Chapter 1

Ecosystem

25 Sep 2025

External Context

The interconnected and digitalised world requires a constant alignment of an enterprise’s mission, objectives, and functions with the larger context of the national, regional, and sectoral ecosystem in which the enterprise or organisation operates. The external context of an entity includes the customers/ users of an entity’s services, as well as its suppliers, service providers, auditors and supporting agencies. In the case of regulated entities and CSEs, the national bodies, viz. the government, regulators, nodal agencies, and other authorities, are important stakeholders/ interested parties, having legal, regulatory, oversight and advisory responsibilities over the entities.

Business and Digital Ecosystems

In modern business, it is very rare that a CSE operates in isolation. CSEs engage with their customers and users, suppliers and service providers, regulators and national nodal agencies, and in the case of PSUs, their administrative ministries. The CSEs and their business partners use a variety of business systems to provide and use services, and to process and exchange information within their respective organisations and across the business ecosystem.

The business systems of an entity are conceptual or logical systems. In practice, the business processes and information flows of business systems are enabled by technology through digital transformation initiatives. The resulting digital systems comprise ICT infrastructure, software platforms, applications and data repositories that the CSE’s workforce and automation engines use to carry out the CSE’s business functions. CSEs interact with their users, customers, partners, service providers and national bodies through the larger digital ecosystem.

The business and digital ecosystems of a CSE in the Indian context are pictorially shown below:

Figure: Federated Digital Ecosystem

Each organisation in the digital ecosystem is responsible for its own IT and information security. The organisations must however be aware of and responsive to the information security needs of other participating entities within the federated ecosystem, and comply with directions, guidelines and standards prescribed by law, regulation, and mandates of nodal agencies. Every organisation in the complex, federated ecosystem is ultimately responsible for carrying out due diligence, not only about its own information security but also with respect to all parties in its external context.

The National Cyberspace

The digital ecosystem is a manifestation of the national cyberspace. A pictorial view of the national cyberspace is shown below:

Figure: National Cyberspace

The digital ecosystem elements (blobs) give a visual representation of the national cyberspace from a usage and ownership perspective (who uses, owns, provides, manages and controls what). Ownership, management and control of elements of the digital ecosystem are important criteria to assess the trustworthiness and risk associated with the elements, specifically from the perspective of external threats.

Decomposing the Ecosystem

The business and digital ecosystems of CSEs are highly complex and continually evolving. However, for ease of understanding, they can be decomposed into the following four levels:

  • Governance
  • Business
  • Technology
  • Physical

The pictorial ecosystem is further decomposed into these four levels and each level is described in greater detail below.

Tip

Entities are encouraged to print out the blank diagrams and populate them with their own ecosystem elements (collaborators, suppliers, service providers, auditors, certification bodies, regulators etc), and the information infrastructure components of their digital systems (web portals, backend ERP, CRM, HR, email systems, subscriptions & support providers etc). The resulting pictorial representations can be used to establish a common understanding amongst all the stakeholders.

Governance Level

The governance level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Governance Level Ecosystem

Enterprises and organisations are successful in the long run only when they have a strong and capable governance mechanism at the top-most level. CSEs additionally have to adhere to the regulatory, administrative and legal compliances that are mandated for their respective sectors.

Many small and mid-sized CSEs do not have in-house expertise and competence to design, implement, operate, manage and support a Governance, Risk and Compliance (GRC) program and would depend on external consultancy organisations for the same. Highly regulated sectors like Banking and Financial Services have a well-developed ecosystem of GRC consultancy organisations, certification and audit bodies. Regulators of other critical sectors like Power and Telecom are also developing GRC focused ecosystems for their respective entities. The NCIIPC-QCI Scheme for Consultancy Organisations has two GRC-specific workheads, namely WH-1 and WH-4. The CSEs can use the services of accredited Consultancy Organisations for these Work Heads. The regulators can use the Scheme for development of GRC ecosystems for their respective sectors.

Business Level

The business level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Business Level Ecosystem

Every CSE performs a set of business and/ or industrial functions to provide services and/ or capabilities to the consumers. The functions, services and capabilities are typically delivered through business and/ or industrial systems. Almost all the business and industrial systems leverage technology, platforms and digital infrastructure for delivery of the functions, services and capabilities.

