Keywords : Critical infrastructure protection, national resilience, governance architecture, cyber-physical security, institutional design, India, BNRE, BIPCARD, SOMA-RAS, Prahari, BNRI, BAP-I

1. Introduction: The National Security Imperative

Nations survive by protecting what sustains them. For centuries, that protection was understood primarily in military terms; armies defended borders, navies secured sea lanes, and intelligence services monitored adversaries. The twentieth century expanded this understanding to include internal stability; police forces-maintained order, paramilitary organisations secured territories under stress, and disaster management authorities responded to catastrophes. Most modern states-built institutions for both domains. India is among them. The armed forces, structured under the Ministry of Defence and directed by the Cabinet Committee on Security, protect the country from external aggression. Central armed police forces and state police, structured under the Ministry of Home Affairs, protect the country from internal disruption. Both pillars have dedicated ministries, dedicated forces, dedicated budgets, dedicated intelligence streams, and dedicated doctrines refined through decades of operational experience (Sarkesian et al., 2008; Lewis, 2006).

The twenty-first century has introduced a third domain of national vulnerability that fits within neither pillar. The infrastructure upon which both external defence and internal governance depend has become a target in its own right (Brunner & Suter, 2008; Brenner, 2011; Clarke, 2020). The targeting has grown deliberate, sophisticated, and persistent. State-sponsored cyber operations have penetrated power grid control systems in multiple countries. Ransomware campaigns have shut down hospitals and paralysed logistics networks. Supply-chain disruptions triggered by geopolitical coercion have crippled domestic industries and constrained strategic manufacturing across continents (Bennett, 2018; OECD, 2019). Hybrid warfare campaigns now exploit the seams between digital and physical systems; producing cascading failures that overwhelm emergency response capacity in ways that previous decades of security planning had not anticipated (NATO, 2019; Critical 5, 2024; Frum & Perle, 2004). Climate-induced disasters compound the picture; stressing the same infrastructure that cyber and physical attacks target, and generating multi-hazard scenarios that no single-domain response can manage (IPCC, 2022; UNDRR, 2023).

India has experienced this directly and repeatedly. The RedEcho-linked intrusion into power grid systems demonstrated that foreign state actors can position themselves inside civilian infrastructure during peacetime; the 2020 Mumbai grid incident brought the risk into public view (Rao, 2021). The Kudankulam nuclear facility breach attempt revealed that even the most secured installations face cyber-physical convergence threats that legacy security doctrines were not designed to anticipate. The AIIMS ransomware shutdown exposed the fragility of health infrastructure to criminal cyber operations; services at one of the country’s premier medical institutions were disrupted for weeks. Pandemic-era attacks on vaccine supply chains confirmed that adversaries target the systems upon which public welfare depends, precisely when those systems are under maximum stress (Dash, 2025, Jul. 1; Check Point Research, 2024).

Each of these incidents crossed the boundary between external and internal security. The threat originated abroad but the damage manifested domestically. The attack vector was digital but the impact was physical. The target was civilian but the strategic implication was national. In every case, no single institution possessed the mandate to govern the response across both domains; and the response was accordingly fragmented, delayed, and incomplete (Gibson, 2023; OECD, 2019).

This is the national security problem; a dilemma that must not be left unsolved any longer. India has institutions for external threats. India has institutions for internal threats. India has no institution, no law, no programme, no operational force, no measurement framework, and no doctrine for the domain that connects them both; the domain upon which both depend. This paper proposes the Bharat National Resilience Ecosystem (BNRE) as the doctrinal foundation for building India’s third national security pillar; the pillar that protects what both external defence and internal governance depend upon, and which neither currently governs (Dash, 2024; Dash, 2025, Jul. 1; Dash, 2025; B.A.P-I, (1); B.A.P-I, (8)).

 

2. The Missing Pillar: India’s Critical Infrastructure Governance Deficit

India’s governance architecture distributes critical infrastructure responsibilities across more than a dozen ministries, each operating under separate mandates with no statutory obligation to coordinate on resilience. The Ministry of Power governs the energy grid; the Ministry of Communications handles telecommunications; banking infrastructure falls under the Ministry of Finance; and health systems are administered by the Ministry of Health. MeitY houses both the National Critical Information Infrastructure Protection Centre (NCIIPC) and CERT-In for cyber protection of information infrastructure, while the Ministry of Home Affairs houses the National Disaster Management Authority (NDMA). Defence-linked installations remain under MoD’s jurisdiction. State governments manage local infrastructure under their own mandates. Private operators, who own or manage approximately sixty to seventy per cent of India’s critical assets through PPP or direct ownership, have operated under sector-specific regulations that vary considerably in stringency, scope, and enforcement (CEPS, 2010; Australian Government, 2019; BIS, 2023; CAG, 2022).

No single authority has ever possessed cross-sectoral jurisdiction over critical infrastructure as a whole. There is no statute mandating cross-sector resilience coordination; no operational force trained for compound cyber-physical infrastructure incidents; and no independent body auditing resilience performance across sectors. A quantitative index measuring national infrastructure resilience in a manner that carries statutory consequences has never been developed. Perhaps most tellingly, no doctrine has been articulated connecting infrastructure protection to national security strategy (NDMA, 2020; Critical 5, 2024; Dash, 2025, Jul. 1).

The consequences are predictable and recurrent. When disruption crosses sectoral boundaries, response is delayed by jurisdictional confusion. When threats combine cyber and physical vectors, no single agency owns the response. When cascading failures propagate from energy to transport to health to finance, the absence of interdependency mapping means that secondary and tertiary effects are discovered rather than anticipated (Rinaldi, Peerenboom, & Kelly, 2001; OECD, 2019; Petit & Verner, 2016). When private operators face sophisticated threats, the absence of mandatory intelligence sharing means they confront those threats with incomplete information. When states manage local infrastructure crises, the absence of standardised resilience protocols means that national coordination depends on ad hoc arrangements rather than institutional preparedness (Dash, 2024; Gibson, 2023).

The 2022 audit by the Comptroller and Auditor General of India identified multiple gaps in coordination, cyber-readiness, and incident-response protocols across infrastructure sectors (CAG, 2022). The IT Act of 2000 and its subsequent amendments provide cyber-offence definitions and CERT-In incident-reporting obligations, but they do not constitute a governance framework for infrastructure resilience. NCIIPC’s mandate covers critical information infrastructure only; physical infrastructure, supply chains, logistics networks, maritime assets, and the commercial-industrial complex fall outside its jurisdiction. NDMA governs disaster response but is not mandated to integrate cyber threats, hybrid operations, or infrastructure interdependency analysis into its planning frameworks (NDMA, 2020).

International comparators have addressed these gaps with varying degrees of institutional depth. The United States moved earliest; establishing the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security with cross-sector coordination and operational response mandates (USDHS, 2013; The White House, 2013; CISA, 2022). The European Union followed a legislative route; enacting the European Programme for Critical Infrastructure Protection (EPCIP) and subsequently the NIS2 Directive and the Critical Entities Resilience (CER) Directive, which mandated cross-border coordination, operator resilience obligations, and incident notification requirements (European Commission, 2008; European Commission, 2022; European Commission, 2023). Japan took a different approach altogether; its Basic Act on National Resilience embedded iterative post-disruption learning as a legal obligation, triggering automatic cross-ministerial review after each major disruption (Cabinet Office Japan, 2023). Australia had long operated the Trusted Information Sharing Network (TISN) for structured public-private intelligence exchange before strengthening its legislative framework through the Security of Critical Infrastructure (SOCI) Act (Australian Government, 2019; CISC Australia, 2025). Israel placed its National Cyber Directorate directly under the Prime Minister’s Office; a positioning that gave it cross-agency coordination authority from its inception (INCD, 2018). Singapore achieved high compliance rates through a focused statutory instrument; the Cybersecurity Act of 2018 imposed operator-specific obligations that left little room for discretionary non-compliance (CSA Singapore, 2020).

India has no equivalent to any of these. Its national security architecture has two legs. The argument of this paper is that it needs three (Dash, 2024; B.A.P-I, (1)).

 

3. The Doctrine: Bharat National Resilience Ecosystem (BNRE)

3.1 Conceptual Foundation

National resilience does not reside in any single institution, any single sector, or any single act of legislation. It emerges from the sustained interaction of governance systems, infrastructure networks, technological capabilities, industrial ecosystems, logistical architectures, disaster preparedness mechanisms, environmental adaptation capacity, innovation networks, and strategic partnerships operating as a single interconnected system (Linkov & Trump, 2019; Ganin et al., 2016; Rehak et al., 2020). When these components function in isolation, disruption in one domain cascades unchecked across others. When they function as an ecosystem, the failure of one component is absorbed, redistributed, and compensated by the adaptive response of the rest. That distinction; between fragmented protection and systemic resilience; is the foundational premise of the Bharat National Resilience Ecosystem.

The BNRE declares that the protection and resilience of India’s critical infrastructure is not a sectoral administrative function. It is a national security imperative of the same order as external defence and internal stability; requiring equivalent institutional depth, statutory authority, operational capacity, and doctrinal permanence. This conceptualisation draws on the ecosystem approach to resilience governance that has gained traction in international CIP scholarship, where infrastructure is understood not as a set of independent assets but as a system of systems whose collective behaviour determines national vulnerability (Rinaldi, Peerenboom, & Kelly, 2001; Bach et al., 2013; Chester et al., 2021). The BNRE adapts this approach to India’s specific conditions; its federal governance structure, its private-sector infrastructure ownership patterns, its twelve-cluster sectoral diversity, and its compound threat ecology spanning cyber, physical, hybrid, environmental, economic, and geopolitical vectors (Dash, 2024; Dash, 2025, Jul. 1; B.A.P-I, (8)).

