How safe is India’s critical national infrastructure?
Now composing the study note.
1. At a Glance
- India's critical infrastructure (power, water, banking, telecom, transport, defence, healthcare) is increasingly digitised via IoT, automation and AI, which improves efficiency but widens the attack surface for remote cyber disruption [S5].
- The nodal legal-institutional response is the National Critical Information Infrastructure Protection Centre (NCIIPC), created under Sec. 70A, IT Act 2000 [S1].
- UPSC relevance: tests GS-III (internal security, cybersecurity, disaster management) and GS-II (governance/regulatory bodies).
- Static topic — no recent trigger; the Hindu article (27 May 2026) is an explainer piece, not a report of an actual breach [S5].
2. Why in the News
- Static topic — no recent trigger. The referenced article is an analytical/explainer piece on vulnerabilities from IoT-linked critical infrastructure rather than coverage of a specific attack [S5].
- Government data shows a sharp rise in cybersecurity incidents: from 10.29 lakh (2022) to 22.68 lakh (2024), keeping the issue in policy discourse [S3].
3. Background & Evolution
- 2000: Information Technology Act enacted; later amended (2008) to insert Section 70A, providing statutory basis for critical information infrastructure (CII) protection [S1].
- 16 January 2014: NCIIPC formally notified via gazette notification, functioning as a unit of the National Technical Research Organisation (NTRO), under the Prime Minister's Office (PMO) [S1].
- 2004: Indian Computer Emergency Response Team (CERT-In) established as the national nodal agency for cybersecurity incident response (background body distinct from NCIIPC) [S3].
- April 2023: Sector-specific CSIRT-Power (Computer Security Incident Response Team – Power) inaugurated for the power sector [S3].
- 2025: Draft Central Electricity Authority (Cyber Security in Power Sector) Regulations, 2025 under finalisation — a dedicated regulatory framework for power-sector cyber resilience [S3].
4. Core Static Facts
| Item | Detail |
|---|---|
| Definition of CII | "Computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety" — IT Act, 2000 [S1] |
| Nodal agency | NCIIPC (National Critical Information Infrastructure Protection Centre) [S1] |
| Enabling provision | Section 70A, IT Act 2000 (amended 2008) [S1] |
| Parent body | NTRO, reporting to PMO [S1] |
| Established | 16 January 2014 [S1] |
| Helpline | Toll-free 1800-11-4430 (24x7 Help Desk) [S1] |
| Sister agency | CERT-In — coordinates national-level cyber incident response [S1] |
| Sectors covered | Energy, finance, telecom, transport, government, defence, health, etc. [S1] |
| Power-sector CERT | CSIRT-Power, launched April 2023 [S3] |
| Cybersecurity audits | Over 9,700 CERT-In audits conducted in 2024–25; 200 empanelled auditing organisations [S3] |
| Budget allocation | ₹782 crore for cybersecurity in Union Budget 2025–26 [S3] |
| Grid audit status | 30 of 35 State Load Despatch Centres completed VAPT (Vulnerability Assessment & Penetration Testing) audits in past 5 years (as of March 2024) [S3] |
| Incident trend | Cybersecurity incidents rose from 10.29 lakh (2022) to 22.68 lakh (2024) [S3] |
5. Multi-Dimensional Analysis
Economic - Disruption of power, banking, or fuel-distribution networks can cascade into supply-chain and market instability, given the interlinkage of services like electricity, banking and transport [S5]. - Budgetary allocation (₹782 crore, 2025–26) reflects rising fiscal commitment to cyber-resilience [S3].
Geopolitical/Strategic - Critical infrastructure is a prime target for state-sponsored actors and hybrid warfare; sectors like defence, energy and telecom carry direct national-security stakes [S1].
Legal/Constitutional - Statutory backbone is Section 70A of the IT Act, 2000, which empowers the government to declare any computer resource "protected system" and designate CII [S1].
Scientific/Technological - IoT, automation and AI have improved monitoring and control of infrastructure but also created new attack vectors via previously isolated Operational Technology (OT) systems now linked to IT networks [S5].
Administrative/Governance - Multiple overlapping agencies (NCIIPC, CERT-In, sector-CERTs like CSIRT-Power) — coordination and last-mile audit compliance (e.g., 5 of 35 State Load Despatch Centres pending VAPT) remain implementation gaps [S3].
6. Recent Developments (last 12-18 months)
- 2024–25: CERT-In conducted over 9,700 cybersecurity audits across critical sectors [S3].