One of the core responsibilities of a CSE’s top and senior management is to evaluate, direct and monitor the digital transformation initiatives. Large scale and complex digital transformation of business systems is usually undertaken by consulting and technology firms with expertise across business strategy, technology integration, automation, AI, cloud, sector and industry-specific experience.

Digital transformation initiatives introduce a variety of challenges, threats and risks during both lifecycle stages, acquisition and operation. Some of the important risks that business level stakeholders must understand and manage are:

  • System integrity and trustworthiness risks triggered by gaps in the digitalisation of business processes and controls. For example, a weak implementation of segregation of duties (SoD) can lead to fraud, misuse or malicious manipulation of information.
  • Data confidentiality and privacy risks triggered by misconfiguration of roles and permissions assigned to human users and automation agents.
  • Cybersecurity risks triggered by an expanded attack surface, and by exposing legacy systems to new attack vectors opened up via integration.
  • Vendor and supply chain risks related to technology products and services, and dependency on a multitude of third-party vendors.
  • Operational risks triggered by the lack of digital skills in both users and the technical workforce that operates, manages, maintains and secures the digital systems.

Business level stakeholders seek information, guidance and support from the process and technology experts on how to:

  • implement robust governance, audit and compliance mechanisms;
  • protect the business systems from being harmed;
  • continuously monitor and detect unauthorised and malicious activities within the business systems; and
  • respond to and recover from unauthorised and malicious actions that impact the integrity, confidentiality and trustworthiness of business systems.

Technology Level

Business systems are composed of software applications and services that run on a digital infrastructure. The digital infrastructure and systems are managed and secured by the technology level stakeholders. The technology level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Technology Level Ecosystem

Generally, the executive, senior and mid-level managers of CSEs have a good grasp of the business complexities and are able to handle them well. However, the complexities of technology and digital infrastructure are not well understood by them, and it is left to the CIOs, CISOs and their teams to handle these. In many cases the technical and project teams adopt a technology-first approach, which can lead to misalignment between the business needs and the use of digital ecosystem technologies.

Important

A key objective of this documentation is to specifically help organisations reduce or eliminate the misalignment between business and technical perspectives.

Many small and mid-sized CSEs have limited in-house expertise and competence to design, implement, operate, manage, support and secure their digital infrastructure. Usually, this work is carried out by their OEMs, System Integrators and other service providers. Thus, these third-party suppliers become an extended workforce of the entities. Automation agents and bots further provide a hugely scalable non-human workforce that can supplement the limited human workforce. However, the CSEs need competent technical personnel within their extended workforce to manage and secure the agents and bots.

Entities must ensure that their entire composite workforce, comprising their own employees, contracted manpower, and third-party suppliers, has the required competence (knowledge, skills and expertise) to carry out its job functions efficiently and effectively. Entities are encouraged to use the NCIIPC-QCI Schemes for Cybersecurity Professionals, Consultancy Organisations and Training Bodies to assess the competencies and capabilities of their composite workforce. The identified gaps in competencies must be filled by the concerned HR teams through resource hiring, training and certification.

CSEs are mandated to adopt the guidelines and directives from national nodal agencies like NCIIPC and CERT-In. They also have well-defined reporting obligations to these agencies. The regulators and national nodal agencies also have an important role related to third-party cybersecurity audits of CSE’s information infrastructure. VAPT and audits carried out by CERT-In empanelled auditors, risk assessments carried out by NCIIPC and special audits carried out under the aegis of the NCSC, together provide vital insights about the cyber resilience of a CSE’s digital infrastructure.

Note

Mid-level and senior management of many CSEs believe that six-monthly external VAPT and audits are sufficient by themselves and that the CSEs need not carry out their own internal VTR assessments and audits more often. This aspect is further analysed in other parts of the documentation.