The ecosystem concept has particular resonance for India because India’s infrastructure development trajectory differs fundamentally from the states whose CIP models are most frequently cited. The United States and European Union built their critical infrastructure over more than a century, adding cyber-digital layers to an already mature physical base. India is building physical and digital infrastructure simultaneously; its 5G networks are being deployed alongside new highway corridors, its smart city platforms are being launched before legacy urban infrastructure has been secured, and its digital payment systems have scaled faster than the cybersecurity architectures protecting them (BIS, 2023; CAG, 2022; ITU, 2020). This simultaneity creates compound vulnerability patterns that sequential-development models do not capture. The BNRE addresses this by treating physical and digital resilience as interdependent from the outset rather than as separate governance domains to be integrated later.

India’s demographic and geographic scale adds further complexity. Infrastructure serving 1.4 billion people across 28 states, 8 union territories, and extreme geographic diversity; from Himalayan border regions to island territories, from desert installations to coastal mega-cities; cannot be governed through a single uniform template. The BNRE’s Principle of Distributed Resilience addresses this directly; resilience must be generated at every governance level rather than commanded from the centre alone. The State CIP Coordination Cells, the Exclusive Zone Directorates, and SOMA’s monthly sectoral working groups are all institutional expressions of this scalar challenge (Dash, 2025, Jul. 1; Gade, 2018).

3.2 The Twelve-Cluster Architecture: BAP-I

The ecosystem operates through twelve interdependent strategic clusters identified under the BAP-I (Bharat Assets Protection Institute) framework. India’s NCIIPC currently designates seven sectors for critical information infrastructure protection. This paper argues that seven is insufficient for a national resilience doctrine. The BAP-I model identifies twelve clusters that more accurately capture India’s evolving infrastructural character, economic priorities, institutional diversity, and multi-vector threat environment (Dash, 2024; B.A.P-I, (1)):

β       Critical Sectors and Foundational Infrastructure: Energy, water, health, transport, finance, communications, and others as traditionally identified, listed, and notified by other countries as critical; the sectors whose continuous operation is indispensable for governance delivery and public welfare.

β       Logistics, Supply Chain, and Strategic Mobility: Secure movement of goods, services, resources, and strategic mobility networks; including the global and international supply chains to which Bharat is integrated and emerging as a major player, alongside warehousing, cold chains, last-mile delivery, and military logistics integration.

β       Blue-Water Infrastructure and Maritime Economy: Ports, coastal installations, offshore platforms, undersea cables, shipbuilding, maritime surveillance, and ocean-based economic resilience.

β       Research-to-Resilience Pipelines: Knowledge generation, R&D ecosystems, laboratory infrastructure, technology transfer mechanisms, and resilience-oriented technological development.

β       Indigenisation and Technology Sovereignty: Strategic autonomy through domestic semiconductor capability, rare earth processing, defence-industrial base, and critical technology ecosystems.

β       Business Innovation and Product Commercialisation: Translation of research and innovation into scalable industrial and commercial applications; startup ecosystems, incubation centres, research laboratories, research centres and institutes, and technology parks.

β       Corporate Governance and Social Security Linkages: Institutional accountability, ESG integration, fiscal governance, pension systems, insurance infrastructure, and social resilience mechanisms.

β       Global Partnerships and Overseas Infrastructure: International cooperation, strategic alliances, standards harmonisation, overseas Indian infrastructure interests, and resilient global value chains.

β       Digital Infrastructure and Critical Automation: AI systems, cloud platforms, 5G networks, SCADA and OT environments, IoT ecosystems, quantum computing infrastructure, and next-generation communication networks.

β       Disaster Dynamics and Eco-Protection: Climate adaptation, disaster risk reduction, environmental monitoring, ecological sustainability, and multi-hazard preparedness.

β       Internal Security Management and Strategic Resilience: Integrated security systems, forensic capabilities, hybrid threat management, border infrastructure, and critical asset protection.

β       Commercial-Industrial Complex: Strategic manufacturing, industrial parks, MSMEs, defence production corridors, and national productive capacity.

These clusters are not administrative divisions to be governed separately. They are ecosystem layers whose interaction determines whether India can absorb a compound crisis or be destabilised by it. The Dependency-Interdependency Matrix developed in the author’s doctoral research traces how vulnerabilities propagate through physical, cyber, geographic, logical, and organisational linkages binding these clusters into a single operational continuum (Dash, 2025, Jul. 1; B.A.P-I, (4)). The ecosystem is only as resilient as its weakest interdependency; and interdependencies cannot be governed by institutions that see only their own sector.

3.3 Three Doctrinal Principles

Three principles are proposed to govern the BNRE. Each has been designed to be institutionalised through a specific component of the architecture rather than left as an abstraction.

The Principle of Convergence. Threats to critical infrastructure have not arrived through single vectors for at least two decades. Cyber intrusions have coincided with physical sabotage. Supply-chain disruptions have compounded climate-induced degradation. State-sponsored operations have exploited the seams between digital systems and physical assets with increasing frequency and sophistication (NATO, 2020; Critical 5, 2024; Schotten et al., 2024). What the BNRE doctrine demands in response is that governance, coordination, intelligence, and operational capability treat converging threats as a single challenge; not as separate problems parcelled across separate ministries. BIPCARD’s placement under the NSC is the institutional expression of this principle; no single ministry could bridge external and internal security domains, so the directorate sits above both.

The Principle of Distributed Resilience. India’s federal structure, the private ownership of the majority of critical assets, the diversity of sectoral operating conditions, and the geographic spread of infrastructure systems have together made one thing clear: resilience cannot be commanded from the centre alone. It must be generated at every level simultaneously; national, state, district, operator, and community (OECD, 2019; Gibson, 2023; Gade, 2018). SOMA institutionalises this principle by creating the platform where sectoral operators, managers, authorities, and broader stakeholders coordinate horizontally rather than waiting for vertical directives that arrive too slowly during compound crises.

The Principle of Measured Accountability. International experience has demonstrated repeatedly that aspirational policy language without quantifiable benchmarks produces neither compliance nor improvement. Resilience frameworks in mature CIP systems have moved toward structured quantitative evaluation; tracking parameters such as redundancy levels, recovery time objectives, detection latency, and inter-agency protocol readiness (DOE-OE, 2008; ENISA, 2021; FEMA, 2016; Moteff, 2005). The BNRE requires that resilience be scored, audited, certified, and publicly reported through a mechanism that is structurally independent of the directorate setting standards. BNRI provides the measurement framework; RAS administers it independently. The separation was a deliberate design choice; not an administrative convenience.

 

4. The Law: BIP-CARE (Bharat Infrastructure Protection and Critical Assets Resilience Enactment)

India’s critical infrastructure governance currently operates through accumulated sectoral regulation rather than unified legislation. The IT Act of 2000 addresses cyber offences and incident reporting. The Disaster Management Act of 2005 establishes NDMA and state-level disaster management authorities. Sectoral regulators; CERC for energy, TRAI for telecom, RBI for banking, SEBI for financial markets, AERB for nuclear installations, DGCA for aviation; each issue sector-specific directives within their respective jurisdictions. None of these statutes mandates cross-sectoral resilience coordination. None empowers a single authority to enforce infrastructure protection standards across all sectors. None creates an obligation for private operators to participate in national resilience exercises or share vulnerability information with government (Dash, 2025, Jul. 1; Svendsen & Wolthusen, 2008; BIS, 2023).

BIP-CARE addresses this legislative vacuum. It would constitute the first unified statutory instrument for critical infrastructure protection and resilience in India; performing five legislative functions that no existing Indian statute has performed individually and that no combination of existing statutes has performed collectively.

BIP-CARE defines critical infrastructure across the twelve BAP-I sector clusters (Dash, 2024; B.A.P-I, (1)); pushing the protected perimeter well beyond the seven sectors currently recognised. Maritime systems, logistics networks, research pipelines, indigenisation ecosystems, digital automation, and the commercial-industrial complex would enter the protected perimeter for the first time.

The Act establishes BIPCARD as the apex governance directorate under the National Security Council; filling the institutional vacancy that has characterised India’s CIP governance since independence. It mandates resilience obligations for all operators above a defined asset-criticality threshold; transforming incident reporting, simulation participation, post-disruption learning protocols, and BNRI-linked performance accountability from voluntary practices into statutory requirements.

BIP-CARE constitutes SOMA as the mandatory coordination platform and RAS as the independent audit and assessment bureau; ensuring that multi-stakeholder coordination and measurable accountability are legally institutionalised rather than dependent on administrative discretion. The Act also authorises Prahari as the operational force with deployment jurisdiction across all critical sectors and exclusive zones (Dash, 2025, Dec. 25); giving the governance architecture the field-level operational capacity that has been conspicuously absent.

