External Context

The interconnected and digitalised world requires a constant alignment of an enterprise’s mission, objectives, and functions with the larger context of the national, regional, and sectoral ecosystem in which the enterprise or organisation operates. The external context of an entity includes the customers/ users of an entity’s services, as well as the suppliers, service providers, auditors and supporting agencies. In the case of regulated entities and CSEs, the national bodies, viz, the government, regulators, nodal agencies, and other authorities, are important stakeholders/ interested parties, having legal, regulatory, oversight and advisory responsibilities over the entities.

Business and Digital Ecosystems

In modern business, it is very rare that a CSE operates in isolation. They engage with their customers and users, suppliers and service providers, regulators and national nodal agencies, and in the case of PSUs, their administrative ministries. The CSEs and their business partners use a variety of business systems to provide and use services, and to process and exchange information within their respective organisations and across the business ecosystem.

The business systems of an entity are conceptual or logical systems. In practice, the business processes and information flows of business systems are enabled by technology through digital transformation initiatives. The resulting digital systems comprise ICT infrastructure, software platforms, applications and data repositories that the CSE’s workforce and automation engines use to carry out the CSE’s business functions. The CSEs interact with their users, customers, partners, service providers and national bodies through the larger digital ecosystem.

The business and digital ecosystems of a CSE in the Indian context are pictorially shown below:

Figure: Federated Digital Ecosystem

Each organisation in the digital ecosystem is responsible for its own IT and information security. The organisations must, however, be aware of and responsive to the information security needs of other participating entities within the federated ecosystem, and comply with directions, guidelines and standards prescribed by law, regulation, and mandates of nodal agencies. Every organisation in the complex, federated ecosystem is ultimately responsible for carrying out due diligence, not only about its own information security but also with respect to all parties in its external context.

The National Cyberspace

The digital ecosystem is a manifestation of the national cyberspace. A pictorial view of the national cyberspace is shown below:

Figure: National Cyberspace

The digital ecosystem elements (blobs) give a visual representation of the national cyberspace from a usage and ownership perspective (who uses, owns, provides, manages and controls what). Ownership, management and control of elements of the digital ecosystem are important criteria to assess the trustworthiness and risk associated with the elements, specifically from the perspective of external threats.

Decomposing the Ecosystem

The business and digital ecosystems of CSEs are highly complex and continually evolving. However, for ease of understanding, they can be decomposed into the following four levels:

  • Governance
  • Business
  • Technology
  • Physical

The pictorial ecosystem is further decomposed into these four levels, each of which is described in greater detail below.

Tip

Entities are encouraged to print out the blank diagrams and populate them with their own ecosystem elements (collaborators, suppliers, service providers, auditors, certification bodies, regulators etc), and the information infrastructure components of their digital systems (web portals, backend ERP, CRM, HR, email systems, subscriptions & support providers etc). The resulting pictorial representations can be used to establish a common understanding amongst all the stakeholders.

Governance Level

The governance level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Governance Level Ecosystem

Enterprises and organisations are successful in the long run only when they have a strong and capable governance mechanism at the top-most level. CSEs, additionally, have to adhere to the regulatory, administrative and legal compliances that are mandated for their respective sectors.

Many small and mid-sized CSEs do not have in-house expertise and competence to design, implement, operate, manage and support a Governance, Risk and Compliance (GRC) program and would depend on external consultancy organisations for the same. Highly regulated sectors like Banking and Financial Services have a well-developed ecosystem of GRC consultancy organisations, certification and audit bodies. Regulators of other critical sectors like Power and Telecom are also developing GRC focused ecosystems for their respective entities. The NCIIPC-QCI Scheme for Consultancy Organisations has two GRC-specific workheads, namely WH-1 and WH-4. The CSEs can use the services of accredited Consultancy Organisations for these Work Heads. The regulators can use the Scheme for development of GRC ecosystems for their respective sectors.

Business Level

The business level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Business Level Ecosystem

Every CSE performs a set of business and/ or industrial functions to provide services and/ or capabilities to the consumers. The functions, services and capabilities are typically delivered through business and/ or industrial systems. Almost all the business and industrial systems leverage technology, platforms and digital infrastructure for delivery of the functions, services and capabilities.

One of the core responsibilities of a CSE’s top and senior management is to evaluate, direct and monitor the digital transformation initiatives. Large scale and complex digital transformation of business systems is usually undertaken by consulting and technology firms with expertise across business strategy, technology integration, automation, AI, cloud, sector and industry-specific experience.

Digital transformation initiatives introduce a variety of challenges, threats and risks during both lifecycle stages, acquisition and operation. Some of the important risks that business level stakeholders must understand and manage are:

  • System integrity and trustworthiness risks triggered by gaps in the digitalisation of business processes and controls. For example, a weak implementation of segregation of duties (SoD) can lead to fraud, misuse or malicious manipulation of information.
  • Data confidentiality and privacy risks triggered by misconfiguration of roles and permissions assigned to human users and automation agents.
  • Cybersecurity risks triggered by an expanded attack surface, and by exposing legacy systems to new attack vectors opened up via integration.
  • Vendor and supply chain risks related to technology products and services, and dependency on a multitude of third-party vendors.
  • Operational risks triggered by the lack of digital skills in both users and the technical workforce that operates, manages, maintains and secures the digital systems.

