A look at India’s preparedness to tackle cyber threats from state and non-state actors
A few years ago, a public sector undertaking (PSU) in the manufacturing sector took part in a power plant’s contract bidding. It lost the contract to a Chinese firm. Most Chinese companies are known for their aggressive bidding, as they quote the lowest. They have been giving nightmares to many Indian PSUs, and private sector companies, for over ten years, by outbidding them in various tenders worth several thousand crores. This time, however, it was not just a case of aggressive bidding. The Chinese, says an official aware of the matter, had access to the turbine/product drawings, an intellectual property of the PSU. The Chinese firm submitted these drawings during the bid process, which led to its selection.
After a few months, an Indian intelligence agency came across the drawings submitted by the Chinese firm. They were suspicious of the originality of the design. A cyber forensic expert, helping the Indian agency, then contacted the PSU and sought its drawing number scheme. Each drawing has a unique number. “They [Chinese firm] took the drawing, changed it slightly and made a new copy. During detailed examination, however, it was found that they didn’t change the numbers completely,” says the official.
It was a classic case of cyber espionage, says the official. Many oil and gas exploration companies too have been targeted, disabling their chances of winning a contract. It is not clear if the government has investigated, or taken any action on, the cyber espionage cases, which have been happening for more than a decade.
On December 23, 2015, Russian military-backed hackers infiltrated the IT system of the Ukrainian power grid and caused a blackout affecting lakhs of people for several hours. A similar attempt was made in 2016. The US department of energy said in January that there is a looming threat to power grids and power plants from the state actors in the country. The US and Ukraine are advanced economies, with higher levels of automation and security across industries.
India has, relatively speaking, moved up significantly in automation. The protection of the automated and unautomated systems, which run most of the critical infrastructure, however, is still in its early days. India doesn’t have a strong defence mechanism to deal with threats from state actors. It has come a long way though. Here is a brief on the major works undertaken by the government in the last ten years in cyber security.
Institutional and regulatory changes
For the first time, the government defined critical infrastructure under the IT (Amendment) Act, 2008, as “computer resource, the incapacitation or destruction of which, shall have the debilitating impact on national security, economy, public health or safety”. Section 70A of the IT Act provided statutory backing to the Indian computer emergency response team (ICERT), which served as the sole agency to look at cyber incidents across the country. Section 70B, however, proposed to set up a new agency, National Critical Information Infrastructure Protection Centre (NCIIPC), to look at the protection of critical information infrastructure (CII).
While the ICERT worked under the ministry of electronics and information technology (MeitY), the government planned to place the new body under the National Technical Research Organisation (NTRO). In 2012, the NTRO created NCIIPC. The agency was eventually notified in January 2014.
Historically, the Indian intelligence and military organisations have been carrying out cyber espionage for several years. But there were none when it came to defending the country’s own critical sectors and organisations. ICERT provides help in case of a cyber breach irrespective of the organisation where it took place, critical or noncritical. NCIIPC, on the other hand, was established as a dedicated agency to look after the critical information infrastructure.
According to the government notification, “The NCIIPC shall essentially protect and deliver advice that aims to reduce the vulnerabilities of critical information infrastructure, against cyber terrorism, cyber warfare and other threats”. The agency should identify “all CII elements” and provide “strategic leadership and coherence” across the government to respond to cyber security threats. Given its mandate, the government recruited officials for the NCIIPC from the three defence services.
In 2015, the NCIIPC issued guidelines for the protection of CII, to be complied with by the respective organisations. This was in line with the international cyber security standard, ISO 27001. It provided for 36 information security controls. These are broadly categorised as planning, implementation, operational, disaster recovery, reporting and accountability controls. A few key controls include penetration testing, APT (advanced persistent threat) protection, threat reporting to government agencies and compliance with security recommendations.