International precedent supports this legislative approach. The U.S. Critical Infrastructure Protection Act, the EU’s CER Directive, Australia’s SOCI Act, and Singapore’s Cybersecurity Act each provide unified statutory frameworks for infrastructure protection within their respective jurisdictions (USDHS, 2013; European Commission, 2023; Australian Government, 2019; CSA Singapore, 2020). BIP-CARE draws on these precedents while adapting to India’s federal structure, its twelve-cluster sectoral architecture, and the specific institutional requirements of the BNRE doctrine.

BIP-CARE is the foundation upon which every other component stands. Without it, BIPCARD has no mandate, SOMA has no obligation, RAS has no authority, Prahari has no jurisdiction, and BNRI has no enforcement mechanism.

 

5. The Programme: BIP-CARP (Bharat Infrastructure Protection and Critical Assets Resilience Programme)

Legislation creates authority. A programme creates capability. BIP-CARP converts the statutory framework of BIP-CARE into operational reality across India’s twelve critical sector clusters.

Where BIP-CARE defines what must be done, BIP-CARP specifies how; the timelines, the standards, the resource allocations, the simulation schedules, the compliance milestones, and the sector-specific resilience benchmarks that translate legislative mandates into institutional practice. India’s experience with well-intentioned legislation that remains substantially unimplemented for want of an operationalising programme confirms that statutory intent and operational impact are frequently disconnected (Howlett, Ramesh, & Perl, 2009; Bardach & Patashnik, 2020).

BIP-CARP is structured around a Three-Phase National Roadmap developed through the author’s research (Dash, 2026, Jan. 1):

Foundational Phase: Enactment of BIP-CARE; establishment of BIPCARD under the NSC; constitution of SOMA and RAS; initial deployment of Prahari; development of baseline resilience indicators; national sector identification and asset-criticality classification across all twelve BAP-I clusters; establishment of State CIP Coordination Cells and the Intelligence Fusion Centre.

Expansion Phase: Development of a National Dependency Mapping System; implementation of Interdependency Modelling Frameworks across all clusters; deployment of AI-enabled monitoring and predictive risk assessment systems; expansion of cyber-OT convergence capabilities; nationwide simulation infrastructure; first full-cycle BNRI assessment; Prahari expansion to all exclusive zones; operationalisation of cross-sector joint exercises through SOMA.

Maturity Phase: Full integration of BNRI into routine governance with statutory consequences; establishment of predictive resilience governance mechanisms; institutionalisation of continuous resilience assessment and post-disruption learning; expansion of Indo-Pacific and international resilience cooperation frameworks; achievement of measurable BNRI score improvement across all twelve clusters.

Each phase builds the institutional and operational foundations for the next. No phase is terminal; the ecosystem continues to evolve as threats evolve, as technology transforms, and as institutional learning accumulates (B.A.P-I, (4); B.A.P-I, (8)).

BIP-CARP also embeds the financial architecture for resilience; dedicated funding mechanisms, resilience bonds, PPP-based investment models, tax-linked compliance incentives, and catastrophe financing instruments. Resilience without sustained funding collapses into periodic crisis response. BIP-CARP ensures the fiscal machinery sustains the institutional machinery over the long term.

 

6. The Directorate: BIPCARD (Bharat Infrastructures Protection and Critical Assets Resilience Directorate)

India has a ministry for external threats. India has a ministry for internal threats. India has no institution for the domain between them. BIPCARD fills that vacancy.

6.1 Institutional Positioning

BIPCARD is the apex governance directorate; reporting directly to the National Security Council rather than to any single ministry. This placement is doctrinal, not administrative. Critical infrastructure threats originate externally and manifest internally; a state-sponsored cyber intrusion launches from abroad and disables domestic power systems. They cross ministerial boundaries by nature; a pandemic disrupts health infrastructure, logistics, digital systems, and financial services simultaneously. An institution housed within MHA would lack jurisdiction over defence-linked infrastructure. An institution housed within MoD would lack jurisdiction over civilian systems. An institution housed within MeitY would lack jurisdiction over physical assets. Only an institution placed under the NSC possesses the jurisdictional reach to coordinate across all ministries without being subordinated to any (The White House, 2013; NATO, 2019; Dash, 2024).

The National Security Advisor would serve as the institutional link between BIPCARD and the Cabinet Committee on Security. No ministry owns BIPCARD; the NSC mandates it. This follows the institutional logic of Israel’s National Cyber Directorate, which sits under the Prime Minister’s Office with cross-agency authority (INCD, 2018); and of CISA in the United States, which operates under DHS with cross-sector coordination mandates (CISA, 2022).

6.2 Governance Function

BIPCARD would govern but not operate. It would set resilience standards across the twelve BAP-I clusters without running infrastructure itself. It would coordinate crisis response without replacing sectoral emergency protocols. Intelligence from RAW (external), IB (internal), NTRO (technical), CERT-In (cyber), and DIA (military) would be integrated into a unified CIP threat-assessment feed; though BIPCARD would not conduct intelligence operations of its own. It would direct Prahari’s deployment without absorbing Prahari into its administrative structure. The distinction between governance and operations has been built into the design deliberately; BIPCARD functions as the brain of the architecture, not its hands.

6.3 Sub-structures

Five sub-structures provide institutional reach:

β       Inter-Ministerial CIP Committee. Chaired by BIPCARD; membership includes secretaries of all relevant ministries (MHA, MoD, MeitY, Power, Communications, Finance, Health, Transport, Petroleum, Commerce). Meets quarterly for policy alignment; convenes on emergency basis during crisis. Resolves jurisdictional overlaps and synchronises cross-ministerial budgetary priorities.

β       State CIP Coordination Cells. One per state and union territory; reporting dually to state government and BIPCARD. Manages state-level infrastructure mapping, local operator compliance, district-level disaster-CIP integration, and feeds ground-level intelligence upward. Addresses the federal asymmetry inherent in proposing a national model for a country where infrastructure governance is constitutionally distributed across centre and state jurisdictions (Dash, 2025, Jul. 1).

β       Intelligence Fusion Centre for CIP. Brings together external, internal, technical, cyber, and military intelligence into a single threat-assessment feed for infrastructure protection. Produces sector-specific advisories, real-time alerts during hybrid operations, and quarterly National CIP Threat Assessment reports. This is the intelligence bridge between external and internal security domains for infrastructure that currently does not exist in India’s institutional architecture.

β       Exclusive Zone Protection Directorates. Specialised governance units for domains that fall outside standard ministerial jurisdiction: defence installations and cantonments; nuclear facilities under AERB/DAE; maritime zones involving Navy, Coast Guard, and state maritime boards; Special Economic Zones with private governance structures; space and satellite infrastructure under DoS/ISRO; and border infrastructure under BSF/ITBP/SSB. Each Directorate operates under BIPCARD’s mandate with protocols adapted to the security classification, operational sensitivity, and jurisdictional complexity of its zone type (Dash, 2024; B.A.P-I, (1)).

β       BAP-I Sector Cluster Desks. Twelve dedicated desks; one per BAP-I cluster. Each desk is responsible for sector-specific resilience standards, threat monitoring, dependency tracking, and coordination with operators, regulators, and state cells within its cluster.

6.4 The Exclusive Zone Challenge

India’s infrastructure includes zones that fall outside standard ministerial jurisdiction; zones where civilian regulators have limited or no access, where security classifications restrict information sharing, and where overlapping institutional mandates create governance vacuums. These zones represent some of India’s most strategically significant infrastructure and simultaneously some of its most governance-deficient.

Defence infrastructure zones; cantonments, ordnance factories, strategic command installations, and defence production corridors; operate under MoD classification rules that exclude civilian oversight. Nuclear zones; power plants, fuel processing facilities, research reactors, and waste storage sites; fall under AERB and DAE jurisdiction with consequence thresholds so extreme that any resilience failure carries national-scale implications. Maritime exclusive zones involve overlapping jurisdiction between the Indian Navy, Coast Guard, Ministry of Shipping, state maritime boards, and port trusts; a coordination challenge that intensifies during compound crises involving both security threats and environmental hazards. Special Economic Zones operate under private governance structures with state regulatory gaps that leave infrastructure protection dependent on operator discretion. Space and satellite infrastructure; ISRO ground stations, satellite command facilities, and GPS networks; carry dual-use civilian-military character that complicates regulatory ownership. Border infrastructure; cross-border pipelines, frontier trade points, and strategic roads; involves BSF, ITBP, SSB, and civilian operators under conditions where threat assessment and infrastructure protection must function simultaneously (Dash, 2025, Jul. 1; B.A.P-I, (1)).

The Exclusive Zone Protection Directorates within BIPCARD address this challenge by providing dedicated governance units for each zone type; each operating under BIPCARD’s overarching mandate but with adapted protocols that respect classification requirements, operational sensitivity, and jurisdictional complexity. Prahari embedded units within each zone provide the operational presence that closes the governance-operations gap.

6.5 The Intelligence Fusion Function

India’s intelligence architecture for infrastructure protection is currently fragmented across agencies with distinct mandates and limited cross-feed mechanisms. RAW monitors external threats but has no institutional channel for communicating infrastructure-specific assessments to civilian operators. IB monitors internal threats but its focus is primarily political and terrorist rather than infrastructure-systemic. NTRO provides technical intelligence but its outputs do not feed into sectoral resilience planning. CERT-In receives cyber incident reports but lacks the mandate to integrate physical, environmental, and geopolitical threat dimensions. DIA provides military intelligence that rarely reaches civilian infrastructure governance (Dash, 2024; OECD, 2019).

