Understanding Critical National Infrastructure (CNI)
Definition: CNI refers to physical and cyber-based systems, assets, and networks so vital that their incapacity or destruction would have a debilitating impact on:
- National security
- Economic stability
- Public health
- Safety
Key Sectors Under CNI in India
Under the Information Technology Act, 2000, the following sectors are protected:
- Energy and Power: Power grids, nuclear plants, refineries
- Transport: Railways, airports, shipping corridors, digital navigation
- Banking and Finance: UPI payment gateways, banking networks, stock markets
- Telecommunications: ISPs, satellite communications, 5G networks
- Strategic Enterprises: Defense networks, centralized healthcare, urban water distribution
Understanding the IT-OT-IoT Triad
| Component | Function |
|---|---|
| Information Technology (IT) | Manages, processes, stores, and transmits digital data |
| Operational Technology (OT) | Monitors and controls industrial processes and physical machinery |
| Internet of Things (IoT) | Network of connected sensors collecting and exchanging data |
Key Point: Historically, OT networks (controlling power grids, dams) were "air-gapped" (isolated). Connecting them to IT and IoT for remote monitoring creates massive attack surfaces.
Major Threats and Vulnerabilities
1. Supply Chain Infiltration
- Loose tender specifications allow re-branded foreign equipment
- Example: 1.4 lakh Chinese-made Hikvision cameras integrated into Delhi's municipal infrastructure
- Risk: hidden malware or foreign remote shut-off capabilities
2. Weak Credentials
- Millions of IoT devices lack strong security protocols
- Government mail servers and water quality software operate on default manufacturer passwords
3. Quantum Threat ("Harvest Now, Decrypt Later")
- Future quantum computers can break current public-key cryptography
- Adversaries steal encrypted data today to decrypt when quantum capabilities mature
4. Cascading Failures
- Hyper-connected infrastructure means an attack on telecom can cripple banking, power, and logistics simultaneously
5. Legacy Systems
- 60% of PSUs and municipal utilities operate on outdated software
- Basic checklist audits instead of rigorous firmware-level security checks
India's Initiatives to Protect CNI
| Initiative | Description |
|---|---|
| NCIIPC | National Critical Information Infrastructure Protection Centre - designated nodal agency under NTRO |
| CERT-In Drills (2025) | Advanced cybersecurity drills simulating multi-vector attacks |
| I4C | Indian Cybercrime Coordination Centre under MHA |
| IT Amendment Rules, 2026 | 3-hour takedown window for deepfakes/synthetically generated information |
| Trusted Telecom Portal | Mandates procurement of 5G equipment from verified "Trusted Sources" only |
| IndiaAI Mission (2026) | Onboarded 38,000 GPUs for indigenous AI models |
| STQC Hardware Verification | Tests imported IoT devices for hidden data-sharing mechanisms |
Measures to Strengthen CNI Protection
1. Post-Quantum Cryptography (PQC)
- DST Task Force recommendation: Foundation by 2027, full adoption in critical sectors by 2029
2. Zero-Trust Architecture (ZTA)
- Principle: "Never trust, always verify"
- Continuous authentication for every user and device
- Restricts lateral movement of hackers
3. Silicon Sovereignty
- Reduce dependence on foreign supply chains
- Incentivize domestic manufacturing of trusted microprocessors
4. Unified Cyber Command
- Integrate CERT-In, NCIIPC, I4C intelligence
- Centralized apex body for real-time threat response
5. Human Layer Protection
- Localized cybersecurity talent development
- Public awareness campaigns against digital impersonation scams
Constitutional/Legal Framework
- Information Technology Act, 2000 - Legal basis for NCIIPC establishment
- IT Amendment Rules, 2026 - Addressing AI-generated misinformation and deepfakes
UPSC Previous Year Questions
2020: Cyber insurance benefits covered for individuals include cost of restoration of computer system (malware), cost of hiring specialized consultant (cyber extortion), cost of defence in court - Answer: 1, 3 and 4 only
2017: Service providers, data centres, and body corporate are legally mandated to report cyber security incidents
2022 Mains: Different elements of cyber security and examination of India's National Cyber Security Strategy