Welcome!
Purpose
The purpose of this site is to inform and guide the leadership, management and workforce of critical sector entities (CSEs) on various aspects related to the use, security and resilience of their digital ecosystem. The content provides a practitioner’s perspective that is also useful to entities in other sectors.
Background
Over the last two decades, India has transformed itself into a highly digitalised nation that has embedded Information and Communication Technology (ICT), Operational Technology (OT) and the Internet of Things (IoT) deeply into almost all aspects of our lives. We now have a vibrant national cyberspace, which manifests through a digital ecosystem formed by a geographically dispersed, interconnected and federated conglomeration of systems, networks, data repositories, applications, devices, processes and services.
Cyberspace is vital to national security, the economy, public health, public safety and overall national well-being. The digital ecosystem enables critical sector entities and other organisations to deliver the national critical functions through business and industrial processes that use the digital infrastructure. Hence, it is essential to build, maintain and continually improve the resilience of the digital ecosystem of our critical sectors in a coordinated manner. Any loss of trust in that ecosystem has severe consequences for users and other stakeholders of the national cyberspace.
The critical sectors in India are listed below:
- Banking, Financial Services and Insurance (BFSI)
- Telecom
- Government
- Power and Energy (P&E)
- Transport
- Strategic and Public Enterprises (S&PE)
- Health
- Defence
Examples of critical functions delivered through the cyberspace in India are listed below:
- Banking, financial markets and insurance payments, transactions, clearing and settlement.
- Voice and data connectivity and internet services.
- E-Governance and citizen services.
- Control, operation and management of utility services like power, fuel, gas, smart cities etc.
- Control, operation and management of transportation services like railway/ metro, air traffic, ports etc.
- Services related to defence, internal security, public safety, and law enforcement.
- Public health related services.
The IT Act 2000 (amended 2008) applies to users and providers of the digital ecosystem, including home users, MSMEs, large enterprises, government & non-government entities. It was framed to help secure the digital ecosystem while in use by the government, businesses and others for their service delivery, business and organisational functions.
The IT Act recognises that the basic responsibility for protecting an entity’s information infrastructure lies with the entity itself. It envisages the possible threats to the digital ecosystem during its use and provides direction and guidance for its protection. Relevant Rules have been framed under the IT Act to enable designated cybersecurity agencies like NCIIPC and CERT-In to oversee, monitor and respond to cyber attacks from malicious threat actors onto the critical information infrastructure (CII) and the national digital ecosystem. There are other Acts and Rules that mandate sector regulators and other authorities to provide regulatory frameworks to secure the critical sectors and build cyber resilience in critical sector entities under their jurisdiction.
Securing the national cyberspace is a collective effort. The public and private entities that own, run, and manage their information infrastructure are responsible for the protection of the same. The intent of the Government is to ensure that adequate checks and balances are implemented, through appropriate legislations, policies and guidelines, for secure and resilient operations of the critical functions and their underlying critical information infrastructure. The intent of national nodal agencies and sectoral regulators is to ensure that cyber risk is appropriately managed in the sectors, to the level demanded by the national interest.
Structure
The site’s documentation section is divided into multiple chapters and topics that reflect the perspectives, concerns and needs of different stakeholders within and across critical sector entities and other organisations.
The Notes, FAQs, Resources and Glossary sections will be populated over time. A Discussions platform is also set up through GitHub for feedback and community engagement.
Context
Cyber-attacks on critical information infrastructure by organised criminal groups, non-state and state sponsored groups can cause debilitating impact to national security, economy, public health and public safety. The critical sector entities that own, run, and manage their critical information infrastructure are responsible for the protection of their computer resources (systems, networks, applications, data repositories and identities). The entities are expected and required to use appropriate technology, implement various best practices and build a competent workforce to achieve a high level of cyber resilience.
The CSEs and other organisations have no dearth of information and guidance from multiple sources to help them secure their IT systems and networks. Yet, a large number of them continue to suffer downtime and losses due to cyber-attacks. An analysis of successful attacks indicates that most of them succeeded because the entities did not or could not apply the cybersecurity information and guidance effectively. A common refrain from cybersecurity experts and empanelled auditors is that a large number of entities have negligible or poor implementation of basic and essential cybersecurity controls. It looks as if the entities “do not understand” or “do not want to implement” cybersecurity.
Interaction with business leaders, managers and the non-IT workforce of entities provides a different perspective. The underlying message from these interactions is that they are unable to integrate cybersecurity into their way of thinking and working – organisational hierarchy, business impact analysis, roles and responsibilities, practices and processes, management systems, reporting structures, RACI etc. Cybersecurity is seen as a technical function that is best carried out by technology experts.
Every organisation has a complex mix of internal and external workforce and other stakeholders, each having their own specific roles, functions, backgrounds, competence and limitations. However, everyone understands the concept of business resilience and can therefore grasp the concept of cyber resilience. Hence, it would be appropriate to convert cybersecurity discussions into cyber resilience discussions, to enable the participation of all stakeholders. This calls for:
- A common vocabulary that business and technical stakeholders can both use to clearly communicate their respective perspectives, both orally and in writing, without ambiguity and misunderstanding. A shared understanding leads to faster and better convergence of perspectives and improves the decision process at all levels.
- A cyber resilience framework that harmonises business, IT and cybersecurity perspectives, as well as government and regulatory guidelines, directives and global best practices.
This site attempts to address the two aspects mentioned above. A common vocabulary is provided through a glossary of terms and definitions that both business and technical users can understand and use. The chapters and topics address various aspects of the cyber resilience framework, covering institutional structures, people, policies, procedures, practices and processes, technology and collaboration.
Many of the insights and perspectives are derived from the practices and processes adopted by organisations having a high level of cybersecurity capability and maturity. Organisations should take this documentation as a generic framework to be further adapted to their specific requirements.
Note
Pictorial representations in the documents are indicative and should be used for triggering discussions on different perspectives.
Contact
For queries, suggestions and feedback, please contact the site administrator at admin@cscin.org.in.