Banner Slide 8

Critical Infrastructure Sectors & Dynamics | National Critical Infrastructure Protection Systems (CIPS) | Hybrid Threats Monitoring & Risk Response Systems | Cybersecurity Infrastructure & Forensic Analytics | Border Management,Immigration & Coastal Surveillance

Research Focus (s)
Sector Focus
Author Type
Article
The Convergence of Critical Infrastructure Protection and Internal Security Management in India: Institutional Deficits and the Imperative of an Integrated Architecture
Category
Strategic Digest
Published Platform
Sanaatan Sovereignty
Author Name
Dr. Padmalochan DASH
DOI :
NA (E)
BNRI :
BNRI 19002000-010003 (E)
Reviewed Date : 16-12-20
Published Date : 22-01-21
Updated Date : 11-07-26

India's critical infrastructure protection, when it comes to cyber-physical things including from the hybrid nature of threats, has remained without a dedicated statutory authority, a unified governance architecture, or an institutional mechanism where threat assessment, interdependency mapping and enforcement can integrate at the national level. This article examines the convergence of critical infrastructure vulnerabilities with the country's prevailing internal security management deficits, taking the events of 2025 including the coordinated cyber-physical assaults during Operation Sindoor as the empirical ground. By the means of comparative assessment of seven measured jurisdictions and diagnostic evaluation of the twelve-cluster BAP-I securitisation model against the existing NCIIPC framework, it is argued that sector-specific regulations and ad-hoc institutional arrangements are no longer tenable for the protection of India's critical sectors. The article traces the institutional failure to the same structural weakness that has characterised India's security reform trajectory since the post-1998 Kargil Review Committee process; and proposes the BIPCARD institutional architecture, the Critical Infrastructure Protection Act and the associated elements of SOMA, RAS, Prahari and the Bharat National Resilience Index as the integrated governance framework that the prevailing and emerging threat environment demands.

Keywords : Critical Infrastructure Protection, Internal Security Management, BAP-I Securitisation Framework, Twelve-Cluster Model, BIPCARD, CIPA, Institutional Architecture, Cyber-Physical Threats, Operation Sindoor, IT-OT Integration, NCIIPC, Governance Deficit, Cascading Failure, Interdependency Mapping, Resilience Metrics, All-Hazards Doctrine, National Security Reform, Kargil Review Committee, Counter-Terrorism Mechanism, State-Sponsored Cyber Operations, CERT-In, NATGRID, Vulnerability Assessment, India

India lacks a unified governance architecture for the protection of its critical infrastructures. This deficit has remained one of the most serious institutional voids in the country's security management calculus. No single statutory authority exists to coordinate, oversee or enforce protection standards across the sectors that constitute the backbone of the Indian State's functioning. The prevailing fragmentation of responsibilities across ministries, departments and agencies has kept the affairs of critical infrastructure protection scattered; and this fragmentation is not a recent discovery. Security analysts and policy establishments have interrogated it at several instances; the academic community has written on it in no less measure. But the institutional response has remained episodic, and by all accounts inadequate to the scale of the problem it was supposed to address.

The vulnerabilities are not accidental. They are the predictable outcome of decades of institutional neglect and habitual let-downs in the affairs of reform. The country has remained trapped in a pattern where crisis triggers attention and attention fades with the passing of the crisis.

It is argued that this failure can be traced to the same structural weakness that has plagued the country's internal security management since independence, in that the apparatus responsible for internal security has operated in isolated domains without the necessary inter-agency coordination, while enforcement elements have suffered from outdated capacity and fragmented mandate, and the political establishment has treated security reform as a matter of reactive convenience rather than sustained institutional commitment. On that account, what exists today in the domain of critical infrastructure governance is not a system; it is a collection of sector-specific arrangements held together by convention rather than by statutory design.

The events of 2025 have made the urgency of this argument impossible to defer. During Operation Sindoor in May 2025, India's retaliatory military strikes against terror infrastructure in Pakistan and Pakistan-occupied Kashmir triggered an unprecedented wave of coordinated cyberattacks against Indian critical infrastructure systems. Approximately two lakh cyber-attack attempts targeted the national power grid within a span of eight to ten days. The Power Grid Corporation of India suffered a DDoS attack that disrupted online services for over thirty-one minutes. BSNL's main website was rendered inaccessible for several days following back-to-back DDoS attacks. The President's official website was hit by a sustained DDoS assault lasting nearly nineteen hours. Hacktivist groups aligned with Pakistan launched defacement campaigns against government portals, tax platforms and education websites; while state-linked advanced persistent threat groups, namely APT36 and SideCopy, executed coordinated campaigns targeting defence networks and critical infrastructure organisations through malware-laden MSI installers and DLL sideloading techniques. For so, what Operation Sindoor revealed was not merely the hostility of adversarial actors but the structural exposure of India's critical infrastructures to coordinated multi-vector assault at a time of kinetic military confrontation.