Physical Level

The physical level ecosystem of a CSE in the Indian context is pictorially shown below:

Figure: Physical Level Ecosystem

CSEs are usually required to adhere to specific mandates for physical security, access control and 24x7 monitoring of their critical infrastructure. Typically, in many CSEs, IIoT technologies like digital access control and CCTV systems are used for securing the physical space. However, these systems are not under the ambit of the more competent technical teams under the CIO and CISO. The top management of CSEs must therefore involve their IT and cybersecurity teams in the design, implementation, operation, protection and monitoring of their physical security systems.

Chapter XI of the Central Electricity Authority (CEA) draft regulations gives specific directions to Responsible Entities of the Power sector on the physical security of all identified cyber and non-cyber critical assets.

Many of the physical processes controlled by OT systems have the potential to create hazardous situations for human life and safety, property, and the environment. Health, Safety and Environment (HSE) is a framework of actions that organisations having OT must take to protect the environment while safeguarding the health and safety of their employees and local communities. Manufacturers, implementers, operators, maintainers and regulators of OT systems typically give the highest priority to HSE at the physical level.

There are several types of safety systems in OT environments, which typically use instrumentation systems operating at the physical level for activities like emergency shutdown (ESD), process safety shutdown (PSS), and fire and gas systems (FGS). One of the more well-known types of safety system is the safety instrumented system (SIS).

Note

Bundling of OT safety and IIoT systems under the physical level has its own pros and cons. CSEs should exercise their discretion whether this approach is relevant to the organisation.

Common Vocabulary

The glossary of terms and definitions provides a common vocabulary that all stakeholders can understand and use. The glossary is divided into the following sub-sections, to align with the ecosystem levels:

  • Conceptual terms
  • Governance terms
  • Business terms
  • Technology terms
  • Other terms

The common vocabulary helps to avoid misunderstanding between the stakeholders. As an example, the terms “cyber incident”, “cyber security incident” and “cyber security breach” are often used interchangeably. However, the use of these terms must be based on their definitions given in sections 2(g), 2(h) and 2(i) of G.S.R 20(E) - Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

The common vocabulary also provides a very effective way for interactions amongst the stakeholders across the four levels. Technical terms are best used within the Technology level. However, when the outcome of technical analysis has to be conveyed to the stakeholders at the Governance and Business levels, the technical teams must use appropriate terms like business functions, business impact, risk, compliance, protection from harm and so on.


Capability Framework

The capability framework for the nation’s digital ecosystem describes the people, processes and technology related capabilities in a manner that is agnostic of specific products and solutions. It enunciates the IT and information security capabilities that the digital ecosystem participants should acquire, maintain, and continually improve so as to achieve their objective of cyber resilience. It also describes how organisations can ensure the effective use and sustenance of IT and information security capabilities through a lifecycle approach.

The target audience for the capability framework includes:

  • Business and GRC Heads, CIOs, Heads of OT, CISOs and their respective teams within CSEs.

  • Sectoral Regulators, who are mandated to oversee and ensure the cyber resilience of business and IT practices in their regulated entities.

  • Consultancy Organisations, System Integrators, OEMs, MSPs and MSSPs engaged by the CSEs.

  • Empanelled bodies, who carry out cyber security verification & validation (V&V), VAPT and technical audit of systems and networks of CSEs.

Governing bodies and top management of entities (through the Technology Strategy and Perspective Planning Group, the IT, OT and Information Security Divisions) can use this guidance to use, secure and sustain their IT for delivery of business functions, operations, and services.

Smart, Resilient and Sustainable Digital Ecosystem

In the current information age, data and communication technologies along with smart devices are deeply integrated into almost all aspects of our lives. The nation today runs on well-orchestrated and integrated IT and is therefore critically dependent upon the cyberspace and its underlying infrastructure (systems, networks, applications and data). Hence, it is vital that the Indian cyberspace is secure and protected against cyber-attacks that could jeopardise the benefits it offers to national security, economic prosperity, governance, constitutional processes, and social well-being.

The integration of IT at the sectoral, regional, and national levels will only increase in future. Hence, at the national level, there is need to develop capabilities for a smart, resilient, and sustainable digital ecosystem. These terms are described below.

  • Smart: describes the high levels of automation, analytics and decision support capabilities that are enabled by the use of IT. Smart technologies can significantly improve the functioning, performance and resilience of the digital ecosystem. In the context of information and cyber security, these capabilities are typically achieved by the use of intelligent devices, analytics, AI and machine learning for preventing, protecting against, detecting and responding to cyber-attacks on IT and OT.