Business level stakeholders seek information, guidance and support from the process and technology experts on how to i) implement robust governance, audit and compliance mechanisms, ii) protect the business systems from being harmed, iii) continuously monitor and detect unauthorised and malicious activities within the business systems, and iv) respond to and recover from unauthorised and malicious actions that impact the integrity, confidentiality and trustworthiness of business systems.

Technology Level

Business systems are composed of software applications and services that run on a digital infrastructure. The digital infrastructure and systems are managed and secured by the technology level stakeholders. The technology level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Technology Level Ecosystem

Generally, the executive, senior and mid-level managers of CSEs have a good grasp and understanding of the business complexities and are able to handle them well. However, the complexities of technology and digital infrastructure are not well understood by them, and handling these is left to the CIOs, CISOs and their teams. In many cases the technical and project teams adopt a technology-first approach, which can lead to misalignment between the business needs and the use of digital ecosystem technologies.

Important

A key objective of this documentation is to specifically help organisations reduce or eliminate the misalignment between business and technical perspectives.

Many small and mid-sized CSEs have limited in-house expertise and competence to design, implement, operate, manage, support and secure their digital infrastructure. Usually, this work is carried out by their OEMs, System Integrators and other service providers. Thus, these third-party suppliers become an extended workforce of the entities. Automation agents and bots further provide a hugely scalable non-human workforce that can supplement the limited human workforce. However, the CSEs need competent technical personnel within their extended workforce to manage and secure the agents and bots.

Entities must ensure that their entire composite workforce, comprising own employees, contracted manpower, and third-party suppliers, has the required competence (knowledge, skills and expertise) to carry out its job functions efficiently and effectively. Entities are encouraged to use the NCIIPC-QCI Schemes for Cybersecurity Professionals, Consultancy Organisations and Training Bodies to assess the competencies and capabilities of their composite workforce. The identified gaps in competencies must be filled by the concerned HR teams through resource hiring, training and certification.

CSEs are mandated to adopt the guidelines and directives from national nodal agencies like NCIIPC and CERT-In. They also have well-defined reporting obligations to these agencies. The regulators and national nodal agencies also have an important role related to third-party cybersecurity audits of CSE’s information infrastructure. VAPT and audits carried out by CERT-In empanelled auditors, risk assessments carried out by NCIIPC and special audits carried out under the aegis of the NCSC, together provide vital insights about the cyber resilience of a CSE’s digital infrastructure.

Note

Mid-level and senior management of many CSEs believe that six-monthly external VAPT and audits are sufficient by themselves and that the CSEs need not carry out their own internal VTR assessments and audits more often. This aspect is further analysed in other parts of the documentation.

Physical Level

The physical level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Physical Level Ecosystem

CSEs are usually required to adhere to specific mandates for physical security, access control and 24x7 monitoring of their critical infrastructure. Typically, in many CSEs, IIoT technologies like digital access control and CCTV systems are used for securing the physical space. However, these systems are often not under the ambit of the more competent technical teams under the CIO and CISO. The top management of CSEs must therefore involve their IT and cybersecurity teams in the design, implementation, operation, protection and monitoring of their physical security systems.

Chapter XI of the Central Electricity Authority (CEA) draft regulations gives specific directions to Responsible Entities of the Power sector on the physical security of all identified cyber and non-cyber critical assets.

Many of the physical processes controlled by OT systems have the potential to create hazardous situations to human life and safety, property, and the environment. Health, Safety and Environment (HSE) is a framework of actions that organisations having OT must take to ensure the protection of the environment without harming the health and safety of their employees or local communities. Manufacturers, implementers, operators, maintainers and regulators of OT systems typically give the highest priority to HSE at the physical level.

There are several types of safety systems related to OT environments, which typically use instrumentation systems that operate at the physical level for activities like emergency shut down (ESD), process safety shutdown (PSS), and fire and gas systems (FGS). One of the more well-known types of safety system is the safety instrumented system (SIS).

Note

Bundling of OT safety and IIoT systems under the physical level has its own pros and cons. CSEs should exercise their discretion whether this approach is relevant to the organisation.

Common Vocabulary

The glossary of terms and definitions provides a common vocabulary that all stakeholders can understand and use. The glossary is divided into the following sub-sections, to align with the ecosystem levels:

  • Conceptual terms
  • Governance terms
  • Business terms
  • Technology terms
  • Other terms

The common vocabulary helps to avoid misunderstanding between the stakeholders. As an example, the terms “cyber incident”, “cyber security incident” and “cyber security breach” are often used interchangeably. However, the use of these terms must be based on their definitions given in sections 2(g), 2(h) and 2(i) of G.S.R 20(E) - Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

The common vocabulary also provides a very effective way for interactions amongst the stakeholders across the four levels. Technical terms are best used within the Technology level. However, when the outcome of technical analysis has to be conveyed to the stakeholders at the Governance and Business levels, the technical teams must use appropriate terms like business functions, business impact, risk, compliance, protection from harm and so on.