How safe is India’s critical national infrastructure?

Now composing the study note.

1. At a Glance

2. Why in the News

3. Background & Evolution

4. Core Static Facts

Item Detail
Definition of CII "Computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety" — IT Act, 2000 [S1]
Nodal agency NCIIPC (National Critical Information Infrastructure Protection Centre) [S1]
Enabling provision Section 70A, IT Act 2000 (amended 2008) [S1]
Parent body NTRO, reporting to PMO [S1]
Established 16 January 2014 [S1]
Helpline Toll-free 1800-11-4430 (24x7 Help Desk) [S1]
Sister agency CERT-In — coordinates national-level cyber incident response [S1]
Sectors covered Energy, finance, telecom, transport, government, defence, health, etc. [S1]
Power-sector CERT CSIRT-Power, launched April 2023 [S3]
Cybersecurity audits Over 9,700 CERT-In audits conducted in 2024–25; 200 empanelled auditing organisations [S3]
Budget allocation ₹782 crore for cybersecurity in Union Budget 2025–26 [S3]
Grid audit status 30 of 35 State Load Despatch Centres completed VAPT (Vulnerability Assessment & Penetration Testing) audits in past 5 years (as of March 2024) [S3]
Incident trend Cybersecurity incidents rose from 10.29 lakh (2022) to 22.68 lakh (2024) [S3]

5. Multi-Dimensional Analysis

Economic - Disruption of power, banking, or fuel-distribution networks can cascade into supply-chain and market instability, given the interlinkage of services like electricity, banking and transport [S5]. - Budgetary allocation (₹782 crore, 2025–26) reflects rising fiscal commitment to cyber-resilience [S3].

Geopolitical/Strategic - Critical infrastructure is a prime target for state-sponsored actors and hybrid warfare; sectors like defence, energy and telecom carry direct national-security stakes [S1].

Legal/Constitutional - Statutory backbone is Section 70A of the IT Act, 2000, which empowers the government to declare any computer resource "protected system" and designate CII [S1].

Scientific/Technological - IoT, automation and AI have improved monitoring and control of infrastructure but also created new attack vectors via previously isolated Operational Technology (OT) systems now linked to IT networks [S5].

Administrative/Governance - Multiple overlapping agencies (NCIIPC, CERT-In, sector-CERTs like CSIRT-Power) — coordination and last-mile audit compliance (e.g., 5 of 35 State Load Despatch Centres pending VAPT) remain implementation gaps [S3].

6. Recent Developments (last 12-18 months)

7. Prelims Hooks

8. Mains Relevance

9. Related Topics to Study Next

10. Common Errors / Trap Areas

11. Sources