Cyber attacks on critical infrastructure: Is India ready?
Last week, a major cyber attack crippled one of the largest pipelines in the United States (US), Colonial Pipeline, which carries about 45% of all fuel consumed on the country’s East Coast. The attack disrupted fuel supplies and caused a surge in gas prices in some parts of the country.
This was a case of ransomware attack, where hackers usually threaten to block the system or publish the targeted company or victim’s confidential data, unless a ransom is paid. US authorities have blamed Darkside, a Russia-based criminal group, for the attack, but so far have ruled out the Russian government’s involvement. Reportedly, the company has paid the hackers nearly $5 million in ransom.
The attack on Colonial Pipeline fits the broader trend witnessed in recent years of cyberattacks on critical infrastructure which require to be operational at all times such as traffic systems, banks, power grids, oil pipelines and nuclear reactors. For years, security researchers have speculated about the possibility of the sabotaging of these operations. Now, States, keen to settle their geopolitical scores, have shown that such disruptions are no longer a piece of fiction.
In recent years, attacks targeting critical infrastructure and businesses have surged. These include the 2017 WannaCry and NotPetya ransomware attacks, the 2015 attack on Ukrainian power grids and 2010 Stuxnet attack on Iranian nuclear reactor. The NotPetya ransomware attack impacted operations of multiple companies and reportedly cost $10 billion worldwide in damages. Moreover, to escape responsibility for such debilitating attacks, many States use hacking syndicates as proxies.
India too has not escaped the impact of such debilitating cyberattacks. The NotPetya attack had infected computer network of Maersk, the world’s largest shipping company. That infection led to further disruption of terminal operations, most prominently of APM Terminals Mumbai, at the Jawaharlal Nehru Port Trust, India’s biggest container port. This disruption further delayed cargo deliveries and interrupted global supply chains. Most recently, in 2020, a China-linked hacker group RedEcho targeted India’s power sector, ports and parts of the railway infrastructure, affecting Mumbai.
India’s Computer Emergency Response Team (CERT) and National Critical Infrastructure Protection Centre (NCIIPC) have noted several such attacks on India’s critical infrastructure. Last year, National Security Advisor Ajit Doval mentioned that attacks targeting defence and critical infrastructure had surged during the outbreak of the Covid-19 pandemic.
This has made critical infrastructure protection a major cybersecurity priority for India.
The government established the NCIIPC in 2014 as the nodal agency to work with the public and private sectors for plugging gaps in their critical infrastructure systems. NCIIPC’s main contribution is detailed operational and technical guidelines for critical infrastructure operators to secure their systems. It also brings out the Common Vulnerabilities and Exposures reports, which alert operators on incoming threats. Further, dedicated CERTs (CERT-Thermal, CERT-Hydro, CERT-Transmission) disseminate information about cyber incidents in the power sector.
Yet, multiple issues complicate India’s comprehensive response. A significant challenge is the inhibition in the private (and public) sector to sharing information about the vulnerability of their systems. By revealing their vulnerabilities and, therefore, their proprietary information, businesses fear exposing themselves and losing a competitive edge over rivals. Critical infrastructure operators have resorted to plugging the security gaps in their systems whenever faced with a cyberattack or data breach. Indian regulators have often complained that this reticent approach of operators and businesses is tactical and short-term, overlooking the possibility of concerted cyber warfare by adversarial States against India.
Given the mutual distrust and vulnerability of public and private sector, any solution involves sharing responsibility through a public-private partnership for critical infrastructure protection. These should focus on building an institutional framework, expanding and deepening capacity, creating security standards and strict audits and evolving a cybersecurity incident reporting framework.
India may not have witnessed the kind of cyberattack depicted in the 2007 Hollywood film Die Hard 4.0, which cripples transportation, financial and other critical sectors across the US. But our threat canvas and vulnerabilities are expanding. Hence, only an integrated, whole-of-the-ecosystem approach for securing critical infrastructure will be successful.
Sameer Patil is Fellow, International Security Studies Programme at Gateway House, Mumbai. Previously, he has served in the National Security Council Secretariat.
The views expressed are personal