This was the first instance where cyber operations unfolded simultaneously with an active military campaign between India and Pakistan. The convergence of the kinetic and cyber domains in a single operational theatre has altered the threat calculus permanently.

When the scale of the broader cyber threat environment is examined, the prevailing condition substantiates the argument in terms that cannot be disputed. The India Cyber Threat Report 2026, published by Quick Heal Technologies, recorded over 265 million cyber incidents in 2025; and CERT-In alone handled over 29.44 lakh incidents during the same period, out of which 1,530 alerts, 390 vulnerability notes and 65 advisories were issued. The gravity of the situation has remained further evidenced by the Check Point State of Cyber Security in India 2025 report, which found that Indian organisations faced an average of over 2,000 cyberattacks per week, a figure that far exceeded the global average. Trojans and file infectors accounted for seventy per cent of all malware detections as per the Seqrite India Cyber Threat Report 2026; AI-generated phishing and business email compromise constituted another twenty-two per cent. By conservative estimates, losses from cyberattacks in the country crossed twenty thousand crore rupees in 2025. These are not figures that can be set aside as statistical abstractions. Keeping this prevailing scenario in attention, the argument that India's critical infrastructure protection can continue to be managed through sector-specific regulations and ad-hoc institutional arrangements is no longer tenable; and any attempt to sustain that position will be at the cost of the country's security.

So far the governance of critical infrastructure protection is concerned, the country has remained without a dedicated statutory instrument. There is no Critical Infrastructure Protection Act in place. There is no institutional mechanism where threat assessment, vulnerability analysis, interdependency mapping, resilience measurement and enforcement can integrate. The NCIIPC, established under Section 70A of the Information Technology Act, 2000 (amended 2008), remains the only designated authority for the protection of critical information infrastructure; but its mandate has remained confined to the information and cyber dimensions of seven designated sectors. The Electricity Act does not account for cyber-physical threats to the power grid. The Information Technology Act does not extend to the operational technology environments of industrial control systems. The Disaster Management Act does not incorporate the cascading failure dynamics that interdependent critical infrastructures produce. Sector-specific regulations which were never designed with the all-hazards perspective in attention have been left to carry a burden they cannot bear; and this isolation has remained the fundamental weakness.

Measured countries have done what India has not.

By the means of comparative assessment, the United States through its NIPP framework and the Cybersecurity and Infrastructure Security Agency has built a sector-specific decentralised governance model. The European Union through the NIS2 Directive has moved towards a regulation-centric approach with mandatory incident reporting and cross-border coordination. China through its Multi-Level Protection Scheme has adopted a centralised model with the state exercising direct control over critical information infrastructures; Germany through the BSI and UP KRITIS has developed a co-governance model integrating industry and government. Singapore through its Cybersecurity Act of 2018 has brought critical information infrastructure under a statutory licensing and audit framework. Japan in the aftermath of Fukushima has moved towards anticipatory governance with emphasis on resilience and preparedness. Israel through the INCD has operationalised a national-level cyber defence architecture that covers both government and critical private sector assets. Each of these countries arrived at its institutional architecture through a different path; but the destination has remained the same, that is the establishment of a dedicated authority with statutory mandate and enforcement capacity. What is noteworthy is that none of these measured countries treated critical infrastructure protection as a residual function of existing sectoral regulators. The recognition that critical infrastructures constitute an interdependent system requiring dedicated governance came first; the institutional design followed from that recognition.

India has done none of this in a consolidated manner.

The twelve-cluster model advanced under the BAP-I securitisation framework goes beyond the seven sectors currently designated by the NCIIPC. Energy. Information and communications technology. Transport. Logistics and supply chain. Blue-water and maritime. Digital infrastructure and cyber-physical convergence. Disaster dynamics. Internal security. Research-to-resilience. Indigenisation and technology sovereignty. Business innovation. Corporate governance and social security. Overseas investments and global partnerships. These clusters constitute the expanded territorial mapping of India's critical infrastructure domain; and the gap between what the NCIIPC currently covers and what the BAP-I model identifies is structural, not marginal.

