The cybersecurity of critical infrastructure (CI) components is gaining increasing significance, particularly with the rising digitisation of information. CI refers to those facilities, systems, or functions whose incapacity or destruction would have a debilitating impact on a country’s national security, governance, economy and social well-being. Sectors with CI facilities include energy (power, nuclear, petroleum and natural gas); transportation (air, surface, rail and water); banking and finance; telecommunications; defence; law enforcement, security and intelligence; space; sensitive government organisations; public health; water supply; critical manufacturing; and e-governance. Critical information infrastructure (CII), meanwhile, refers to the information and communication technology infrastructure on which the core functionality of CI is dependent.
The typical CII components in an organisation comprise networks (public network, demilitarised zone, militarised zone and intranet) and devices (intrusion prevention systems/intrusion detection systems, firewalls, routers, switches, hardened servers, hardened workstations and secured storage).
The National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency formed under Section 70A(1) of the Information Technology (Amendment) Act, 2008 for taking all possible measures for the protection of CII. Smart Utilities presents an overview of NCIIPC’s role…
Role of NCIIPC
NCIIPC’s primary function is to undertake all possible measures to protect national CII and deliver advice to reduce its vulnerabilities. It is required to identify all CII elements for notification and provide strategic leadership and coherence to respond to cybersecurity threats. It must coordinate, share, monitor, collect, analyse and forecast national-level threats pertaining to CII for the purposes of policy guidance, expertise sharing and situational awareness for early warnings or alerts. However, the basic responsibility for protecting a CII system lies with the agency that runs the system.
NCIIPC also assists in the development of appropriate plans, adoption of standards, sharing of best practices, and the refinement of procurement processes for CII. In addition, it works on evolving protection strategies, policies, vulnerability assessments, and auditing methodologies and plans.
The organisation also undertakes research and development and allied activities to create and develop, in collaboration with others, the technologies and skills required for CII protection. It aims to develop and organise training and awareness programmes, as well as national and international cooperation strategies in this regard.
NCIIPC issues guidelines, advisories and vulnerability notes, etc. for CII in coordination with the Computer Emergency Response Team India (CERT-In) and other organisations working in the field. It exchanges cyber incidents and other information related to attacks and vulnerabilities with CERT-In and other organisations.
The foremost question when it comes to dealing with cybersecurity is about the right time to introduce security into a system or product. It is a good practice to make the system secure at the design phase itself, rather than adding security enhancement features later. This means finalising system security specifications at the request for procurement (RfP) stage itself.
The various factors that make web applications susceptible to cyberattacks include injection flaws, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, cross-site request forgery, use of components with known vulnerabilities, and unvalidated redirects and forwards.
Typically, a vulnerability threat risk (VTR) analysis is done to determine the cyber threat perception to a system. The possible vulnerabilities are identified, and a risk assessment is carried out. Thereafter, security controls are set up to mitigate the risk.
Security controls can comprise a process or a technical device. While they are being set up, it is important to conduct proper documentation; assign roles, responsibilities and liabilities; and set up mechanisms for monitoring their effectiveness.
Organisations can send their VTR analyses, or RfP clauses related to information security, to NCIIPC for review and inputs. NCIIPC can also be requested to send experts to discuss information security.
Implementation of security controls
In order to properly implement security controls, framing an information security policy (ISP) is a must for any organisation. The policy represents the commitment and ability of the management to secure its information, and critical cyber assets. The policy should set roles and responsibilities for its implementation and maintenance, apart from detailing a process for monitoring and reviewing its performance. Any exception to the policy and all changes in processes, systems and architecture must be documented and approved by the senior management.
The other important requirements for organisations to effectively prevent cybersecurity mishaps are:
- A mechanism for handling and reporting cybersecurity incidents.
- Proper documentation of an incident response plan procedure.
- Competent and trained incident response support personnel who are capable of offering advice and assistance on a 24×7 basis throughout the year.
- Carrying out regular testing of the incident response plan.
- Regular reviews of the incident response plan to address systemic, organisational or operational changes encountered during its implementation, execution and testing.
- The reporting of cyber threats and incidents to CERT-In and NCIIPC.
Tailored CVE alerts
NCIIPC sends common vulnerabilities and exposures (CVE) alerts about the latest attacks and threats, as well as security advisories, on a regular basis. It also has access to cross-sector security vulnerability and threat alerts. A CI organisation can send soft copies of its important software, firmware and hardware inventory to NCIIPC in order to receive tailored CVE alerts specific to that inventory.
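To illustrate how an inventory is turned into tailored alerts, the following is an added example (not NCIIPC's own tooling): it matches constructed inventory records against constructed advisory records by vendor, product and version. The record fields, the placeholder CVE identifiers and the dotted-numeric version format are assumptions.

```python
"""Match a CI organisation's asset inventory against CVE advisories.

Added illustration of inventory-based alert tailoring; the advisory and
inventory records below are constructed sample data, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    vendor: str
    product: str
    version: str          # assumed dotted numeric form, e.g. "2.4.9"


@dataclass(frozen=True)
class Advisory:
    cve_id: str           # placeholder identifiers, not real CVE numbers
    vendor: str
    product: str
    affected_below: str   # versions strictly below this one are affected
    severity: str


def version_key(version: str) -> tuple:
    """Convert '2.4.10' to (2, 4, 10) so comparisons are numeric.
    A plain string comparison would wrongly rank '2.4.10' below '2.4.9'."""
    return tuple(int(part) for part in version.split("."))


def tailored_alerts(inventory, advisories):
    """Return (asset, advisory) pairs where an inventory item runs an
    affected version. Vendor/product matching is case-insensitive, so
    inventory spelling differences do not silently drop an alert."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset.vendor.lower(), asset.product.lower()) == \
                           (adv.vendor.lower(), adv.product.lower())
            if same_product and version_key(asset.version) < version_key(adv.affected_below):
                hits.append((asset, adv))
    return hits


# Constructed sample data: one patched and one unpatched HMI, one router.
SAMPLE_INVENTORY = [
    Asset("ExampleCorp", "SCADA-HMI", "2.4.9"),
    Asset("ExampleCorp", "SCADA-HMI", "2.4.10"),
    Asset("OtherVendor", "Router-OS", "7.1"),
]
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "examplecorp", "scada-hmi", "2.4.10", "HIGH"),
    Advisory("CVE-0000-0002", "OtherVendor", "Router-OS", "7.0", "CRITICAL"),
    Advisory("CVE-0000-0003", "Unrelated", "Thing", "9.9", "LOW"),
]
```

Only the unpatched HMI at 2.4.9 produces an alert; the 2.4.10 instance and the router at 7.1 are at or above the fixed versions and are correctly left out.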
Regular cybersecurity audits, both internal and external, should be carried out in CI organisations, with the auditors changing after two or three years. The standard audit frequency is six months for an internal audit, and one year for an external audit. After an audit is complete, a formal sign-off must be taken for residual risks, and the compliance report sent to NCIIPC for review.
CII organisations need to identify the critical components in their IT set-ups and accordingly design and enforce ISPs specific to their organisational needs. They should also undergo regular audits, act on the audit findings, and report post-audit compliance to NCIIPC.
With inputs from presentations by NCIIPC’s Navdeep Pal Singh, Scientist, and Mohammad Zaki Ahmed, Energy Sector Coordinator, at the India Smart Grid Week 2015