Cyber attacks on critical infrastructure: Is India prepared?
Last week, a major cyber attack crippled one of the largest pipelines in the United States (US), Colonial Pipeline, which carries about 45% of all fuel consumed on the East Coast. The attack disrupted fuel supplies and caused a surge in gas prices in some parts of the country.
This was a ransomware attack, in which hackers threaten to block the system or publish the confidential data of the targeted company or victim unless a ransom is paid. The US authorities have blamed Darkside, a Russia-based criminal group, for the attack, but so far have ruled out the Russian government’s involvement. Reportedly, the company has paid the hackers nearly $5 million in ransom.
The attack on Colonial Pipeline fits the broader trend witnessed in recent years of cyber attacks on critical infrastructure that needs to be operational at all times, such as traffic systems, banks, power grids, oil pipelines and nuclear reactors.
In recent years, attacks targeting critical infrastructure and businesses have surged. These include the 2017 WannaCry and NotPetya ransomware attacks, the 2015 attack on Ukrainian power grids and the 2010 Stuxnet attack on an Iranian nuclear reactor.
India too has not escaped the impact of such debilitating cyber attacks. The NotPetya attack infected the computer network of Maersk, the world’s largest shipping company. That infection led to further disruption of terminal operations, most prominently of APM Terminals Mumbai, at the Jawaharlal Nehru Port Trust, India’s biggest container port. This disruption further delayed cargo deliveries and interrupted global supply chains. Most recently, in 2020, a China-linked hacker group, RedEcho, targeted India’s power sector, ports and parts of the railway infrastructure, affecting Mumbai.
India’s Computer Emergency Response Team (CERT) and National Critical Information Infrastructure Protection Centre (NCIIPC) have noted several such attacks on India’s critical infrastructure. Last year, national security adviser, Ajit Doval, mentioned that attacks targeting defence and critical infrastructure had surged during the outbreak of the Covid-19 pandemic.
This has made critical infrastructure protection a cyber-security priority for India. The government established NCIIPC in 2014 as the nodal agency to work with the public and private sectors for plugging gaps in their critical infrastructure systems. NCIIPC’s main contribution is detailed operational and technical guidelines for critical infrastructure operators to secure their systems. It also brings out the Common Vulnerabilities and Exposures reports, which alert operators to incoming threats. Further, dedicated CERTs (CERT-Thermal, CERT-Hydro, CERT-Transmission) disseminate information about cyber incidents in the power sector.
Yet, multiple issues complicate India’s response. A significant challenge is the reluctance of the private (and public) sector to share information about the vulnerabilities of their systems.
Critical infrastructure operators have resorted to plugging the security gaps in their systems whenever faced with a cyber attack or data breach. Indian regulators have often complained that this reticent approach of operators and businesses is tactical and short-term, overlooking the possibility of concerted cyber warfare by adversarial states against India.
Given the mutual distrust and vulnerabilities of the public and private sectors, any solution involves sharing responsibility through a public-private partnership for critical infrastructure protection. Such partnerships should focus on building an institutional framework, expanding and deepening capacity, creating security standards and strict audits, and evolving a cyber-security incident reporting framework.
India may not have witnessed the kind of cyber-attack depicted in the 2007 Hollywood film Die Hard 4.0, which cripples transportation, financial and other critical sectors across the US. But our threat canvas and vulnerabilities are expanding. Hence, only an integrated, whole-of-the-ecosystem approach for securing critical infrastructure will be successful.