Last year, it also issued a standard operating procedure for cyber auditing. In between, the ICERT also issued a crisis management plan, outlining processes to deal with cyber incidents and communication with monitoring agencies. In 2010, the ministry of power created four different CERTs for thermal power, hydropower, transmission and distribution. The government move came close on the heels of Stuxnet – a sophisticated malware, a cyber weapon, developed by the US and Israel, that took down hundreds of revolving cylindrical centrifuges at Iran’s Natanz nuclear plant, delaying the programme by several days.
In 2013, the government also proposed to set up a National Cyber Coordination Centre (NCCC) to detect malicious traffic on the internet and network and analyse metadata. The idea was to analyse traffic on a real-time basis and alert organisations in advance, in case of detection. The proposed centre, which was initially thought to be placed under the NCIIPC, is now being set up under the ICERT supervision.
Reality check
In the last three years, the NCIIPC has turned into an advisory body, lacking regulatory powers. It limits itself to sending alerts, issuing guidelines and occasionally seeking security compliance reports from critical infrastructure organisations.
“The idea was to create an agency which can identify critical and protected systems across organisations and do an annual review of organisations on compliance of these controls,” says Muktesh Chander, an Indian police service official and former director, NCIIPC, who wrote the initial draft of the guidelines.
“This would have given the government of India a clear view of the level of preparedness of critical facilities — the ‘baseline’ data. We would have had an index to measure it. I don’t think there has been any substantial progress in the last three years,” he adds.
In the last three years, only three organisations – Unique Identification Authority of India, Delhi Metro Rail Corporation and the navy – have declared their IT systems as CII, multiple sources confirmed to Governance Now. When a critical organisation declares one of its systems as ‘critical information infrastructure’, its security becomes a shared responsibility of the central government, and in case of any legal consequence the government supports it.
Governance Now spoke to a couple of PSU banks, a few PSUs in the power and energy sector and a few in the transport sector. They admit receiving regular advisories from ICERT and NCIIPC as far as their business networks, which facilitate management of the organisation, are concerned.
Either of these two organisations conducts a cyber drill or audit of the business network once a year or once in two years. But the industrial control systems (ICS) are managed by the instrumentation and engineering team, without any federal oversight. Alerts and advisories are the only support provided by the NCIIPC and ICERT to the instrumentation teams.
In critical sectors including power, oil and gas, there are two types of crucial or critical IT assets: one is related to the core business, having entire financial, product design and human resource records. The other is related to industrial control systems, which are managed by computer networks. An intrusion in the business network results in financial losses, while an intrusion in the industrial control system could shut down the production facilities and even cause accidents, endangering lives.
Yet no industrial control systems breach has been reported by the country. “Unlike Ukraine, India has been lucky so far”, says an official dealing with industrial control systems of a PSU. “It is the country’s fortune that Pakistani hackers are not skilled enough to break into the industrial control systems. They are happy in defacing websites (a child’s play in the world of hacking). They have some ground capabilities, and hence inflict physical damage, but not in the cyber world,” the official adds. China, on the other hand, is focused on cyber espionage, collecting strategic and financial intelligence. “They haven’t yet meddled with industrial systems – not that we are aware of,” he says.
Most of these threats come from state-backed hackers. India is unprepared to deal with such hackers. “It requires a strategic initiative by the government. It can’t be done by companies alone. It has to be done centrally,” says Sivarama Krishnan, leader, cyber security, PwC India.
Cyber espionage, says Krishnan, happens because of the silliness of companies. Business espionage is a common phenomenon. It has nothing to do with national security. “If I am bidding, I need to make sure that information is protected. Even competitors would do it,” he says.
Information security awareness and management are largely weak in the power and energy sector. Although major PSU organisations have implemented the ISO 27001 standard, a large part of the private sector and state-owned corporations in the power sector are still grappling with putting up a basic information security mechanism.
Many of them have not even appointed chief information security officers (CISOs) – the first step in the information security management. “Of the total 39 thermal power generation companies owned by the states, only 27 have appointed CISOs. And of the total 38 private sector companies only two have CISO,” says a senior official with the NTPC, which also serves as the sectoral CERT for thermal power generation companies.
