (CERT-In). The attack has shown that there are major vulnerabilities in India’s critical infrastructure that threat actors can use to cripple India’s government and economy. It is essential to conduct a thorough audit of the cybersecurity measures of the major institutions that make up India’s critical infrastructure. This should extend beyond government institutions and cover private companies delivering essential services, such as telecom providers and banks.

Taking a holistic and strategic approach

The AIIMS incident is no anomaly or outlier, as cyber attacks have been on the rise in recent years. According to CERT-In, the number of cybersecurity incidents has tripled in the last few years. In 2019, the organisation tracked 3,94,499 incidents, but this number jumped to 11,58,208 in 2020 and reached 14,02,809 in 2021. With growth on this scale, it is essential to have a strategic approach that plots out a trajectory for capacity building and anticipates exponential rises in both the volume and the variety of threats. This strategy needs to be holistic, looking at various parts of the ecosystem such as data governance, policing systems, and sector-specific cybersecurity regulations. The Ministry of Electronics and Information Technology has confirmed that a Draft National Cyber Security Policy has been written by the National Security Council Secretariat, but details remain unclear.

It is essential that this strategy take a holistic perspective toward critical infrastructure. The first place to start would be to shore up the cybersecurity protocols of government institutions and public sector companies. This is especially true for organisations providing essential services, such as DISCOMs, Indian Railways, and the Airports Authority of India, as any failure will have knock-on effects on other industries. As some of these institutions are under the control of state governments, this will be no easy task. Moreover, it is important that any improvements not be a one-time update: putting in place a system for regular updates and audits matters more than ensuring that these institutions have robust cybersecurity measures today. Using cloud-based cybersecurity solutions would be a clear pathway to achieve this at scale, with faster time to value and minimal cost.

Non-governmental critical infrastructure

However, it is important to recognise that, as pivotal as government institutions are to India’s critical infrastructure, there are sectors where private industry is also essential. Perhaps the best example of this is banking and financial institutions. The sheer volume and interlinking of the operations of major banks today mean that even private banks can be points of failure for entire economies. Known to the public as banks that are ‘Too Big to Fail’, these institutions are referred to as Systemically Important Financial Institutions (SIFIs) by regulators like the Reserve Bank of India, which are increasingly passing measures to ensure that the cybersecurity protocols of these SIFIs are robust enough to avert catastrophic economic collapses. However, the recent ‘yogi’ controversy at the National Stock Exchange shows us that there is still scope for improvement.

The AIIMS attack has also shown us that banking is not the only such critical sector. Other sectors, such as healthcare, also need additional cyber protections, yet they do not have the benefit of a vigilant regulator like the RBI that stipulates security protocols and keenly enforces them. Each of these sectors has its own unique requirements and considerations. For example, health data is especially sensitive, cannot be altered (unlike names and addresses), and can be used for a variety of nefarious purposes, from the more straightforward, like financial exploitation, to the more outlandish, like bioweapons.

While some of these concerns sound like they have emerged from a “James Bond” or “Fast and Furious” film, they are more feasible than people may think. This is largely because of the pace of development in certain industries. For example, electric cars are becoming an increasingly large part of the overall car market, and electric vehicles are some of the most sophisticated electronic devices commonly available in the market. Legendary hackers Charlie Miller and Chris Valasek have demonstrated how zero-day exploits and other vulnerabilities can affect cars, which is why the automotive cybersecurity market is projected to grow to $5.6 billion by 2026.

Choosing the right cybersecurity tools

Ultimately, the extent to which these critical sectors are protected from cyber attacks will be determined by the type of cybersecurity measures that are used. Traditionally, cybersecurity protections are designed using an outside-in approach that focuses on setting up strong perimeter defences for networks. This approach, while still necessary, is no longer sufficient given the increasingly cloud-based nature of modern workplaces. Moreover, it fails to adequately protect against insider threats. It is now essential to complement strong perimeters with a zero trust approach that requires authentication at every point of access, regardless of whether a request originates inside or outside the network.

Fully implementing cybersecurity protections that utilise this dual inside-outside approach will require constant monitoring and analysis to ensure full coverage and visibility. By design, attacks are often hard to detect and may appear as a single event or anomaly, such as a dynamic access control change or a port scan at an unusual time of day. Analysts may not be able to correlate these individual events manually, but robust analysis tools that use machine learning can parse vast amounts of log information to identify attacks. To ensure robust protections, it may be necessary to establish data lakes to house the data being generated. This also comes with the added bonus of boosting operations through rigorous analytic insights: a study showed that data lakes can improve organic revenue growth by 9%.
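The point above is that a port scan or an access-control change is weak evidence on its own, and becomes meaningful only when the events from one source are correlated in time. The following Python is an added illustration of that correlation logic, not code from the article or from Securonix: it parses a handful of constructed log lines, flags a source that touches many distinct ports within a short window, checks whether that activity and any later access-control change fall outside assumed business hours (08:00 to 19:00), and combines those individually weak signals into a single score per source. The log format, the event names (`conn`, `acl_change`), the thresholds and the weights are all assumptions chosen for the example.

```python
"""Correlate individually weak events per source into a ranked finding."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One event per line:
# <ISO timestamp> <event type> key=value ...
SAMPLE_LOGS = """
2023-01-10T02:14:01 conn src=10.0.5.23 dst=10.0.1.10 dport=22
2023-01-10T02:14:02 conn src=10.0.5.23 dst=10.0.1.10 dport=23
2023-01-10T02:14:02 conn src=10.0.5.23 dst=10.0.1.10 dport=80
2023-01-10T02:14:03 conn src=10.0.5.23 dst=10.0.1.10 dport=443
2023-01-10T02:14:03 conn src=10.0.5.23 dst=10.0.1.10 dport=445
2023-01-10T02:14:04 conn src=10.0.5.23 dst=10.0.1.10 dport=3389
2023-01-10T02:14:04 conn src=10.0.5.23 dst=10.0.1.10 dport=8080
2023-01-10T02:14:05 conn src=10.0.5.23 dst=10.0.1.10 dport=8443
2023-01-10T02:14:05 conn src=10.0.5.23 dst=10.0.1.10 dport=5900
2023-01-10T02:14:06 conn src=10.0.5.23 dst=10.0.1.10 dport=1433
2023-01-10T02:20:11 acl_change src=10.0.5.23 actor=svc_backup rule=allow-any
2023-01-10T10:05:00 conn src=10.0.7.41 dst=10.0.1.10 dport=443
2023-01-10T10:05:30 conn src=10.0.7.41 dst=10.0.1.11 dport=443
2023-01-10T11:00:00 acl_change src=10.0.7.41 actor=admin rule=allow-https
"""


def parse_line(line):
    """Parse one log line into a dict; returns None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    event = {"ts": datetime.fromisoformat(parts[0]), "type": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    """Parse a whole log text into a list of event dicts."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_off_hours(ts, start_hour=8, end_hour=19):
    """Assumed business hours are 08:00-19:00; anything else counts as off-hours."""
    return not (start_hour <= ts.hour < end_hour)


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Return {src: first_scan_time} for sources that touch at least
    `min_ports` distinct destination ports within `window` (assumed thresholds)."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "conn" and "dport" in e:
            by_src[e["src"]].append(e)
    scans = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda e: e["ts"])
        for i in range(len(conns)):
            ports = set()
            for e in conns[i:]:
                if e["ts"] - conns[i]["ts"] > window:
                    break
                ports.add(e["dport"])
                if len(ports) >= min_ports:
                    scans[src] = conns[i]["ts"]
                    break
            if src in scans:
                break
    return scans


def correlate(events, follow_window=timedelta(hours=1)):
    """Score each source by stacking weak indicators; returns only sources
    with a positive score, as {src: {"score": int, "indicators": [...]}}."""
    scans = detect_port_scans(events)
    findings = defaultdict(lambda: {"score": 0, "indicators": []})
    for src, when in scans.items():
        f = findings[src]
        f["score"] += 2
        f["indicators"].append(f"port scan starting {when.isoformat()}")
        if is_off_hours(when):
            f["score"] += 1
            f["indicators"].append("port scan outside business hours")
    for e in events:
        if e["type"] != "acl_change":
            continue
        src = e["src"]
        if is_off_hours(e["ts"]):
            findings[src]["score"] += 1
            findings[src]["indicators"].append("access-control change outside business hours")
        # The strongest signal is the sequence: scan first, then a rule change from the same source.
        if src in scans and timedelta(0) <= e["ts"] - scans[src] <= follow_window:
            findings[src]["score"] += 2
            findings[src]["indicators"].append("access-control change within an hour of the scan")
    return {src: f for src, f in findings.items() if f["score"] > 0}


if __name__ == "__main__":
    ranked = sorted(correlate(parse_logs(SAMPLE_LOGS)).items(), key=lambda kv: -kv[1]["score"])
    for src, f in ranked:
        print(src, f["score"], "; ".join(f["indicators"]))
```

Run on the constructed sample, only 10.0.5.23 is reported: ten distinct ports in five seconds at 02:14, followed six minutes later by an access-control change from the same source, both outside business hours. The daytime source 10.0.7.41 produces a conn event and a rule change too, but neither is anomalous on its own and nothing links them, so it scores zero. A production tool would learn the baseline hours and thresholds per entity rather than hard-code them, which is where the machine learning mentioned above comes in.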

There is a debate and discussion to be had about which cybersecurity measures are needed to protect India’s critical infrastructure, but there is a clear consensus that such measures are needed. Incidents like the AIIMS attack in India and the Colonial Pipeline attack in the USA show that there are vulnerabilities. CERT-In has acknowledged this situation and is proactively implementing new regulations on this front. However, there will be no one-stop measure that prevents these attacks in perpetuity; protection will require continuous regulatory oversight and, much like most criminal regulation, it will likely be a perpetual cat-and-mouse game. It is therefore essential that processes are put in place to ensure that India’s critical infrastructure is always being protected from cyber attacks.