The institutional architecture proposed under the BAP-I framework consists of five elements. BIPCARD as the apex coordinating authority. SOMA as the situational and operational monitoring apparatus. RAS as the risk assessment structure. Prahari as the enforcement and compliance mechanism. The Bharat National Resilience Index as the measurement and benchmarking instrument. This architecture has been designed with a desire to address the eleven structural requirements identified for a credible critical infrastructure protection programme in India; these requirements include the need for a statutory mandate, a designated national authority, standardised vulnerability assessment protocols, mandatory physical and cyber protection standards, IT-OT integration frameworks, interdependency mapping capabilities, all-hazards preparedness doctrine, public-private partnership mechanisms, resilience metrics and simulation and red-teaming capabilities among other considerations.

Whether this architecture can function in the absence of political commitment is the question. The answer drawn from India's own experience with internal security reform is not encouraging.

The Kargil Review Committee came out with precise reform plans; the Group of Ministers' report carried those plans forward with extensive recommendations. The National Security Council was established. The National Security Advisory Board was constituted. The Strategic Policy Group and the National Security Council Secretariat were created. After the Twenty-Six Eleven Mumbai attack, the National Investigation Agency was established, the Multi-Agency Centre was strengthened, the NATGRID was conceived. The idea of the National Counter Terrorism Centre was floated as a well-established proposal. Yet the pattern that has remained consistent through all these phases is the pattern of initial momentum followed by bureaucratic lethargy and political disengagement. The NCTC could not be materialised because the states opposed it on the ground of constitutional jurisdiction; and the Centre did not pursue the matter with the resolve it warranted. The NATGRID suffered delays that stretched across years. The NSC system has not functioned to the level it was desired; the prevailing shortcoming of clear-cut guidelines did not allow the apparatus to deliver what was expected. Even the agencies that were established remained understaffed and under-resourced. The NIA, for instance, has been operating with a thirty per cent manpower shortage of its sanctioned strength. For so, the institutional mechanisms that were designed with considerable sophistication on paper have remained diminished in their operational manifestation.

It is to mention that certain recent policy developments have taken place which, while welcome, do not amount to the institutional architecture that the scale of the challenge demands. The Union Budget 2025-26 allocated 782 crore rupees for cybersecurity, and CERT-In's 2025 audit guidelines have placed accountability on critical infrastructure operators for mandatory annual third-party audits covering IT, OT, cloud, supply chain and physical security. In August 2025, the country declassified its Joint Doctrine for Cyberspace Operations; this has been a significant step, in that the doctrine conceptualised cyber operations as a response option to inimical action against national sovereignty and was said to have incorporated lessons from the Operation Sindoor experience. The Digital Personal Data Protection Act has introduced compliance obligations on data fiduciaries. On the side of industry and expert recommendations, the Trusted Bharat Critical Infrastructure Report 2025 has proposed a ten billion dollar National Cyber Resilience Fund and a public-private Cyber Resilience Taskforce. All of these are steps which deserve recognition. But none of them, taken individually or in combination, constitutes the dedicated statutory authority with enforcement mandate that a credible critical infrastructure protection programme requires. The country has remained in the habit of accumulating piecemeal measures while deferring the institutional question; and the experience of internal security reform has already demonstrated what happens when that deferment is allowed to persist.

The nefarious design of state actors and their proxies has not remained confined to the perpetration of terrorism through conventional means and methods of terror. Now the cyber-physical domain has emerged as the new front of confrontation, and this emergence changes the entire calculus. Or more precisely, the front is not new, but one whose operational intensity has escalated to the point where the existing governance apparatus has been found incapable of managing it. The involvement of antagonistic states in targeting India's critical infrastructures is no longer a matter of speculation; the Operation Sindoor episode alone evidenced it at a scale that the country had not previously confronted. In the same vein, the wild non-state actors and organised crime networks have started exploiting the vulnerabilities in critical infrastructure systems for financial gain and for the sustenance of their terror modules. Fake currency networks, hawala channels and smuggling operations that have historically sustained terrorism in the country are finding new operational ground in the cyber domain.