“We have audited some of these organisations falling in the critical category. Their security system was so weak that it could be hacked by a geek. It is in a mess,” says Dinesh Pillai, CEO, Mahindra Special Services Group, a MeitY-empaneled auditor.
Notifying ‘protected’ systems
Officials in critical organisations say that though they have identified critical systems, the top management is yet to make up its mind on declaring them as CII. There is a catch here. “Once you notify your infrastructure as CII, you have to make a big investment on physical and cyber security, complying with the NCIIPC guidelines. Notification itself will make the infrastructure a target for hackers,” says a senior official at a public sector bank.
An official working with the Indian railways flagged similar concerns. “The railway board decides these matters [notifying specific computer systems as critical]. The board hasn’t taken any action yet on the guidelines issued by the NCIIPC,” he says. In the Indian railways there are systems which support automatic signalling on busy routes and junctions like Mughalsarai and Kanpur. “In some places, like Mumbai suburban and New Delhi, the automatic signalling is in place. It can be hacked because it is run through computers. But it’s not on a network,” says the railway official, adding, “By design, a stripped version of Windows, like in ATMs, is used.” The air-gap security arrangement – disallowing integration of an IT system with a network – is not impregnable. Malware could be delivered through a USB dongle. A hack into these systems could lead to accidents. Declaring these systems ‘protected’ – as done by DMRC – would be a step in the right direction.
Auditing & penetration testing
The NCIIPC guidelines call for periodic audit and vulnerability assessment of critical organisations. The audit, however, is always done in a compliance mode, says Dinesh Pillai of Mahindra Special Services Group. Under this mode, only formal testing is done, whereby one just ticks the boxes, which is completely useless, he adds.
Usually, while doing vulnerability assessment, explains Pillai, whose clientele includes Airport Authority of India, Union Bank and ICICI Bank, organisations ask information security professionals to run some tools on the network. The information security team flags applications which are not patched (upgraded). The report is then given to the IT head. After that no one really checks what happens to the vulnerabilities. They are simply identified and not rectified. That is the end of the story. “If in quarter one, we identify a vulnerability, the same vulnerability appears in quarter two scan, which means it wasn’t patched earlier,” he says.
Every system which gets compromised has gone through hundreds of compliances. Hence, when an assessment is happening, ideally the security team should really try to penetrate the system. “This would be a shift from the compliance mode to figure out possible ways through which a breach can take place,” says Pillai. But this is something which companies are not willing to do.
ICERT is supposed to find and accumulate vulnerabilities and pass them on to organisations and people. Again, ICERT is just an advisory body and organisations have the option to neglect it, says Pillai.
At present, ICERT and NCIIPC don’t do any auditing at all. Standardisation, Testing and Quality Certification (STQC) and Centre for Development of Advanced Computing (CDAC), Pune, both under the MeitY, do it. STQC, however, specialises in testing and certification of electronics and IT. It has limited human resource when it comes to information security audit. It certainly doesn’t have any expertise in auditing or security of industrial control systems or more sophisticated IT or Internet of Things networks.
“STQC doesn’t have expertise in hardware security. Security is highly specialised. It doesn’t have the skill sets. It only does testing of the application,” says a MeitY official. It won’t be able to crack a security-related flaw, the official adds. “It also depends on the complexity of a product. Some telecom products are very complex. STQC is not able to do that. You can’t do lip service to these things. That’s what is happening here,” he says.
Lack of funds
Although the investment on security in the private sector has increased over the years, as evident from an Ernst and Young 2016-17 survey, it is still not enough, if an organisation has to comply with the 36 controls highlighted by the NCIIPC. “If you have to implement these guidelines... then you need to have so much of technology, it will cost a bombshell,” says Pillai. This is going to cost a few million dollars.
And this is not sector specific. It is happening with most organisations. Most of these companies are in the government vertical. “They follow the CVC [central vigilance commission] guidelines and select the lowest bidder. Invariably, the best guys never get the job,” he says. A lot of the critical sector companies, including telecom and power, are already running on a thin margin. Increasing spending on security will be a challenge for them.