The Intelligence Fusion Centre for CIP within BIPCARD brings these five streams into a single, infrastructure-specific threat assessment feed. The Centre produces quarterly National CIP Threat Assessments integrating external intelligence on state-sponsored operations, internal intelligence on domestic threat actors, technical intelligence on cyber vulnerabilities, cyber incident data from CERT-In, and military intelligence on threats to defence-linked infrastructure. During crisis activation, the Centre provides real-time threat briefs to BIPCARD’s crisis coordination mechanism and to SOMA’s joint operations mode. Sanitised versions are shared with private operators through SOMA; ensuring that the entities running India’s infrastructure have access to the threat intelligence they need to protect it.

This function does not exist in India’s current institutional architecture. It is perhaps the single most consequential operational innovation proposed in this paper; because without it, every other component of the architecture operates with incomplete threat information (B.A.P-I, (8)).

 

7. The Platform: SOMA (Sectoral Operators, Managers, and Authorities)

Command structures produce compliance. Coordination platforms produce capability. India’s critical infrastructure governance needs both; SOMA provides the second.

7.1 The Coordination Deficit

The protection of critical infrastructure involves stakeholders who do not answer to the same authority, do not operate under the same mandates, do not share the same incentive structures, and frequently do not communicate with one another until a crisis forces them to. Ministry secretaries govern policy. Sectoral regulators enforce sector-specific standards. State governments manage local implementation. Private operators run the actual infrastructure. Intelligence agencies possess threat information that operators need but rarely receive. Operators possess vulnerability information that government needs but rarely collects (USDHS, 2013; Australian Government, 2019; OECD, 2019).

India has convened ad hoc inter-ministerial groups for specific crises. It has established voluntary industry forums that meet periodically. None of these is permanent; none is mandatory; none integrates all stakeholder categories within a single platform with statutory authority. The U.S. ISACs (Information Sharing and Analysis Centers) and Australia’s TISN provide partial models for structured public-private coordination, but neither combines all four stakeholder categories (operators, managers, authorities, and broader stakeholders) within a single mandatory forum (USDHS, 2013; Australian Government, 2019).

7.2 SOMA’s Design

SOMA is the permanent multi-stakeholder coordination platform where four categories of participants sit as equals:

β       Sectoral Operators: Private and public entities that own, manage, or operate critical infrastructure across all twelve BAP-I clusters above the asset-criticality threshold defined by BIP-CARE.

β       Managers: State CIP Coordination Cell heads, district-level infrastructure managers, and PPP management entities who administer infrastructure at sub-national levels.

β       Authorities: Ministry secretaries, sectoral regulators (CERC, TRAI, RBI, SEBI, AERB, DGCA), NCIIPC, CERT-In, and NDMA who govern and regulate infrastructure.

β       Stakeholders: Intelligence community representatives (sanitised briefings), academia and research institutions (IITs, DRDO, CSIR, ISRO), industry associations (CII, FICCI, NASSCOM), and international liaison officers (Critical 5, Quad, Indo-Pacific partners).

 

Under BIP-CARE, participation is mandatory for all entities above the asset-criticality threshold. Quarterly plenary sessions bring all categories together. Monthly sectoral working groups address BAP-I cluster-specific coordination. Real-time crisis activation converts SOMA from coordination mode to joint operations mode during national infrastructure incidents. The annual National Infrastructure Resilience Simulation, mandated by BIP-CARE and administered through SOMA, tests the ecosystem’s collective capability under simulated compound-threat scenarios (Dash, 2024; B.A.P-I, (8)).

7.3 The Annual National Infrastructure Resilience Simulation

Among SOMA’s most consequential functions is the annual National Infrastructure Resilience Simulation; the largest regular test of the ecosystem’s collective capability. Mandated by BIP-CARE and administered through SOMA, the simulation brings together all four stakeholder categories in a structured exercise that tests cross-sector coordination, inter-agency communication, intelligence sharing protocols, and crisis decision-making under simulated compound-threat conditions.

The simulation is designed around realistic compound scenarios drawn from India’s documented threat experience and from international case evidence. A typical scenario might combine a state-sponsored cyber intrusion into energy grid SCADA systems with a simultaneous natural disaster affecting the same geographic region, supply-chain disruptions constraining emergency logistics, and disinformation campaigns targeting public confidence in government response capability. The scenario unfolds over a multi-day exercise in which participants must respond in real time; making decisions under incomplete information, coordinating across institutional boundaries, and managing cascading consequences as they develop (Dash, 2024; CISA, 2022; TRB & NRC, 2006).

The simulation tests not only operational response but institutional learning. After-action reviews are mandatory and are published through RAS. Findings feed directly into BIPCARD’s policy revision cycle, SOMA’s next quarterly coordination agenda, and Prahari’s training pipeline. International observers from partner nations may participate; contributing to India’s strategic positioning as a resilience governance leader in the Indo-Pacific region (B.A.P-I, (8); NATO, 2019).

No equivalent exercise currently exists in India. The closest precedents are CERT-In’s periodic cyber drills and NDMA’s disaster simulation exercises; but none combines cyber, physical, environmental, supply-chain, and information warfare dimensions within a single cross-sector exercise. The annual simulation fills this gap and provides the most visible demonstration of the BNRE’s operational coherence.

7.4 SOMA’s Digital Platform

Between sessions, SOMA operates through a secure digital communication platform that enables real-time information sharing across stakeholder categories. The platform hosts sanitised threat advisories from the Intelligence Fusion Centre, operator vulnerability notifications, sector-specific coordination channels, and a secure repository of after-action reviews, BNRI assessment data, and best-practice guidance. The platform is not a passive information portal; it is an active coordination tool that maintains the relationships SOMA builds during plenary sessions and working groups throughout the interval between meetings (Dash, 2025, Jul. 1; OECD, 2019).

 

8. The Auditor: RAS (Resilience Assessment and Synchronisation)

What cannot be measured cannot be governed. What is measured by the same body that sets the standards cannot be trusted. RAS solves both problems.

8.1 Independence as Design Principle

RAS is the independent audit and assessment bureau. Its independence from BIPCARD is structural and deliberate; the directorate that sets resilience standards must not be the same body that judges whether those standards are met. This separation is not procedural formality. It is the mechanism through which the entire architecture maintains credibility with private operators who must comply, state governments who must cooperate, international partners who must recognise India’s resilience claims, and the Indian public who must trust that their infrastructure is actually protected (Lincoln & Guba, 1985; OECD, 2019; Patton, 2015).

8.2 Functions

RAS performs six distinct functions:

β       BNRI Administration. Conducts the twelve-domain scoring framework across all BAP-I clusters; publishes sector-cluster and national BNRI scores annually (B.A.P-I, (4)).

β       Compliance Audit. Verifies operator adherence to BIP-CARE mandates through both scheduled and surprise audits.

β       Resilience Certification. Issues tiered certification aligned with the BNRI classification framework; from Strategic Resilience at the apex to Critical Risk at the base.

β       Incident Post-Mortem. Conducts independent post-disruption analysis within ninety days of any significant infrastructure failure; examining what failed, why cascading effects were or were not contained, and what institutional changes are required.

β       Annual National Resilience Report Card. A public document presenting national and sectoral BNRI scores, published for parliamentary scrutiny and public accountability.

β       Synchronisation. This function distinguishes RAS from a conventional audit bureau. RAS does not merely score and report. It ensures that every finding translates into institutional action. Sector weaknesses identified by RAS become SOMA’s next coordination priority. Operator non-compliance flagged by RAS triggers Prahari’s next audit deployment. Systemic patterns detected by RAS inform BIPCARD’s next policy revision. The assessment loop closes; every measurement produces action, and every action is subsequently measured again (Dash, 2026, Jan. 1; B.A.P-I, (4)).

8.3 The Synchronisation Mechanism in Detail

The synchronisation function deserves particular attention because it is what prevents RAS from becoming another paper-producing audit body whose reports gather dust on bureaucratic shelves. India’s governance history is replete with audit bodies whose findings are published, acknowledged, and then ignored. The CAG produces hundreds of audit reports annually; their implementation rate is widely recognised as inadequate. RAS is designed to avoid this fate through three structural safeguards (CAG, 2022; Dash, 2026, Jan. 1).

First, RAS findings are linked to mandatory institutional responses within defined timelines. When RAS identifies a sector weakness, BIPCARD is statutorily required to issue a remediation directive within sixty days. When RAS flags operator non-compliance, Prahari is mandated to conduct a verification audit within ninety days. When RAS detects systemic patterns across multiple sectors, SOMA is required to include the pattern as an agenda item in its next plenary session. These are not discretionary responses; they are BIP-CARE obligations.

Second, RAS’s annual National Resilience Report Card is presented to Parliament. This creates political accountability that bureaucratic reporting channels alone cannot generate. When a state’s BNRI score falls into the Vulnerable or Critical Risk category, the Report Card makes that fact public. Parliamentary scrutiny, media attention, and electoral accountability then generate pressure for remediation that internal governance mechanisms may lack the institutional power to produce.

Third, RAS benchmarks India’s BNRI against international resilience indices annually. This creates reputational accountability at the international level. India’s strategic ambitions; its candidacy for permanent UNSC membership, its leadership of the G20, its Indo-Pacific partnerships; all benefit from demonstrated resilience governance capability. A poor BNRI score, published internationally, carries diplomatic costs that no single ministry would wish to bear (B.A.P-I, (4); OECD, 2019).

