Welcome!
Purpose
The purpose of this site is to inform and guide the leadership, management and workforce of critical sector entities (CSEs) on aspects related to the use, security and resilience of their digital ecosystem. The content provides a practitioner’s perspective that is also useful to other stakeholders operating in the national cyberspace.
Important
All rights and credit go directly to their rightful owners. No copyright infringement intended. Wherever applicable, users shall ensure that they possess a rightful copy of the applicable standard(s) and there is no infringement of copyright of the originators/ owners of referred standards.
This documentation draws its inspiration from the National Cybersecurity Reference Framework (NCRF) and a wide variety of other sources, almost all of which have been referenced in footnotes. In some cases, source text has been used directly where it helps the readers to understand the context and use. While substantial editorial effort has been put in to ensure that copyrighted or controlled work is correctly attributed, it is possible that some copyrighted work still needs attribution or additional permissions. Copyright holders are therefore requested to indicate if any material is in conflict with their copyright and the action that should be taken to resolve the same.
Background
Over the last two decades, India has transformed itself into a highly digitalised nation that has embedded Information and Communication Technology (ICT), Operational Technology (OT) and the Internet of Things (IoT) deeply into almost all aspects of our lives. We now have a vibrant national cyberspace, which manifests through a digital ecosystem.
Cyberspace is vital to national security, the economy, public health, public safety and overall national well-being. The digital ecosystem enables critical sector entities and other organisations to deliver the national critical functions through business and industrial systems that run on an underlying digital infrastructure. Hence, it is essential to build, maintain and continually improve the resilience of the digital ecosystem of our critical sectors in a coordinated manner. Any loss of trust in that ecosystem has severe consequences for users and other stakeholders of the national cyberspace.
The critical sectors in India are listed below:
- Banking, Financial Services and Insurance (BFSI)
- Telecom
- Government
- Power and Energy (P&E)
- Transport
- Strategic and Public Enterprises (S&PE)
- Health
- Defence
Examples of critical functions delivered through the cyberspace in India are listed below:
- Banking, financial markets and insurance payments, transactions, clearing and settlement.
- Voice and data connectivity and internet services.
- E-Governance and citizen services.
- Control, operation and management of utility services like power, fuel, gas etc.
- Control, operation and management of transportation services like railway/ metro, air traffic, ports etc.
- Services related to defence, internal security, public safety, and law enforcement.
- Public health related services.
The IT Act 2000 (amended 2008) applies to users and providers of the digital ecosystem, including home users, MSMEs, large enterprises, and government and non-government entities. It was framed to help secure the digital ecosystem while it is in use by the government, businesses and others for their service delivery, business and organisational functions.
The IT Act recognises that the basic responsibility for protecting an entity’s information infrastructure lies with the entity itself. It envisages the possible threats to the digital ecosystem during its use and provides direction and guidance for its protection. Relevant Rules have been framed under the IT Act to enable designated national nodal agencies like NCIIPC and CERT-In to oversee, monitor and respond to cyber attacks by malicious threat actors on the critical information infrastructure (CII) and the national digital ecosystem. Other Acts and Rules mandate sector regulators and other authorities to provide regulatory frameworks that secure the critical sectors and build cyber resilience in the critical sector entities under their jurisdiction.
Securing the national cyberspace is a collective effort. The public and private entities that own, run, and manage their information infrastructure are responsible for the protection of the same. The intent of the Government is to ensure that adequate checks and balances are implemented, through appropriate legislations, policies and guidelines, for secure and resilient operations of the critical functions and their underlying critical information infrastructure. The intent of national nodal agencies and sectoral regulators is to ensure that cyber risk is appropriately managed in the sectors, to the level demanded by the national interest.
Structure
The site’s documentation section is divided into multiple chapters, sections and topics, covering the perspectives, concerns and needs of different stakeholders within and across critical sector entities and other organisations.
The Notes, FAQs, Resources and Glossary sections will be populated over time. A Discussions platform is also set up through GitHub for feedback and community engagement.
Context
Cyber-attacks on critical information infrastructure by organised criminal groups, non-state and state sponsored groups can cause debilitating impact to national security, economy, public health and public safety. The critical sector entities that own, run, and manage their critical information infrastructure are responsible for the protection of their computer resources (systems, networks, applications, data repositories and identities). The entities are expected and required to use appropriate technology, implement various best practices and build a competent workforce to achieve a high level of cyber resilience.
The CSEs and other organisations have no dearth of information and guidance from multiple sources to help them secure their IT systems and networks. Yet, a large number of them continue to suffer downtime and losses due to cyber-attacks. Analysis of successful attacks indicates that most of them succeeded because the entities did not or could not apply the available cybersecurity information and guidance effectively. A common refrain from cybersecurity experts and auditors is that a large number of entities have negligible or poor implementation of basic and essential cybersecurity controls. It looks as if the entities “do not understand” or “do not want to implement” cybersecurity.
Interaction with business leaders, managers and the non-IT workforce of entities provides a different perspective. They are usually unable to integrate cybersecurity into their way of thinking and working – business impact analysis, roles and responsibilities, practices and processes, management systems, reporting structures, RACI etc. Cybersecurity is seen as a technical function that is best carried out by technology experts.
Every organisation has a complex mix of internal and external workforce and other stakeholders, each having their own specific roles, functions, backgrounds, competence and limitations. However, everyone understands the concept of business resilience and can therefore grasp the concept of cyber resilience. Hence, it would be appropriate to convert cybersecurity discussions into cyber resilience discussions, to enable the participation of all stakeholders. This calls for
- A common vocabulary that business and technical stakeholders can both use to communicate their respective perspectives clearly, both orally and in writing, without ambiguity or misunderstanding. A shared understanding leads to faster and better convergence of perspectives and improves the decision process at all levels.
- A cyber resilience framework that harmonises business, IT and cybersecurity perspectives, as well as government and regulatory guidelines, directives and global best practices.
This site attempts to address the two aspects mentioned above. It provides a common vocabulary through a glossary of terms and definitions that both business and technical users can understand and use. The chapters, sections and topics harmonise different aspects of cyber resilience, such as institutional structures, people, policies, practices and processes, technology and collaboration.
Many of the insights and perspectives are derived from the systems and practices adopted by organisations having a high level of cybersecurity capability and maturity. Organisations should take this documentation as a generic framework that is further adapted for their specific requirements.
Note
Pictorial representations in the documentation are indicative and should be used for triggering discussions on different perspectives.
Audience
Organisations, such as the CSEs, national agencies, regulators, Central Government ministries and State departments, constitute the primary audience for this documentation. They will find this documentation useful for articulating different perspectives, both internally and externally with other stakeholders.
The increasing scale and complexity of business and technology is forcing many organisations to depend on competent service providers, who can enable and support them in the work related to governance, risk, compliance and audit management, design and architecture, systems and security engineering, business and technology processes, and workforce productivity. All such service providers will find this documentation useful for exchanging their perspectives with the primary audience in an unambiguous manner.
The primary audience also looks up to Research and Academia to provide them with innovative and future-proof solutions that leverage technology, analytics and AI/ML. The research and academic teams will also find this documentation useful for reaching a common understanding with the primary audience.
Contact
For queries, suggestions and feedback, please contact the site administrator at admin@cscin.org.in or the author at kpbhat@cscin.org.in.