  • Resilient: describes the ability of the business and digital ecosystems not only to withstand large scale attacks and mitigate their destructive power, but also to recover from a successful attack in the shortest possible time with minimal damage or disruption. It is a key component of business and organisational needs and is achieved through well-designed operating procedures, processes, and practices.

  • Sustainable: describes the ability of the CSEs and the nation as a whole to use and sustain IT for delivery of national critical functions and business services efficiently and effectively over a long period of time that extends into decades. It can be achieved through a combination of institutional structures, people, policies, and governance, risk, and compliance (GRC) mechanisms.

Terms

The following terms establish a common vocabulary for communication of capabilities, objectives, activities and outcomes. They may be used within the organisations, from the executive level to the operations level, and with external stakeholders for business and technology level communication.

Information Technology (IT) capability is described as an organisation’s ability to identify IT business needs, to deploy IT to improve business processes in a cost-effective manner, and to provide long-term maintenance and support for IT-based systems.

Information Security (IS) capability is defined as “an organisation’s ability to carry out a set of inter-related cybersecurity functions to secure, protect, defend and sustain its mission and business functions that run on underlying IT and OT infrastructure in the cyberspace”.

Cyber resilience is a key outcome expected from a full-fledged capability development program. A smart, resilient, and sustainable digital ecosystem is achieved at the national level only when all the stakeholders achieve a minimum level of cyber resilience through their individual capability development initiatives.

Functions represent sets of management and technical activities that organisations must carry out daily or periodically to achieve their cyber resilience objectives. The objectives are described using action-verbs defined below. Organisations can implement the functions through institutionalised practices and processes that must be carried out by the workforce, enabled by technology and tools.

Management Objectives and Activities

The action verbs describing the five management objectives are Govern & Administer, Acquire & Provision, Operate & Maintain, Analyse & Investigate, and Train & Enable. Activities to achieve the management objectives are usually owned, managed and carried out by different units and departments across the organisation.

Technical Objectives and Activities

The action verbs describing the five technical objectives are Identify, Protect, Detect, Respond and Recover. Activities to achieve the technical objectives are usually owned, managed and carried out by the IT, OT, IIoT and IS workforce of the organisation.

The technical objectives are derived from NIST CSF, and the guidelines issued by multiple regulators and national agencies. There are minor variations in the definitions of the action-verbs by these different bodies, which can lead to confusion and misunderstanding in conversations between the practitioners of different guidelines. Hence, it is suggested that the definitions given in this document be used as the base for generic discussions.

Description of Functions

A diagrammatic representation of the technical and management functions is given below.

Figure: Cybersecurity functions

The individual functions are further described below.

Note

The scope of each function in this document is kept short and focused, specifically to avoid overwhelming non-technical users.

Identify

This technical function addresses the need for organisations to identify things of value that need to be secured and protected from harm. The key practices and processes under this function are:

  • Asset lifecycle management: Identify and catalogue all the business and digital systems of the organisation, their physical and virtual assets, both in-store and in-use, across their lifecycle from acquisition till decommissioning.

  • Information and data lifecycle management: Identify and catalogue all the business and technical information, data and documentation of the organisation, along with parameters that help define their sensitivity, organisational value, ownership, restrictions etc, across the lifecycle from creation till disposal.

  • Identity lifecycle management: Identify all individuals, machines, devices, systems and applications along with their functions, roles, privileges, credentials, and access rights (to assets, information, data and documents) across the active lifecycle from onboarding till retirement.

The Identify function is a continuously running activity and needs regular review and update. The data managed through this activity is used by all other functions and is therefore a fundamental pillar of the framework. Automation of data collation and analysis activities under this function would be extremely useful to organisations, depending upon their size, budget, and risk profile.

Protect

This technical function addresses the need for organisations to establish and maintain robust defences by continuously searching for, discovering and acting upon vulnerabilities and weaknesses. A robust defensive action minimises the vulnerabilities and weaknesses and reduces the possibility of their exploitation by threat actors. The key processes under this function are:

  • Protection of in-store and in-use assets spanning across geographies of the organisation’s operational structure. This is typically achieved through hardening of in-use systems, networks, applications, databases, and other components of the information infrastructure.