The proliferation of destructive technologies accessible to non-state elements has made the task of containment harder than it was even a decade ago. The nexus between state-sponsored cyber operations and the broader strategy of India's containment by adversarial powers has gathered ground; and this nexus, when examined in amalgamation with the activities of the non-state elements, presents a threat picture that the existing institutional arrangements are simply not equipped to manage. The Star Health data leak of 2024 exposing the records of thirty-one million policyholders, the AIIMS ransomware attack of 2022, the BSNL data breach of 2024, the WazirX compromise, the Kudankulam malware incident of 2019 and the RedEcho intrusion into India's power grid are cases in point. Each exposed the fact that a unified response mechanism did not exist. Mandatory cross-sector reporting protocols had not been formalised. No institutional authority with the mandate to enforce protection standards across the full spectrum of critical sectors was in place; and it has been this very void, recurring incident after incident, that has remained the most damaging indictment of the prevailing governance arrangement.

Several gaps remain unaddressed; and these gaps are not peripheral but foundational. India lacks a standardised vulnerability assessment framework applicable across all twelve clusters. No systematic study of cascading failure dynamics across sectors has been undertaken at the national level. Mandatory physical protection standards for critical assets do not exist. The integration of information technology and operational technology environments remains weak; and the two lakh cyberattacks on the power grid during Operation Sindoor exposed precisely this IT-OT vulnerability at the operational level. Resilience metrics are missing. The culture of simulation and red-teaming exercises is non-existent. Public-private partnership frameworks for the sharing of threat intelligence between government and the operators of critical assets have not been formalised. The absence of a national-level interdependency mapping exercise means that the cascading consequences of a targeted attack on one sector upon the functioning of others remain largely unknown to the policy establishment. A statutory instrument is required. An institutional architecture with clear mandate, adequate resources and enforcement authority is required. Taken into consideration the scale of the challenge, anything less than a dedicated Critical Infrastructure Protection Act will remain insufficient.

The register of threats that India confronts at this juncture is not what it was two decades ago. The emanating threats from the regional sphere, the extra-territorial dimensions of terrorism, the growing sophistication of cyber-physical attacks and the increasing interdependence of infrastructure systems have dissolved the traditional boundaries between internal security and critical infrastructure protection. India experienced over 265 million cyber incidents in a single year. It blocked two lakh attacks on its power grid during ten days of military operations. State-sponsored APT campaigns targeted its defence and critical infrastructure simultaneously. The country's cybersecurity market itself is projected to grow from 5.56 billion dollars in 2025 to 12.9 billion dollars by 2030; and the pace of this growth is an admission that the threat is not receding but escalating. Separate institutional silos cannot hold. The country tried that approach for decades and the outcome has been a trail of failures, each more serious than the previous.

On that very basis, the argument for an integrated architecture that brings together internal security management with the governance requirements of critical infrastructure protection stands justified. The BAP-I twelve-cluster securitisation model, the proposed CIPA and the institutional elements of BIPCARD, SOMA, RAS, Prahari and BNRI represent one such integrated architecture. The design exists. The justification has been established through diagnostic assessment of the prevailing gaps and through comparative evaluation of what the measured countries have accomplished. What has not yet been demonstrated is the political and bureaucratic will to translate this design into institutional reality.

The experience of internal security management reform since 1998 offers both the precedent and the caution. India has shown the capacity to conceptualise institutional mechanisms of considerable sophistication when compelled by crisis; this much the post-1998 and post-Twenty-Six-Eleven experiences have established beyond question. But the implementation of those mechanisms has invariably fallen short of the design. The KRC recommendations were not implemented in totality; and that failure of implementation is what gave scope for the Twenty-Six Eleven attack to succeed. This is the lesson that the political establishment has received but has not yet internalised.

For so, the impending task is not merely the formulation of another institutional proposal. The task is to ensure that the political, bureaucratic and security establishments commit to sustained implementation with the seriousness that the prevailing and emerging threats demand. The protection of India's critical infrastructures cannot be deferred to a more convenient time. The threats are impending. The vulnerabilities are apparent. The institutional void is well-established. Operation Sindoor has demonstrated that the next confrontation will be fought simultaneously in the kinetic and cyber domains; and the country's critical infrastructures will be the first targets. What remains impending is the will to act; and the country must confront this question now, without the deferment that has characterised its security reform trajectory since independence.

No PDF available
Dr. Padmalochan DASH

Dr. Padmalochan DASH

Dr. Dash is a defence and security expert with a strong focus on India’s evolving security architecture. He writes extensively on politics, diplomacy, and international affairs, while specialising in internal security and critical infrastructure protection. His work bridges policy, strategy, and practice, offering insights that connect ground realities with national resilience imperatives.