- 2025: Draft CEA (Cyber Security in Power Sector) Regulations, 2025 finalisation underway [S3].
- Union Budget 2025–26: ₹782 crore allocated for cybersecurity [S3].
- March 2024: Status update — 30/35 State Load Despatch Centres VAPT-compliant [S3].
- 27 May 2026: The Hindu published an explainer on IoT-driven vulnerabilities in critical infrastructure, reiterating the need for a stronger policy framework [S5].
7. Prelims Hooks
- NCIIPC was created under Section 70A of the IT Act, 2000 (amended 2008) [S1].
- NCIIPC was notified on 16 January 2014 [S1].
- NCIIPC functions as a unit of NTRO, under the PMO — not MeitY or MHA [S1].
- NCIIPC's 24x7 helpline number is 1800-11-4430 [S1].
- CERT-In (not NCIIPC) is India's nodal agency for cyber incident response generally [S1].
- CSIRT-Power, a sector-specific CERT for the power sector, was inaugurated in April 2023 [S3].
- No cyberattack has been officially reported to have disrupted actual power grid operations in India, per government statements [S3].
- Union Budget 2025–26 allocated ₹782 crore for cybersecurity [S3].
- Cybersecurity incidents rose from 10.29 lakh (2022) to 22.68 lakh (2024) [S3].
- As of March 2024, 30 of 35 State Load Despatch Centres had completed VAPT audits in the preceding 5 years [S3].
- CERT-In has empanelled 200 organisations for cybersecurity audits [S3].
- The Draft CEA (Cyber Security in Power Sector) Regulations, 2025 are meant to create a dedicated cybersecurity framework for the power sector [S3].
8. Mains Relevance
- GS-III: Internal Security — "Role of external state and non-state actors in creating challenges to internal security"; "Basics of cyber security"; Disaster Management linkages.
- GS-II: Governance — institutional mechanisms/regulatory bodies for infrastructure protection.
- Possible question stems: 1. "Discuss the vulnerabilities introduced by digitisation (IoT, AI, automation) in India's critical infrastructure. Suggest a comprehensive policy framework to mitigate these risks." (GS-III) 2. "Examine the institutional architecture for protecting India's Critical Information Infrastructure. How adequate is the coordination between NCIIPC, CERT-In and sector-specific CERTs?" (GS-II/III) 3. "Critical infrastructure protection is as much a governance challenge as a technological one. Comment with reference to India's power sector." (GS-III)
9. Related Topics to Study Next
- CERT-In and Information Technology Act, 2000/2008 — the overarching statutory-institutional cybersecurity framework.
- National Cyber Security Policy/Strategy — broader policy context beyond CII.
- Internet of Things (IoT) and Industrial Control Systems (SCADA) security — technical vulnerability discussed in the article.
- Disaster Management Act, 2005 — parallel framework for infrastructure-related disruptions.
- Data Protection (DPDP Act, 2023) — related digital governance/security legislation.
- National Technical Research Organisation (NTRO) — parent body of NCIIPC.
- Power sector reforms and grid resilience — CSIRT-Power, CEA regulations.
- Cyber warfare and hybrid threats in international relations — geopolitical dimension.
10. Common Errors / Trap Areas
- Confusing NCIIPC (CII protection, under NTRO/PMO) with CERT-In (general incident response, under MeitY) — they are distinct bodies with distinct mandates [S1].
- Misattributing NCIIPC's parent ministry as MeitY or MHA instead of PMO (via NTRO) [S1].
- Assuming a power-grid cyberattack has actually occurred in India — government statements explicitly deny any reported operational disruption [S3].
- Confusing CSIRT-Power (sector-specific, power sector, 2023) with CERT-In (national-level, 2004) [S3].
- Treating the IT Act's CII protection provision as a standalone Act — it is Section 70A of the IT Act, 2000, not a separate statute.
11. Sources
- [S1] National Critical Information Infrastructure Protection Centre, Government of India — https://nciipc.gov.in/index.html — (tier: 1)
- [S3] Government Strengthens Cybersecurity Across Critical Sectors; Over 9,700 CERT-In Audits Conducted in 2024–25 — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148943 — (tier: 1)
- [S3] Cybersecurity of Power Grids — https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2043154 — (tier: 1)
- [S3] Strengthening Cybersecurity in Power Sector — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2202421®=3&lang=1 — (tier: 1)
- [S5] How safe is India's critical national infrastructure? — The Hindu (27 May 2026) — https://www.thehindu.com/todays-paper/2026-05-27/th_international/articleGROG1I6NS-14730657.ece — (tier: 4)