 

9. The Force: Prahari

Governance without field presence is abstraction. Policy without operational capacity is documentation. Prahari makes the BNRE architecture real at the point where infrastructure meets threat.

9.1 The Operational Vacuum

External security has its force in the armed services. Internal security has its force in central police organisations. Critical infrastructure has had no equivalent. When a cyber-physical attack targets a power grid, no dedicated force responds with the compound skill set required; understanding both SCADA protocols and physical security, both digital forensics and emergency restoration, both intelligence assessment and field-level operational coordination. The response has historically fallen between CERT-In (cyber), state police (physical), NDMA (disaster), and the concerned sectoral operator; none mandated to lead, none trained for the compound scenario, and none accountable for the outcome across all domains (Dash, 2025, Jul. 1; Ani, He, & Tiwari, 2019).

9.2 Prahari’s Design

Prahari is proposed as the operational force within the BNRE architecture (Dash, 2025, Dec. 25). As advanced by BAP-I, Prahari would not be a single-service body. Its personnel are proposed to be drawn from defence, police, paramilitary, special forces, cyber security, disaster management, engineering, and private sector specialist pools; even including private security professionals, thereby cultivating a multi-domain expertise ecosystem for protection and resilience response that matches the multi-domain character of the threats it must confront. A hybrid attack on a power grid, for instance, requires responders who understand both SCADA systems and physical security protocols. A supply-chain disruption at a port requires personnel who understand logistics operations, maritime security, and cyber-physical convergence simultaneously. No single existing Indian service trains for these compound scenarios. The proposed Prahari; India’s critical infrastructure protection force; would be built to do so (Dash, 2025, Jul. 1).

9.3 Deployment Functions

Seven deployment functions structure Prahari’s operations:

1.          Field protection teams stationed at high-criticality infrastructure sites across all twelve BAP-I clusters.

2.          Cyber-physical rapid response units trained for converged hybrid scenarios; deployable within hours of crisis activation.

3.          Simulation and red-teaming teams conducting mandatory stress tests, war-gaming, and resilience exercises across sectors.

4.          Compliance verification teams supporting RAS through field-level audit execution and operator assessment.

5.          Exclusive zone embedded units operating within defence installations, nuclear facilities, maritime zones, SEZs, space infrastructure, and border systems; zones that no other civilian body can access.

6.          SOMA liaison officers embedded within the coordination platform to ensure intelligence flow between SOMA and field operations.

7.          State coordination officers posted to each State CIP Coordination Cell for national-state operational coherence.

Prahari will operate under BIPCARD’s mandate. It will implement what BIPCARD directs. It will execute what BIP-CARP programmes. It will support what RAS audits. It will protect what SOMA coordinates. India’s critical infrastructure has been unguarded not because threats were absent but because no Prahari was ever mandated to stand at the gate (Dash, 2025, Dec. 25; B.A.P-I, (1)).

9.4 Training and Operational Doctrine

Prahari’s multi-domain mandate requires a training architecture that no single existing Indian institution provides. Military academies train for kinetic threats. Police academies train for law enforcement. CERT-In provides cyber incident response training. NDMA trains for disaster management. None trains for the compound scenarios that define modern infrastructure threats; where a ransomware attack coincides with a physical sabotage attempt during a cyclone, or where a supply-chain disruption is exploited by adversaries to deepen a logistics crisis through targeted cyber operations.

Prahari’s training doctrine must therefore be built from the ground up. The proposed training pipeline would draw on three tiers. Foundational training at existing national institutions; the National Defence Academy for strategic and tactical fundamentals, NIELET and IITs for technical cyber-physical skills, and NDMA’s training institutes for disaster management competence. Specialised training through a dedicated Prahari Training Centre; focused on compound scenario simulation, SCADA and OT security operations, red-teaming methodology, infrastructure-specific threat assessment, and multi-agency coordination under crisis conditions. Continuous professional development through annual simulation cycles conducted within SOMA’s framework and through embedded deployments at actual infrastructure sites across all twelve BAP-I clusters.

The personnel model is equally distinctive. Rather than recruiting from a single service, Prahari is proposed to draw seconded officers from the armed forces (for strategic threat assessment and physical security), state and central police (for operational coordination and legal enforcement), CERT-In and NCIIPC alumni (for cyber-physical response), NDMA cadres (for disaster integration), and private sector specialists (for domain-specific technical expertise in energy, telecom, finance, logistics, and digital systems). This mosaic composition would mirror the mosaic character of the threats Prahari addresses. No single professional background produces the complete capability. The compound nature of the force reflects the compound nature of the challenge (Dash, 2025, Dec. 25; Ani, He, & Tiwari, 2019; Nickolov, 2005).

 

10. The Instrument: BNRI (Bharat National Resilience Index)

Resilience declared without measurement is aspiration. Resilience measured without consequence is bureaucracy. BNRI makes resilience both measurable and consequential.

10.1 Domain Structure

The Bharat National Resilience Index aggregates twelve domains into a single composite score weighted by sector-cluster risk profile (B.A.P-I, (4)):

Domain	Weight (%)	Strategic Rationale
Governance Capability	10	Institutional readiness, regulatory maturity, coordination capacity
Legal Readiness	5	Statutory framework completeness, enforcement capability
Physical Infrastructure Resilience	15	Redundancy, failover capacity, structural integrity
Cyber Security and OT Protection	15	Digital defence posture, SCADA security, threat detection
Disaster Preparedness	10	Multi-hazard readiness, climate adaptation, emergency protocols
Technology Sovereignty	10	Indigenous capability, strategic autonomy, critical technology base
Supply Chain Resilience	10	Supplier diversity, logistics continuity, import dependency management
Interdependency Management	10	Cross-sector mapping, cascade failure prevention, simulation capacity
Economic Continuity	5	Fiscal resilience, business continuity, economic recovery capacity
PPP Integration	5	Public-private collaboration depth, intelligence sharing maturity
Innovation Capacity	5	AI adoption, predictive analytics, adaptive technology deployment
Recovery Effectiveness	10	MTTR, service restoration speed, post-disruption learning

Physical infrastructure resilience and cyber security receive the highest individual weightings at fifteen per cent each; reflecting the research finding that these two domains bear the greatest cascading failure risk across India’s infrastructure ecosystem (Dash, 2025, Jul. 1; DOE-OE, 2008; ENISA, 2021).

10.2 Classification Framework

BNRI Score	Strategic Classification
90-100	Strategic Resilience
80-89	Highly Resilient
70-79	Resilient
60-69	Moderately Resilient
50-59	Vulnerable
Below 50	Critical Risk

Under BIP-CARE, BNRI scores carry statutory consequences. Operators scoring below defined thresholds face mandatory remediation timelines. Sectors classified as Vulnerable or Critical Risk trigger escalated BIPCARD intervention. State-level scores inform central resource allocation for infrastructure resilience funding. National scores are published annually in the National Resilience Report Card and presented to Parliament (Dash, 2026, Jan. 1; B.A.P-I, (4)).

BNRI is administered by RAS, not by BIPCARD. The body setting standards does not score compliance. This separation ensures that BNRI scores are credible to all stakeholders. BNRI is the number that tells India where it stands; RAS ensures the number tells the truth.

10.3 Weighting Rationale

The domain weightings are not arbitrary. They derive from the threat assessment and interdependency analysis conducted throughout the author’s research programme (Dash, 2025, Jul. 1; B.A.P-I, (4)).

Physical infrastructure resilience and cyber security receive the highest weightings because the empirical evidence consistently demonstrates that failures in these two domains carry the greatest cascading potential. The 2020 Mumbai grid incident, the AIIMS ransomware shutdown, and the Kudankulam breach attempt each originated in either physical or cyber vulnerabilities and propagated across multiple other domains within hours. When physical infrastructure fails, every dependent system; digital, financial, logistical, health; fails with it. When cyber security is breached, the digital control layers governing physical infrastructure become attack surfaces rather than defence mechanisms (Rinaldi, Peerenboom, & Kelly, 2001; Rao, 2021; Petit & Verner, 2016).

Governance capability, disaster preparedness, technology sovereignty, supply-chain resilience, interdependency management, and recovery capability each receive moderate weightings because they function as enabling systems. Their impact on resilience is real but mediated through other domains. Strong governance capability does not directly prevent a cyberattack; but it determines whether the institutional response to that cyberattack is coordinated or fragmented. Disaster preparedness does not prevent a cyclone; but it determines whether infrastructure recovery takes days or months. These are the domains that determine the system’s absorptive capacity rather than its resistance capacity (OECD, 2019; FEMA, 2016; Ganin et al., 2016).

Legal readiness, economic continuity, PPP integration, and innovation capacity receive the lowest individual weightings because their impact compounds over time rather than manifesting in immediate crisis performance. A strong legal framework does not prevent today’s attack; but it determines whether the governance architecture exists to prevent tomorrow’s. Innovation capacity does not restore today’s failed system; but it determines whether next-generation systems are designed with resilience embedded from the outset. These are structural enablers whose absence degrades the ecosystem slowly and whose presence strengthens it cumulatively (DOE-OE, 2008; ENISA, 2021; Linkov & Trump, 2019).

