Protect critical infrastructure
(I wrote this article in 2011. It got published in Salute magzine in July 2014. http://salute.co.in/protect-critical-infrastructure/ and still as relevant, where the governemnt has met most of the issues raised in the Article. This is one of the precusrors to the main article on future plans and recommendation.)
A squadron of Israel Air Force entered the airspace of Syria and pulverised an under construction nuclear fuel enrichment plant of Syria and returned home safely. Not a single shot was fired by Syrian Air Defence system because for those specific moments the Anti-Aircraft Control Plot of Syrian air defence system was disabled by Israel’s Signal Intelligence Unit 8200. Operation Orchard was successful. This is not a description from a Hollywood thriller but a real fact which happened on 06th September 2007. A benign malware Stuxnet was detected in September 2010 that had spread widely but primarily in third world countries like Iran-India-Indonesia. This precision cyber weapon was targeting for Siemens machinery controllers using Programmable Logic Controllers “WinCC/PCS 7” of “SIPLUS Extreme” because this specific PLC configuration was used by Iran’s Nuclear enrichment plant.
Despite extensive infection world over only 12 PLCs were reported to have malfunctioned. The consequence of this cyber attack was that Iran’s nuclear enrichment program was delayed by several months, if not years. The techniques and methodologies used by Stuxnet show that the creator was a nation-state who undertook extensive technical as well as human intelligence operations prior to designing this malware. This is the first formal cyber weapon which was found ‘in the wild’. The artefacts and dissection of Stuxnet pointed fingers towards Israel. Since November 2010, “someone” is using servers located in China to carryout extensive probe and surveillance of networks of petrochemical industries across the world. Mcafee who detected this surveillance has named it Operation Night Dragon.
In 2003, a large portion of US and Canada electric grid failed and it took them three days to revive it. Though the joint investigation report has blamed the legacy systems for the failure their 80% of its recommendations were related to the cyber defence of the electric grid! Consequently, the US had conducted several exercises under the code name Cyber Strom to check the vulnerability of their Critical Information Infrastructure (CIP) and is presently in the process to take appropriate defensive mechanism. India had its own share of attacks and counter attacks on critical information infrastructure. It has been alleged that in 2003, Indian hackers attacked the Karachi Stock Exchange and made it inoperative for three days using “Yaha” virus. A counter attack to penetrate India’s National Stock Exchange, using a launch pad at the network of one of the stock brokers, was foiled in December 2005.
The above examples are not minor incidents of penetration of general purpose computers and stealing documents or defacing websites but real and effective actual attacks impacting critical infrastructure adversely. All these examples are short of a declaration of cyber war and took place with or without the intervention of a nation state. This concern to defend the Critical Information Infrastructure was raised by Mr Vijay K Nambiar, then Deputy National Security Advisor while writing the foreword of International CIIP Handbook 2006, where he wrote, “Whether we compete or collaborate with others, connectedness between people around the world is a fact of life today. Cyberspace has contributed to this reality through the internet and telecom revolutions".
The critical sectors of modern society namely energy (power, oil and natural gas, and nuclear energy) transportation (airways, railways, roads, shipping, and space), law enforcement (defense, police intelligence, and the judiciary), ICT (networks and telecom), the financial sector (banking, trade and commerce, financial instruments, and insurance) and public health (medical care, water, and sanitation) are becoming increasingly dependent on ICT structures for enhancing their efficiency and effectiveness. There are important downsides to this phenomenon in that criminals have found new targets to shake the foundation of our communities.” Unlike most of the countries, India does not have a National Information Security Policy( NISP). NISP which was drafted by National Information Board under the chairmanship of late Mr J N Dixit, after extensive deliberations with more than scores of Ministries / Government Departments and also Industry confederations, is pending approval of Prime Minister’s Office since May 2005.
However, the Department of Information Technology has published a Cyber Security Policy on its website but it is understood that this policy was prepared without consultation with all stake holders. To provide a comprehensive cyber security environment to the country, the National Information Security structure as recommended by the National Information Board in 2005 is placed along in a diagram. However this structure has collapsed in 2006 due to internal squabble of the government but now, once again, attempts are being made to revive it. After extensive collaboration between National Security Council Secretariat, Department of Information Technology and Ministry of Home Affairs, a Statement of Case was prepared by the MHA in 2005 to establish Information Infrastructure Protection Centre (IIPC).
However, since then this SOC is gathering dust in the files of the government. In the meanwhile, the parliamentarians have empowered the government to take suitable steps to protect the national critical information infrastructure through the enactment of Sections 70 and 70 A of IT Act in 2008. The critical information infrastructure in the Indian context is defined at the ‘explanation’ given with the Section 70 of IT Act 2000, where it states, “Critical Information Infrastructure means the computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health and safety.
” The section 70 of IT Act empowers the government to protect the Critical Information Infrastructure by declaring them as “protected system.” Once a necessary gazette is issued any person who unauthorisedly accesses these infrastructures can be arrested under non-bailable provisions of law and upon conviction can be punished for ten years of imprisonment and/or fine, however till such a gazette is issued, as it is today, punishment for unauthorised access to such critical infrastructure is limited to three years imprisonment and the offence is bailable. Therefore the government needs to act promptly to protect critical information infrastructure of the country. Some of the steps which may be taken urgently for CIIP are :
Increase the frequency of meetings of the National Information Board, under National Security Advisor. (Status as on today - ???)
Declare National Information Security Policy. (Status as on today - Need revision)
Create and designate a national nodal agency for protection of Critical Information Infrastructures in accordance with section 70A of IT Act. (Status as on today - Action completed)
In the meantime empower the National Technical Research Organisation to interact with all stake holders and evolve policies and procedures in addition to technical ability to withstand any attack on our infrastructures. (Fresh View - Get NCIIPC out of NTRO because NTRO task is focused on Technical Intelligence, hence to stay out of public view, while NCIIPC taks is to protect Critical Infrastrcture where interaction with the public is a primary function.)
Identify and declare critical information infrastructures (including those held by the private sector) as ‘protected systems’ in accordance with Section 70 of the IT Act. Frame rule, practices and procedures for such protected systems. (Status as on today - Action partially completed)
Re-establish the National Information Security Coordination Cell under PMO/NSCS. Launch extensive campaign for enhancing cyber security awareness in the country involving the private sector. (Status as on today - Action Completed)