Critical infrastructure is the body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public’s health and/or safety. Critical infrastructure needs to be protected against physical as well as cyber threats. India, being a vast nation, has developed huge infrastructure in multiple sectors that is critical for its economic development, security, health, safety, and national functioning. Hence there is a need for a robust, wide-reaching, and integrated plan and programme to protect this critical infrastructure, as the national well-being relies upon secure and resilient critical infrastructure. To ensure security and resilience, all stakeholders must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment.
The big challenge for any nation is in defining the critical infrastructure that needs to be protected. The major sectors in which critical infrastructure exists in India are: Transportation – rail, road, air, water; Energy and Power – oil and gas, conventional, nuclear, non-renewable, generation and transmission; Food and Agriculture – production, storage and distribution; Communications – telecom, information technology; Defence – strategic assets, research and production; Health Care & Public Health – hospitals, water and waste water systems; Financial Services – banking and insurance; Government Facilities – administration and public services; Manufacturing – chemicals, machinery, metals; Emergency Services – fire, disaster relief; National Monuments and Icons – heritage and religious sites, museums; and Commercial Facilities – office complexes, stock exchanges. Equally important is the Critical Information Infrastructure of these physical infrastructure assets. Holistically, Critical Infrastructure Protection (CIP) encompasses both physical and cyber protection.
Evolving Threats to Critical Infrastructure
The risk environment affecting critical infrastructure is complex and uncertain; threats, vulnerabilities, and consequences have all evolved over the last decade. Critical infrastructure that has long been subject to risks associated with physical threats and natural disasters is now increasingly exposed to cyber risks, which stem from the growing integration of information and communications technologies with critical infrastructure operations and an adversary focus on exploiting potential cyber vulnerabilities. The evolving threats to critical infrastructure fall into the broad categories of adversarial/human-caused, natural, and technological/accidental threats. Critical assets, systems, and networks face many of the threats categorised above, including terrorists and other actors seeking to cause harm and disrupt essential services through physical and cyber-attacks; severe weather events; pandemic influenza or other health crises; and the potential for accidents and failures due to infrastructure operating beyond its intended life span. The potential for interconnected events with unknown consequences adds uncertainty on top of the known risks mentioned above.
Growing interdependencies across critical infrastructure systems, particularly reliance on information and communications technologies, have increased the potential vulnerabilities to physical and cyber threats and the potential consequences resulting from the compromise of underlying systems or networks. In an increasingly interconnected world, where critical infrastructure crosses national borders and global supply chains, the potential impacts increase with these interdependencies and the ability of a diverse set of threats to exploit them. In addition, the effects of extreme weather pose a significant risk to critical infrastructure: rising sea levels, more severe storms, extreme and prolonged drought conditions, and severe flooding combine to threaten infrastructure that provides essential services to the people. Ongoing and future changes to the climate have the potential to compound these risks and could have a major impact on infrastructure operations. Finally, vulnerabilities may also exist because of a retiring workforce or a lack of skilled labour. Skilled operators are necessary for infrastructure maintenance to reduce risks. These various factors influence the risk environment and, along with the government policy and operating environments, create the backdrop against which decisions should be made for critical infrastructure protection.
CIP Protection Measures – India
In India, measures have been taken since 2014 to coordinate Critical Information Infrastructure Protection by setting up the National Critical Information Infrastructure Protection Centre (NCIIPC) at the national level for coordinating and guiding all the stakeholders in protecting their information from cyber threats. Being at a nascent stage, the NCIIPC needs to do much more to be able to fulfil its mandate and keep critical information secure from possible threats. A large number of stakeholders in the states, local bodies and the private sector owners and operators of critical infrastructure have still not registered with the NCIIPC. While the physical security of critical infrastructure, including the strategic assets of some government sectors, is being taken care of by the designated security forces, many other sectors within the government are yet to initiate measures aimed to prevent, protect, mitigate, respond, and recover from any possible physical and cyber threats. The private sector is far behind in its initiatives in physical protection of the critical assets it owns and operates, as it depends on ill-trained and ill-equipped private security agencies. Some big private owners, especially in the IT sector, have taken good initiatives to ward off any possible cyber threats. Overall, the status of Critical Infrastructure physical protection remains rudimentary, while protection from cyber threats has picked up momentum of late.
Need for An Integrated Approach
The set of stakeholders involved in managing risks to critical infrastructure, either individually or in partnership, is wide-ranging, drawn from among central, state, and local governments, owners and operators of critical infrastructure, private businesses, non-profit organisations, and academia. Managing the risks from significant threats and hazards to physical and cyber critical infrastructure requires an integrated approach across these diverse entities with an objective to: identify, deter, detect, disrupt, and prepare for threats and hazards to the nation’s critical infrastructure; reduce vulnerabilities of critical assets, systems, and networks; and mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur. The success of this integrated approach depends on leveraging the full spectrum of capabilities, expertise, and experience across the critical infrastructure community and associated stakeholders. This requires efficient sharing of actionable and relevant information among partners to build situational awareness and enable effective risk-informed decision making.
Elements of the National Plan
Any protection plan should be comprehensive, integrate physical and cyber security of the critical infrastructure, and take into consideration the significant evolution in critical infrastructure risks, government policies, and operating environments. The National Plan should be aligned with the goal of a secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk. This is central to a comprehensive approach for enhancing national preparedness and critical infrastructure risk management activities, and contributes to achieving the National Preparedness Goal. It should provide a framework for the collective efforts of all stakeholders and their ability to make risk-informed decisions when allocating limited resources in both normal and crisis situations. The plan must integrate and create networks of national, regional, state, and local partnerships between government and the owners and operators who have the responsibility of managing risks to enhance security and resilience. The National Plan should establish basic principles which the critical infrastructure community should consider when planning for CIP: risk should be identified and managed in a coordinated and comprehensive way across the stakeholders; understanding and addressing risks from cross-sector dependencies and interdependencies is essential; gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community; the partnership approach to CIP recognises the unique perspectives and comparative advantages of the diverse critical infrastructure community; security and resilience should be considered during the design of assets, systems, and networks.
Way Forward CIP – India
A single point agency, preferably under the Cabinet Secretariat, should be established to lay down policy and guidelines and to carry out coordination on the whole gamut of physical and cyber protection of all national critical infrastructure assets. Organisations responsible for coordination and guidance related to CIP should be nominated at the national, state, local and private sector levels. Critical infrastructure with dependencies and interdependencies in each sector should be identified and periodically updated, and integration of these achieved. CIP plans should be prepared for all sectors and at all levels for individual assets, and these plans should be tested and rehearsed. Resources need to be created and earmarked for each sector to take care of the critical infrastructure of the respective sectors. Mechanisms should be set up for obtaining and sharing information and intelligence related to the threats on a need-to-know basis with all the stakeholders. Exclusive CIP communication networks should be established at all levels for speedy dissemination of information and intelligence, and to ensure quick response in case of any threats.
Critical Infrastructure Security and Resilience in India needs to be addressed on a priority basis by the national, state, and local governments and asset owning and operating entities, as both physical and cyber threats to these critical assets are ever increasing. Any vacillation on this account would be catastrophic. CIP should consist of integrated and coordinated activities based on partnership not only amongst all the stakeholders but also with international agencies.
Col Naidu Gade was commissioned in the Corps of Combat Engineers and commanded an Assault Engineer Regiment. He is a qualified CBRN and C-IED Professional and has served as Joint Director for CBRN Defence. Presently, he is Chief Consultant with ‘CBRNe Secure India’, a ‘forum and a knowledge centre’ for bringing in awareness on the threats arising from the use of CBRNe material and their disastrous consequences.