  • Protection of data (at rest, in transit, in use) to achieve confidentiality, integrity and availability.

  • Protection of identities of people, machines and devices.

  • Protection of physical premises and safety of OT and IIoT systems.

A layered defence for business and digital systems with adequate monitoring and reporting is essential for achieving protection from a large variety of attack vectors. This requires a lifecycle approach that incorporates secure by design, secure in implementation and secure during operation. Custom-developed systems and software must additionally be secure during manufacture/ development.

Detect

This technical function addresses the need for organisations to continuously observe, monitor, analyse, detect and classify threats emanating from anomalous events, activities, incidents, user behaviours, policy violations, infrastructure weaknesses, bypass of security controls, failures of security processes etc.

Continuous monitoring, analysis and detection of Indicators of Compromise (IoCs) and Indicators of Attacks (IoAs) is possible only through a proper collection and management of logs and other artefacts generated by the digital ecosystem.

The detect function at the organisation level must provide its observations to the central agencies for sectoral and national level situational awareness of potentially malicious activities in the national cyberspace.

Note

Information security continuous monitoring (ISCM) is the process of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions. A robust ISCM program enables organisations to move from compliance-driven risk management to data-driven risk management that is based on collection, collation, analysis, and review of security-related information from every ICT device in the organisation.

Respond

This technical function addresses the need for organisations to act upon detected cyber incidents and cyber-attacks and respond to the same in order to contain/ mitigate their adverse impact.

Effectiveness of the Incident Response (IR) strategies is based on prior planning, having clearly earmarked responsibilities/ actions, and periodic testing of standard operating procedures (SOPs).

National agencies have an important role of supporting the CSEs in their response to debilitating, high impact cyber-attacks.

Recover

This technical function addresses the need for organisations to rapidly restore the business, IT and OT functions and/ or services that were impaired due to cyber-attack. This function is deemed to be successfully achieved when the services are restored with consistent data and the process is completed within the mandated “Time to Recovery”.

Tip

Recovery from debilitating (high impact) ransomware attacks calls for well-designed and properly executed practices and processes for immutable backup, business continuity and disaster recovery.

Incident analysis of breaches and cyberattacks on CSEs is essential, not only for rapid recovery within the affected CSEs but also for prevention of similar attacks on other organisations. National agencies have an important role to play in this regard and should implement mechanisms to ensure availability of essential logs (evidence) for carrying out necessary analysis. Automation of evidence recording by the technical functions is critical for rapid and effective incident handling.

Entities should also endeavour to maintain a voluntary information security sharing policy to enable broader cyber security awareness. Further, lessons from such information shared by other entities must be carefully perused to evaluate their influence on internal cyber security functions.

Govern & Administer

This management function requires organisations to develop policies, practices and oversight mechanisms for governance and administration of people, processes, and systems on a day-to-day and periodic basis. It is based on establishing and maintaining an enterprise cybersecurity program and an ISMS that provides governance, planning, and operations support to the organisation’s cybersecurity activities. It includes practices and processes for planning and design of applicable guidelines and cyber security policies for the cyber-governance program and identification of risk to formulate mitigation strategy. Audit and compliance requirements are also covered under this function.

Acquire & Provision

This management function requires organisations to develop policies, practices and oversight mechanisms for acquisition and provisioning of trustworthy systems. It is primarily focused on conceptualisation, design, acquisition, and engineering of secure and trustworthy systems through a project-driven approach. It also includes supply chain risk management, covering systems, software, services, and workforce resources.

Regulators and national nodal agencies have a role in shaping policies, practices and guidelines for CSEs, specifically for acquisition of their critical systems, processes, services, and workforce. National initiatives for trusted supply chains are under design for supporting the CSEs through regulatory mechanisms.

Operate & Maintain

This management function requires organisations to develop policies, practices and oversight mechanisms for secure operations and maintenance of systems. It covers the entire gamut of people, processes, systems, and services.

