The article highlights the growing vulnerability of India's **Critical Information Infrastructure** (CII) due to rapid digital transformation and the integration of IoT devices. While traditional cybersecurity measures focus on IT systems, the physical infrastructure—power grids, fuel supply chains, and industrial plants—is increasingly connected to the internet, creating new avenues for remote disruption. The author stresses the need for rigorous certification of imported devices and a shift towards trusted indigenous technologies to ensure national security and economic stability.
The protection of Critical Information Infrastructure (CII) is a core component of national security. Under Section 70 of the Information Technology Act, 2000, CII is defined as a computer resource whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety. The National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency designated to protect these assets. The article emphasizes that the threat landscape has evolved beyond traditional IT systems to encompass Operational Technology (OT) (systems that monitor and control physical devices) and the Internet of Things (IoT). Adversaries can now target these interconnected physical systems, leading to real-world disruptions, such as the targeting of fuel supply chains or power grids. UPSC often tests the understanding of these evolving threats and the institutional frameworks in place to counter them, especially in the context of state-sponsored cyber-attacks.
The integration of Information Technology (IT), Operational Technology (OT), and the Internet of Things (IoT) represents a significant technological shift in managing critical infrastructure. Previously, industrial control systems like SCADA (Supervisory Control and Data Acquisition) were isolated networks (air-gapped). However, the push for automation and predictive maintenance has led to these systems being connected to the internet. This convergence creates a complex attack surface. An attacker exploiting a vulnerability in an IoT device (like a temperature sensor or an e-lock on a fuel tanker) can potentially manipulate physical processes controlled by the OT layer. The article points out a critical flaw: the certification process for these interconnected devices is often inadequate. Institutions like the Standardisation Testing and Quality Certification (STQC) Directorate provide testing, but the sheer volume and variety of IoT devices outpace the current regulatory capacity. For UPSC Prelims, understanding the distinction between IT, OT, and IoT, and the specific vulnerabilities they introduce, is crucial.
The article raises concerns about the procurement policies of government departments and Public Sector Undertakings (PSUs). Despite the national push for Atmanirbhar Bharat (Self-Reliant India) and Make in India, the practical implementation in procurement often falls short. Tenders frequently rely on superficial, template-based compliance checks rather than in-depth security evaluations of the origin, manufacturing, and potential vulnerabilities of the equipment. This allows potentially compromised or unverified imported devices (especially those with communication capabilities) to be embedded within sensitive national infrastructure. The government must enforce stricter guidelines under the Public Procurement (Preference to Make in India) Order, 2017 to ensure that critical sectors prioritize trusted, indigenous technologies. The lack of stringent enforcement of IT guidelines and IoT policies for national-level infrastructure highlights a significant governance gap in ensuring the security of the digital supply chain.