The weighting framework is not static. BIP-CARP’s Maturity Phase includes provision for periodic recalibration of BNRI weightings as India’s threat environment evolves, as new interdependencies emerge, and as operational experience from RAS assessments reveals which domains carry greater cascading significance than the initial calibration assumed (Dash, 2026, Jan. 1; B.A.P-I, (4)).

 

11. The Governance Loop

The architecture is not linear. It is circular; and the circularity is what makes it self-correcting and capable of evolving with time in response to threat evolution.

BIPCARD sets resilience standards across the twelve BAP-I clusters. Prahari implements those standards at the field level. RAS audits compliance and scores BNRI. RAS findings feed back to BIPCARD for policy revision. SOMA coordinates all stakeholders around the updated priorities. Prahari adjusts operational deployment. RAS measures again. The cycle continues (Dash, 2024; B.A.P-I, (8)).

Disruption accelerates the loop. BIPCARD activates crisis coordination. SOMA shifts to joint operations mode. Prahari deploys rapid response. After the crisis, RAS conducts post-disruption analysis within ninety days. Findings feed into BIPCARD’s next policy cycle and SOMA’s next coordination agenda. Lessons are absorbed institutionally; not lost to bureaucratic amnesia. Japan’s Basic Act on National Resilience provides the closest international precedent for this closed-loop approach, where post-disruption learning is a legal obligation rather than a discretionary practice (Cabinet Office Japan, 2023).

The loop never opens. Every finding produces institutional action. Every action is audited. Every audit informs policy. This is what distinguishes a resilience architecture from a protection programme. A protection programme reacts to what happened. A resilience architecture learns from what happened and reorganises to prevent recurrence. The governance loop is the mechanism through which learning becomes institutional rather than individual; permanent rather than episodic.

11.1 The Loop in Practice: A Compound Crisis Scenario

Consider a scenario that illustrates how the governance loop functions under stress. A state-sponsored cyber operation targets SCADA systems controlling a regional power grid in western India. The attack coincides with a monsoon-season cyclone that has damaged physical transmission infrastructure in the same region. Financial systems dependent on the power grid begin experiencing transaction failures. Hospital backup generators, already under load from the cyclone, face fuel supply disruptions as logistics networks are simultaneously affected.

Under India’s current institutional arrangements, this scenario produces jurisdictional paralysis. CERT-In handles the cyber dimension. NDMA handles the cyclone. The state power utility handles grid restoration. RBI and NPCI monitor financial system impacts. State disaster management authorities coordinate local relief. None is mandated to see the compound picture. None owns the cross-sector response.

Under the BNRE architecture, the response proceeds through the governance loop. BIPCARD’s Intelligence Fusion Centre detects the compound threat pattern through its integrated feed from NTRO (identifying the cyber intrusion’s external origin), CERT-In (confirming the SCADA compromise), and NDMA (tracking the cyclone impact). BIPCARD activates crisis coordination. SOMA shifts to joint operations mode; the regional power operator, state CIP cell, CERT-In, NDMA, financial regulators, logistics operators, and health infrastructure managers are brought into a single coordination frame within hours. Prahari’s cyber-physical rapid response unit deploys to the affected grid control centre while Prahari field teams coordinate with state authorities on physical infrastructure restoration. The crisis is managed as one event across all affected sectors rather than as four separate incidents handled by four separate agencies.

After the crisis, RAS conducts the mandatory ninety-day post-disruption analysis. It finds that the grid operator’s SCADA security scored below the BNRI threshold in the previous annual assessment; a finding that BIPCARD had flagged but the operator had not remediated within the mandated timeline. RAS publishes the finding. BIPCARD revises the compliance enforcement timeline for all Tier-A energy operators. SOMA’s next quarterly plenary includes a lessons-learned session from the incident. Prahari’s training pipeline incorporates the scenario into its simulation library. The BNRI scoring for the next annual assessment cycle includes updated indicators derived from the incident. The loop closes; and the system is measurably better prepared for the next compound event (Dash, 2024; Dash, 2026, Jan. 1; B.A.P-I, (4); B.A.P-I, (8)).

 

12. Comparative Positioning

No existing Indian institutional arrangement combines all seven functions (legislation, programme, governance, coordination, audit, operations, measurement) within one architecture. No single international model does either.

Model	Governance	Coordination	Independent Audit	Dedicated Force	Composite Index	Unified Legislation
CISA (USA)	Yes	Partial (ISACs)	No	No	No	CIPMA (partial)
EPCIP/NIS2 (EU)	Cross-border	Partial	Peer review	No	No	NIS2 + CER
NCSC/NPSA (UK)	Advisory	Forums	No	No	No	Partial
INCD (Israel)	Under PM	Limited	No	Partial	No	Partial
TISN (Australia)	Networked	Yes	Partial	No	No	SOCI Act
Basic Act (Japan)	Cross-ministry	Yes	Post-disruption review	No	No	Basic Act
BNRE (India)	BIPCARD	SOMA	RAS	Prahari	BNRI	BIP-CARE

The United States comes closest with CISA’s broad mandate, but lacks an independent audit body, a dedicated operational force, and a composite national resilience index. The European Union provides a strong legislative framework through NIS2 and CER but has no operational arm and no centralised measurement instrument. Japan embeds post-disruption learning as a legal obligation but has no dedicated CIP force. Australia’s TISN provides structured public-private coordination but operates within a voluntary framework that lacks the enforcement teeth of the proposed SOMA. Israel’s INCD sits under the PM’s office with cross-agency authority but is confined to cyber threats; physical, environmental, and supply-chain dimensions fall outside its scope (The White House, 2013; European Commission, 2023; Cabinet Office Japan, 2023; Australian Government, 2019; INCD, 2018).

The BNRE is the first model to integrate all seven functions across all threat domains within a single constitutional perch under a National Security Council. This is not a claim of superiority over more mature systems. It is a recognition that India’s specific conditions; its federal governance, its twelve-cluster sectoral diversity, its sixty-to-seventy per cent private infrastructure ownership, its exclusive zone complexities, its compound threat ecology; require an architecture that no existing model provides ready-made (Dash, 2024; B.A.P-I, (1); B.A.P-I, (8)).

12.1 Lessons from International Experience

Several operational lessons emerge from the comparative assessment that inform the BNRE’s design. The United States experience demonstrates that cross-sector coordination requires statutory backing; CISA’s effectiveness stems from its legal mandate rather than from voluntary inter-agency goodwill. The sector-specific risk management plans under NIPP provide a model for how the twelve BAP-I Sector Cluster Desks within BIPCARD should function (The White House, 2013; CISA, 2022).

The European experience demonstrates that cross-border resilience coordination is possible when legislative frameworks mandate it; the NIS2 Directive’s incident notification requirements and the CER Directive’s operator resilience obligations provide templates for BIP-CARE’s compliance architecture (European Commission, 2022; European Commission, 2023).

Japan’s experience demonstrates that post-disruption learning can be institutionalised as a legal obligation rather than left to administrative discretion; the Basic Act on National Resilience’s requirement for automatic post-disruption review provides the model for RAS’s mandatory ninety-day post-mortem function (Cabinet Office Japan, 2023).

Australia’s experience demonstrates that structured public-private intelligence sharing requires institutional permanence; the TISN’s long operational history confirms that ad hoc coordination arrangements atrophy over time while permanent platforms accumulate institutional trust. SOMA draws directly from this lesson (Australian Government, 2019; CISC Australia, 2025).

Israel’s experience demonstrates that placing the CIP governance body under the head of government rather than under a line ministry provides the jurisdictional reach necessary for cross-agency coordination; BIPCARD’s placement under the NSC follows this institutional logic (INCD, 2018).

Singapore’s experience demonstrates that small, focused statutory instruments can achieve high compliance rates; the Cybersecurity Act’s operator-specific obligations provide a model for how BIP-CARE’s compliance mandates should be structured (CSA Singapore, 2020).

None of these lessons is adopted wholesale. Each is adapted to India’s specific institutional, political, and operational conditions. The BNRE is comparative in its evidence base but indigenous in its institutional design (Dash, 2024; B.A.P-I, (1)).

 

13. Implementation Considerations

13.1 Political and Institutional Resistance

Any proposal to create a new apex body under the NSC will encounter resistance from ministries that currently exercise autonomous jurisdiction over their respective infrastructure sectors. The Ministry of Power may resist ceding resilience oversight to BIPCARD. MeitY may view the proposal as encroaching on NCIIPC’s mandate. MHA may perceive BIPCARD as competing with NDMA’s disaster management jurisdiction. These are not hypothetical objections; they are predictable institutional responses to any cross-cutting governance reform in India’s ministerial system (Howlett, Ramesh, & Perl, 2009).

The design of the BNRE architecture anticipates this resistance through three mechanisms. First, BIPCARD does not replace existing agencies; it coordinates them. NCIIPC continues to protect critical information infrastructure. NDMA continues to manage disaster response. Sectoral regulators continue to enforce sector-specific standards. BIPCARD adds a coordination layer; it does not subtract existing mandates. Second, SOMA gives every ministry a seat at the table; the Inter-Ministerial CIP Committee ensures that no secretary is excluded from the policy process. Third, BIP-CARE’s statutory basis means that the architecture is legislated rather than administrative; making it harder to dismantle through ministerial manoeuvring.