The railway official says that whenever auditing is done, the vulnerabilities are flagged. Now to even fix those gaps, one needs adequate funding. And if NCIIPC guidelines have to be followed in letter and spirit, the security budget will have to be simply doubled. It is not clear if the railway board will do so, he says.
Mandatory disclosure
Despite years of deliberations, notifications and rules, organisations don’t report cyber incidents voluntarily to the law enforcement agencies. The cyber attack on several banks last year, including the ATM card breach which impacted millions, was never reported, until agencies contacted them.
“Most of the time they [organisations] would try to mislead and take a position that nothing has happened,” Dr Gulshan Rai, national cyber security coordinator, who also works at the national security council secretariat under the prime minister’s office, said earlier this year.
This is because the breach disclosure clause, as in the 2015 guidelines, whereby critical category organisations ought to report a cyber attack to NCIIPC, is not mandatory. “It should be made mandatory by law. As long as it is not mandatory, it will never be complied with. It can also be done by an order of the government,” suggests Chander.
“India is a country where people wear helmets only because there is a penal provision attached to it. Unless you start measuring the effectiveness of control you have implemented, the situation will not change much,” says Pillai.
Scanning cyber space
To detect malicious traffic on the internet and network, access to metadata flowing through networks is necessary. But the proposed NCCC, which is supposed to analyse the traffic on a real-time basis, is not yet established.
The MeitY claimed that the NCCC will be up and running by June this year. At present, ICERT is even recruiting cyber security professionals for the centre. Some 40 cyber security professionals will be manning the centre, says another MeitY official. According to Krishnan of PwC, the NCCC will be using US-based security solutions provider RSA’s tool for scanning the web, which is already obsolete.
Moreover, the overlapping responsibilities of ICERT and NCIIPC add to the complexity. Both organisations, under the IT Act, are empowered to scan the web as both have the mandate to provide alerts well in advance. Several officials blame the delay in the working of NCIIPC and commencement of the NCCC project on the turf war between the two agencies.
“The NCIIPC works under NTRO, which in turn reports to PMO. However, it derives its power from the IT Act, which is dealt by the IT ministry,” says Krishnan.
The duplication of cyber monitoring agencies creates a nuisance for the user organisations. “We keep sending reports to multiple organisations, to CERT, NCIIPC, to our respective ministries. There is no single line of command and reporting, which would make our job easier,” says a PSU official.
Is there a way out?
First and foremost, organisations including those in the critical sectors must appoint CISOs and comply with the ISO 27001 standard. Although compliance with NCIIPC guidelines or the ISO standard alone will not make them invincible, it will at least make them compliant with basic security levels. That could be a starting point for measuring their preparedness against cyber attacks and threats from state and non-state actors, say officials from power sector companies.
There is also a need to have a cyber security evaluation matrix. “How will you rate organisations otherwise?” asks Chander. Though NTRO and IIT Delhi did make a matrix around 2012-13, it is not yet clear whether the matrix has been finalised, as there is no news on it. Chander was transferred from the NTRO in mid-2013.
Also, at present there is only one set of NCIIPC guidelines for all the different sectors. “In each sector, the technicality and functionality are different. There is a need for sector-specific guidelines. They have not been issued yet,” he says. Moreover, a separate CERT is required for the industrial control systems.
CISOs should be empowered and given administrative powers. At present, organisations do not comply with the orders and suggestions of a CISO.
Usually, CISOs report to the IT head of an organisation. “Ideally, CISO should report directly to a board member, if not the CMD,” suggests a power sector official.
Some experts in the MeitY and industry believe that the government should either create a new organisation under the PMO having regulatory and punitive powers to protect critical infrastructures, or it must entrust NCIIPC and ICERT with adequate powers and human resource to fill the leadership gap.
“There has to be a good amount of R&D investment in developing indigenous security products and solutions. Like China has developed its own firewall shielding their cyber space, the [Indian] government will have to create capacities and capabilities within the country,” recommends Krishnan.
pratap@governancenow.com
(The story appears in the July 1-15, 2017 issue of Governance Now)