In 2008, the Indian parliament finally recognized the need for a focussed approach to cybersecurity and separated it into two segments: Critical and Non-Critical. Accordingly, the NCIIPC was created and given the responsibility to protect all critical information infrastructure (CII), and CERT-IN was assigned to manage all non-critical systems.
National Critical Information Infrastructure Protection Centre (NCIIPC) is an organization of the Government of India created under Sec 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification on 16th Jan 2014. It is designated as the National Nodal Agency in respect of Critical Information Infrastructure Protection. NCIIPC monitors and forecasts national-level threats to CII for policy guidance, expertise sharing, and situational awareness for early warning or alerts.
Value added by NCIIPC in cybersecurity:
- Identification of critical sub-sectors.
- Issuance of daily and monthly cyber alerts and advisories.
- Coordinate, share, monitor, gather, evaluate, and anticipate national-level risks to critical information infrastructure (CII) for policy guidance, knowledge exchange, and situational awareness for early warning or alerts. The agency in charge of running a CII system is primarily responsible for keeping it secure.
- Research and development for a secure and knowledgeable environment.
- Assist CII owners in implementing the best practices, standards, and policies for CII protection.
- Create awareness and training around cybersecurity.
- Protect against cyberterrorism, cyberwarfare, and other threats by providing guidance aimed at reducing the vulnerabilities of vital information infrastructure.
- Provide strategic leadership and coherence across governments to respond to cybersecurity threats against the identified critical information infrastructure.
Things wrong with NCIIPC:
- Even if the NCIIPC runs a responsible vulnerability disclosure procedure, the carelessness and lack of communication go completely against the spirit of that program. It is detrimental to their information security posture when they fail to promptly patch highly critical vulnerabilities and notify affected citizens of the incident.
- The ethical hacking organization reports that it found over 13,000 personally identifiable records exposed, as well as instances of file leakage, exposed private keys, and 35 exposed credentials in the NCIIPC servers and applications. After the alert about this, only one-eighth of the total vulnerabilities were patched by the NCIIPC.
- NCIIPC has identified the following as ‘Critical Sectors’: Power & Energy, Banking, Financial Services & Insurance, Telecom, Transport, Government, and Strategic & Public Enterprises. Still, there were attacks that caused havoc for those working in these sectors. From the Oil India Limited ransomware attack in April to the grounded SpiceJet flights in May that left passengers stranded for four hours, to Goa's flood monitoring system in June, to the reported banking data breaches in August, to the more recent cyberattacks on the AIIMS healthcare sector and the onslaught that followed on Safdarjung Hospital in New Delhi, authorities have realized the need to prepare for an escalation in cyberattacks in future.
The development of India's cybersecurity has advanced significantly with the creation of NCIIPC. Because it has introduced CII as a key sector to protect, an Indian institution is finally in place to implement policies that will compel organizations to focus on cybersecurity. However, for some reason, it has not been able to implement them effectively. If the Indian government has identified cybersecurity as a major concern, it must include CII as an important aspect of its security policies.