13.2 Federal Coordination

India’s federal structure means that many critical infrastructure assets fall under state jurisdiction. Power distribution is a state subject. Water supply is administered locally. Land-use decisions that affect infrastructure siting are state prerogatives. State police forces are the first responders to most infrastructure incidents. Any national CIP architecture must therefore navigate the centre-state relationship with care (Dash, 2025, Jul. 1).

The State CIP Coordination Cells within BIPCARD’s structure address this through dual reporting; each cell reports to both the state government and BIPCARD. This preserves state autonomy on operational matters while ensuring national coherence on standards, intelligence sharing, and crisis coordination. The model draws from the institutional design of State Disaster Management Authorities under the DM Act 2005; which similarly operate under both state and national mandates (NDMA, 2020).

13.3 Private Sector Engagement

The fact that sixty to seventy per cent of India’s critical infrastructure is privately owned or operated under PPP models means that the BNRE’s effectiveness depends fundamentally on private sector cooperation. This cooperation cannot be voluntary. International experience consistently demonstrates that voluntary compliance regimes in infrastructure protection produce patchy adherence, inconsistent reporting, and governance gaps precisely where risk is highest (CEPS, 2010; Australian Government, 2019; OECD, 2019).

BIP-CARE addresses this through mandatory participation above the asset-criticality threshold. But mandate alone does not produce cooperation; it produces compliance at minimum cost. SOMA’s design addresses the deeper challenge by creating a platform where private operators receive tangible value; sanitised threat intelligence, joint simulation participation, access to government planning priorities, and peer learning from other operators. The incentive structure shifts from pure compliance to mutual benefit. Resilience financing mechanisms within BIP-CARP, including tax incentives for operators meeting BNRI benchmarks, further align private commercial interest with national resilience objectives.

13.4 Resource and Capacity Requirements

The BNRE architecture requires substantial investment in human capital, technological infrastructure, and institutional capacity. Prahari’s multi-domain personnel model demands a training pipeline that does not currently exist. BIPCARD’s Intelligence Fusion Centre requires secure communication systems, cleared analysts, and data-sharing protocols across agencies with different classification cultures. RAS’s BNRI administration requires a cadre of assessors with cross-sectoral technical expertise. SOMA’s secure digital platform requires investment in communications infrastructure that enables real-time information sharing across stakeholder categories.

The Three-Phase National Roadmap within BIP-CARP sequences these investments to match institutional absorptive capacity. The Foundational Phase focuses on legislative and organisational establishment. The Expansion Phase builds technological and operational capacity. The Maturity Phase institutionalises continuous assessment and international integration. This sequencing ensures that the architecture does not attempt to build everything simultaneously; a common failure mode in governance reform that results in institutional overload and implementation paralysis (Dash, 2026, Jan. 1; B.A.P-I, (4)).

 

14. Doctrinal Positioning: The Third Pillar of National Security

India’s national security rests on three pillars. Two exist. One does not.

Pillar	Strategic Direction	Governance	Coordination	Audit	Force	Measurement
External Security	CCS/NSC	MoD/MEA	Service HQ	Defence audit	Armed Forces	Readiness indices
Internal Security	CCS/NSC	MHA	State-Centre	NHRC/Judicial	CRPF/BSF/Police	Security indices
Critical Infrastructure	NSC	BIPCARD	SOMA	RAS	Prahari	BNRI

The third pillar is what this doctrine builds. It does not propose a single reform or a single institution. It proposes an interconnected governance ecosystem in which law (BIP-CARE), programme design (BIP-CARP), governance direction (BIPCARD), multi-stakeholder coordination (SOMA), independent accountability (RAS), operational force (Prahari), and quantitative measurement (BNRI) function as interdependent components of a single national resilience doctrine operating under the overarching philosophy of the Bharat National Resilience Ecosystem (Dash, 2024; B.A.P-I, (1); B.A.P-I, (4); B.A.P-I, (8)).

The cultural naming grounds the architecture in Indian identity. SOMA-RAS draws from Sanskrit; Soma is the nectar that sustains, Ras is the essence that measures. Prahari carries the weight of the sentinel tradition. BIPCARD, BIP-CARE, and BIP-CARP form a unified naming family. BNRI and BNRE carry the national prefix. The architecture is not imported. It is built from comparative learning but constructed for Indian conditions; India’s federal structure, its sectoral diversity, its private-sector infrastructure ownership patterns, its exclusive zone complexities, its intelligence architecture, and its specific threat ecology.

 

15. International Implications and Exportability

The BNRE doctrine, while designed for India’s specific conditions, carries implications for the broader international discourse on critical infrastructure protection; particularly for developing nations in the Global South that confront similar structural challenges.

Most existing CIP models were designed by and for advanced industrial democracies with mature regulatory institutions, well-resourced governance systems, and relatively homogeneous administrative structures. The United States, European Union, Japan, and Australia built their CIP architectures upon institutional foundations that had been strengthened over decades of peacetime governance evolution. Developing nations; including India’s neighbours in South Asia, partner nations in Southeast Asia and Africa, and strategic partners across the Indo-Pacific; face a different challenge. They must build CIP governance while simultaneously building the infrastructure itself, often under conditions of resource constraint, institutional fragmentation, and acute hybrid threat exposure (OECD, 2019; UNDRR, 2023; Critical 5, 2024).

The BNRE’s design accounts for these conditions in ways that established Western models do not. The twelve-cluster BAP-I framework captures sectoral realities; including logistics, maritime, indigenisation, and commercial-industrial domains; that are peripheral in models designed for post-industrial economies but central to developing ones. The three-phase roadmap sequences institutional development to match absorptive capacity rather than assuming pre-existing governance maturity. The SOMA platform integrates private operators who own most of the infrastructure; a reality in PPP-dependent developing economies that European models, designed around public-utility traditions, do not fully address. The governance loop’s self-correcting mechanism provides a pathway for institutional learning in systems that lack the accumulated institutional memory of mature democracies.

The BNRE may therefore function not only as India’s national doctrine but as a reference architecture for similar jurisdictions. The Quad framework, the Indo-Pacific Economic Framework for Prosperity, and India’s bilateral partnerships with ASEAN, African Union, and Pacific Island states each include infrastructure resilience as a cooperation priority. A well-articulated Indian doctrine, operationalised domestically, would provide the institutional credibility necessary to export resilience governance models to partner nations facing comparable challenges (Dash, 2024; B.A.P-I, (8)).

This is not a secondary consideration. India’s strategic influence increasingly depends not only on military capability and economic weight but on its capacity to offer governance models that work in the conditions where most of the world’s population actually lives. The BNRE, if successfully implemented, becomes an exportable demonstration of how a large, federal, developing democracy can build integrated national resilience under conditions of complexity, resource constraint, and persistent hybrid threat exposure.

 

16. Conclusion

India built institutions for external security decades ago. India built institutions for internal security alongside them. The third pillar; the institutional architecture for the protection and resilience of critical infrastructure; remains unbuilt. The threats that demand it are not hypothetical. They are documented, recurring, and escalating. India’s infrastructure has been targeted by state-sponsored cyber operations, criminal ransomware campaigns, supply-chain coercion, and climate-induced compound disasters. Each incident confirmed the same structural deficit; fragmented governance, absent coordination, no operational force, no measurement, no doctrine.

The BNRE is the doctrine that builds the missing pillar. BIP-CARE is the law that gives the doctrine statutory force. BIP-CARP is the programme that operationalises the law through a phased national roadmap. BIPCARD is the directorate that governs from the apex; placed under the NSC to bridge external and internal security. SOMA is the platform that ensures every stakeholder category; operators, managers, authorities, and broader participants; sits at the table as equals. RAS is the bureau that measures resilience, audits compliance, and synchronises findings back into the governance cycle so that every assessment produces institutional action. Prahari is the force that makes governance tangible at the infrastructure site; the sentinel that stands where no force has stood before. BNRI is the instrument that quantifies; the number that tells India where it stands, administered independently so the number tells the truth.

The governance loop ensures that the system learns from what it encounters and reorganises to address what it discovers. Standards are set, implemented, audited, and revised in a continuous cycle that accelerates during crisis and persists during normalcy. No component functions alone; each depends on the others, and the architecture’s strength lies in its interdependence; the same principle it applies to the infrastructure it protects.

The three doctrinal principles; Convergence, Distributed Resilience, and Measured Accountability; translate into institutional realities rather than remaining as policy language. The twelve BAP-I clusters redefine what India must protect. The BNRI quantifies how well India protects it. The governance loop ensures that protection improves continuously rather than episodically. The cultural naming; SOMA-RAS, BIPCARD, Prahari; grounds the architecture in Indian identity while the comparative evidence base ensures international credibility.

The architecture is designed to evolve. The Three-Phase Roadmap sequences implementation over a trajectory that matches India’s institutional absorptive capacity. The BNRI’s weighting framework can be recalibrated as threat patterns shift. SOMA’s composition can expand as new stakeholder categories emerge. Prahari’s training pipeline can incorporate new capability domains as technology evolves. BIP-CARE’s provisions can be amended as operational experience accumulates. The BNRE is not a blueprint that assumes perfect foresight. It is a living doctrine that builds in the mechanisms for its own adaptation.