Many entities assign the IT security functions to their IT operations workforce, whose primary responsibilities are to ensure the functionality, availability and performance of digital systems. Organisations must assign the IT security responsibility to a separate IT security team, distinct from the IT operations team. The team must be given separate resources for operation and management of IT security functions.

Analyse & Investigate

This management function requires organisations to continually analyse threats and risks and design, develop, test, implement, analyse, and improve the functions, thereby improving the cyber resilience of the organisation. Threat modelling, performance measurement and evidence collection are essential for any analysis to be effective. The evidence collection should also support investigations that may be triggered by multiple events like cyber incident report, new acquisition, observations during internal / external VAPT etc.

Train & Enable

This management function requires organisations to train the IT Operations, IT Security and Cybersecurity workforce and other employees (users of IT services) in the technical and management functions applicable to them. Workforce enablement is achieved through the development of organisational culture in which the workforce is encouraged to operate as a team, be accountable and empowered to take decisions within their scope of responsibility and authority.

Application of Capability Framework

There is a generalised relationship between the five management functions and the broader capability framework:

  • The functions ‘Acquire & Provision’ and ‘Operate & Maintain’ represent the two major lifecycle stages of business and digital systems in CSEs. These functions will help the CSE to become “smart”, efficient and effective over time.

  • The functions ‘Analyse & Investigate’ and ‘Train & Enable’ will help enhance the CSE’s organisational culture for developing “resilience” through continuous improvement.

  • The ‘Govern & Administer’ function encompasses everything and enables the CSEs to have a long term “sustainability” approach.

Elements of Resilience and Sustainability

In general, cyber resilience is achievable through well-designed operating procedures, processes, and practices, while sustainability is achievable through a combination of institutional structures, people, policies, governance, risk, and compliance (GRC) mechanisms. High levels of cyber resilience and sustainability are largely achievable using technology and automation operated by skilled personnel. These are further described below.

Resilience Drivers

In the context of cybersecurity, resilience is usually achieved through:

  • a well-designed cyber secure architecture that incorporates the concepts of defence-in-depth and supports the processes and people responsible for its protection.

  • responsive operating practices and processes, such as:

    • keeping the defences and all possible attack routes under 24 x 7 watch (Logging, SOC).

    • responding quickly to anomalous activities that are observed by the SOC (IR).

    • rapidly carrying out defensive actions against materialised attacks (EDR, XDR, SOAR).

    • mitigating the impact of any successful penetration through the defences (CCMP, BCP).

  • a skilled and trained workforce, which is essential for successfully executing the operating processes.

Sustainability Drivers

In the context of cybersecurity, sustainability is usually achieved by:

  • having the right cybersecurity policies in place.

  • having smart mechanisms to monitor the effectiveness of implementation and operation of the policies on the ground.

  • fostering a culture of continuous improvement within the entities.

Strategic Program Management

Resilience and sustainability of IT and Information Security are strategic goals of organisations. Hence, they must be driven by the top leadership and management, who must take a long-term strategic view of both the use of IT to achieve business objectives and use of Information and Cyber Security to protect IT and business. Governing bodies and top leadership should assess whether they have adequate in-house capabilities to strategise on these two goals or they require external expertise to support their leaders and teams.

A smart, resilient, and sustainable digital ecosystem is achieved only when it is driven by the top leadership. It is a good practice to have a strategic oversight team that regularly consults, analyses and reports to the top management whether the organisation’s digital ecosystem sufficiently:

  • Enables and supports the business requirements.
  • Protects information and information infrastructure in cyberspace.
  • Minimises weaknesses, vulnerabilities and risks through defensive actions.
  • Detects failures and cyber exploits.
  • Responds rapidly and effectively to IT and cyber incidents.
  • Recovers quickly from disruptions and cyber-attacks with minimal damage.
  • Is governed, administered, engineered, operated, maintained and managed by a competent workforce, through institutionalised practices and processes, supported by technology, platforms and tools.

A right combination of people, processes, technology and governance is essential for organisations to leverage the digital ecosystem to accomplish the organisation’s mission, fulfil the legal and regulatory requirements, maintain the day-to-day functions, and protect the assets and individuals.

Capability Maturity Models

This is described in detail here.