India’s external security institutions defend the nation from threats beyond its borders. India’s internal security institutions defend the nation from threats within its territory. The BNRE defends what both depend upon; the infrastructure, the systems, and the sectoral ecosystems without which neither external deterrence nor internal governance can function. The third pillar is overdue. This paper presents its blueprint, and the argument for building it grows more urgent with every compound crisis that India’s unprotected infrastructure is forced to absorb.

References

1.       Ani, U. D., He, H., & Tiwari, A. (2019, Feb. 4). Review of cybersecurity issues in industrial critical infrastructure: Manufacturing in perspective. Journal of Cyber Security Technology, 1(1), 32-74.

2.       Australian Government. (2019). Critical infrastructure resilience strategy. Department of Home Affairs.

3.       B.A.P-I. (1). Twelve strategic thematic stacks: Thematic research architecture for national resilience. Bharat Assets Protection Institute.

4.       B.A.P-I. (4). Bharat National Resilience Index: Calculation, weighting, and classification framework. Bharat Assets Protection Institute.

5.       B.A.P-I. (8). Integrated national resilience architecture: Ecosystem model for India’s critical infrastructure protection. Bharat Assets Protection Institute.

6.       Bach, C., Bouchon, S., Fekete, A., Birkmann, J., & Serre, D. (2013). Adding value to critical infrastructure research and disaster risk management. International Journal of Disaster Risk Reduction, 5, 70-80.

7.       Bardach, E., & Patashnik, E. M. (2020). A practical guide for policy analysis (6th ed.). CQ Press.

8.       Bennett, B. T. (2018). Understanding, assessing, and responding to terrorism (2nd ed.). Wiley.

9.       BIS. (2023). Information security management systems guidelines. Bureau of Indian Standards.

10.   Brenner, J. (2011, Sept. 6). America the vulnerable. Penguin Press.

11.   Brunner, E. M., & Suter, M. (2008, Jul.). International CIIP handbook 2008/2009. Center for Security Studies, ETH Zurich.

12.   Cabinet Office Japan. (2023, Sept. 12). Fundamental plan for national resilience. Government of Japan.

13.   CAG. (2022). Audit report on cybersecurity preparedness. Comptroller and Auditor General of India.

14.   CEPS. (2010). Bentham Institute report on protecting critical infrastructure. Centre for European Policy Studies.

15.   Check Point Research. (2024, Sept. 4). Cyber attack trends: 2024 mid-year report. Check Point Software Technologies.

16.   Chester, M., Markolf, S., & Allenby, B. (2021). Infrastructure and the environment in the Anthropocene. Journal of Industrial Ecology, 25(1), 1021-1031.

17.   CISA. (2022, Aug.). Cross-sector cybersecurity performance goals. Cybersecurity and Infrastructure Security Agency.

18.   CISC Australia. (2025, Apr.). Critical infrastructure security compliance report. Australian Government.

19.   Clarke, R. A. (2020). The fifth domain: Defending our country, our companies, and ourselves in the age of cyber threats. Penguin Press.

20.   Critical 5. (2024). Forging resilience in an era of hybrid threats. Critical Five Partnership.

21.   CSA Singapore. (2020). Singapore’s cybersecurity strategy. Cyber Security Agency of Singapore.

22.   Dash, P. (2024). Bharat Assets Protection Institute: Thematic research architecture for national resilience. B.A.P-I Working Paper Series.

23.   Dash, P. (2025). Towards institutionalising India’s critical infrastructure protection programme. Forum for Integrated National Security (FINS). https://finsindia.org/towards-institutionalising-india-critical-infrastructure-protection-programme.html

24.   Dash, P. (2025, Dec. 25). Prahari: An indigenous operational framework for India’s critical information infrastructure protection. Bharat Assets Protection Institute.

25.   Dash, P. (2025, Jul. 1). Critical infrastructure protection in India: Sectoral vulnerabilities and governance imperatives. B.A.P-I Policy Brief.

26.   Dash, P. (2025, Jul. 1). Towards a critical infrastructure protection programme for India: Reconceptualising sectoral priorities for strategic resilience and national security. Forum for Integrated National Security (FINS). https://finsindia.org/towards-a-critical-infrastructure-protection-programme-for-india-dr-padmalochan-dash.html

27.   Dash, P. (2026, Jan. 1). Three-phase national roadmap for India’s critical infrastructure resilience. B.A.P-I Strategic Document.

28.   DOE-OE. (2008). Roadmap to achieve energy delivery systems cybersecurity. U.S. Department of Energy.

29.   ENISA. (2021). ENISA threat landscape 2021. European Union Agency for Cybersecurity.

30.   European Commission. (2008). Council Directive 2008/114/EC on European critical infrastructures. Official Journal of the European Union.

31.   European Commission. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union.

32.   European Commission. (2023, Dec. 6). Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive). Official Journal of the European Union.

33.   FEMA. (2016). National disaster recovery framework (2nd ed.). U.S. Department of Homeland Security.

34.   Frum, D., & Perle, R. (2004). An end to evil: How to win the war on terror. Random House.

35.   Gade, R. N. (2018). Critical infrastructure protection: An Indian perspective. Journal of Defence Studies, 12(3), 45-68.

36.   Ganin, A. A., et al. (2016, Jan. 19). Operational resilience: Concepts, design and analysis. Scientific Reports, 6, 19540.

37.   Gibson, W. (2023, Jun. 13). Critical infrastructure protection: Global challenges and national responses. Journal of Infrastructure Security, 14(2), 112-138.

38.   Howlett, M., Ramesh, M., & Perl, A. (2009). Studying public policy (3rd ed.). Oxford University Press.

39.   INCD. (2018). Israel National Cyber Directorate: Operational framework. Prime Minister’s Office.

40.   IPCC. (2022). Climate change 2022: Impacts, adaptation and vulnerability. IPCC.

41.   ITU. (2020). Global cybersecurity index 2020. International Telecommunication Union.

42.   Lewis, T. G. (2006). Critical infrastructure protection in homeland security. Wiley.

43.   Lincoln, Y. S., & Guba, E. G. (1985). Naturalistic inquiry. Sage.

44.   Linkov, I., & Trump, B. D. (2019). The science and practice of resilience. Springer.

45.   Moteff, J. D. (2005, Feb. 4). Risk management and critical infrastructure protection. Congressional Research Service.

46.   NATO. (2019). NATO resilience and Article 3. North Atlantic Treaty Organisation.

47.   NATO. (2020). Strengthened resilience commitment. NATO Summit Communique.

48.   NDMA. (2020). National disaster management plan. Government of India.

49.   Nickolov, E. (2005). Critical information infrastructure protection: Analysis, evaluation and expectations. Information and Security, 17, 105-119.

50.   OECD. (2019). Good governance for critical infrastructure resilience. OECD.

51.   Patton, M. Q. (2015). Qualitative research and evaluation methods (4th ed.). Sage.

52.   Petit, F., & Verner, D. (2016). Resilience measurement index. Argonne National Laboratory.

53.   Rao, S. (2021). Mumbai power outage: Chinese cyber threat to India’s critical infrastructure. Observer Research Foundation.

54.   Rehak, D., Senovsky, P., Hromada, M., & Lovecek, T. (2020). Cascading impact assessment in critical infrastructure systems. International Journal of Critical Infrastructure Protection, 30, 100378.

55.   Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine, 21(6), 11-25.

56.   Sarkesian, S. C., Williams, J. A., & Cimbala, S. J. (2008). US national security: Policymakers, processes, and politics (4th ed.). Lynne Rienner.

57.   Schotten, H. D., et al. (2024). Resilience of communication networks for critical infrastructure. IEEE Communications Magazine, 62(1), 108-114.

58.   Svendsen, N. K., & Wolthusen, S. D. (2008). Connectivity models of interdependency in mixed-type critical infrastructure networks. Information Security Technical Report, 12(1), 44-55.

59.   The White House. (2013). Presidential Policy Directive 21: Critical infrastructure security and resilience.

60.   TRB & NRC. (2006). Transportation research board and national research council: Making the nation safer. National Academies Press.

61.   UNDRR. (2023). Global assessment report on disaster risk reduction. United Nations Office for Disaster Risk Reduction.

62.   USDHS. (2013). National Infrastructure Protection Plan (NIPP). U.S. Department of Homeland Security.

 

Declaration: This paper is derived from the author's independent academic research programme on Critical Infrastructure Protection in India. Artificial intelligence-based language tools were employed in a limited capacity confined exclusively to language polishing, editorial consistency, grammatical refinement, and structural formatting; at no stage were such tools used for the generation of ideas, formulation of arguments, design of institutional architectures, development of analytical frameworks, construction of policy prescriptions, or production of original scholarly content. All intellectual contributions contained in this paper, including the conceptualisation and design of the Bharat National Resilience Ecosystem (BNRE), BIP-CARE, BIP-CARP, BIPCARD, SOMA, RAS, the Prahari framework, BNRI, and the BAP-I twelve-cluster securitisation model, are the sole intellectual property of the author; developed through original research, comparative analysis, and independent scholarly reasoning. Should any passage be identified by AI-detection systems as resembling machine-generated text, such identification would reflect the inherent limitations of detection algorithms in distinguishing AI-assisted language polishing from AI-generated content, and would not indicate that the intellectual contribution is anything other than the author's own. The author accepts full academic and professional responsibility for every claim, argument, framework, and recommendation advanced in this paper, and makes this declaration in compliance with evolving institutional and publication standards governing the ethical use of AI tools in scholarly research.

No PDF available