Critical Infrastructure Sectors & Dynamics | National Critical Infrastructure Protection Systems (CIPS) | Hybrid Threats Monitoring & Risk Response Systems | Cybersecurity Infrastructure & Forensic Analytics | Border Management,Immigration & Coastal Surveillance
|
India's critical infrastructure protection, when it comes to
cyber-physical things including from the hybrid nature of threats, has
remained without a dedicated statutory authority, a unified governance
architecture, or an institutional mechanism where threat assessment,
interdependency mapping and enforcement can integrate at the national level.
This article examines the convergence of critical infrastructure
vulnerabilities with the country's prevailing internal security management
deficits, taking the events of 2025 including the coordinated cyber-physical
assaults during Operation Sindoor as the empirical ground. By the means of
comparative assessment of seven measured jurisdictions and diagnostic
evaluation of the twelve-cluster BAP-I securitisation model against the
existing NCIIPC framework, it is argued that sector-specific regulations and
ad-hoc institutional arrangements are no longer tenable for the protection of
India's critical sectors. The article traces the institutional failure to the
same structural weakness that has characterised India's security reform
trajectory since the post-1998 Kargil Review Committee process; and proposes
the BIPCARD institutional architecture, the Critical Infrastructure
Protection Act and the associated elements of SOMA, RAS, Prahari and the
Bharat National Resilience Index as the integrated governance framework that
the prevailing and emerging threat environment demands. |
Keywords : Critical Infrastructure Protection, Internal Security Management, BAP-I Securitisation Framework, Twelve-Cluster Model, BIPCARD, CIPA, Institutional Architecture, Cyber-Physical Threats, Operation Sindoor, IT-OT Integration, NCIIPC, Governance Deficit, Cascading Failure, Interdependency Mapping, Resilience Metrics, All-Hazards Doctrine, National Security Reform, Kargil Review Committee, Counter-Terrorism Mechanism, State-Sponsored Cyber Operations, CERT-In, NATGRID, Vulnerability Assessment, India
India lacks a unified governance
architecture for the protection of its critical infrastructures. This deficit
has remained one of the most serious institutional voids in the country's
security management calculus. No single statutory authority exists to coordinate,
oversee or enforce protection standards across the sectors that constitute the
backbone of the Indian State's functioning. The prevailing fragmentation of
responsibilities across ministries, departments and agencies has kept the
affairs of critical infrastructure protection scattered; and this fragmentation
is not a recent discovery. Security analysts and policy establishments have
interrogated it at several instances; the academic community has written on it
in no less measure. But the institutional response has remained episodic, and
by all accounts inadequate to the scale of the problem it was supposed to
address.
The vulnerabilities are
not accidental. They are the predictable outcome of decades of institutional
neglect and habitual let-downs in the affairs of reform. The country has
remained trapped in a pattern where crisis triggers attention and attention
fades with the passing of the crisis.
It is argued that this failure can be
traced to the same structural weakness that has plagued the country's internal
security management since independence, in that the apparatus responsible for
internal security has operated in isolated domains without the necessary
inter-agency coordination, while enforcement elements have suffered from
outdated capacity and fragmented mandate, and the political establishment has
treated security reform as a matter of reactive convenience rather than
sustained institutional commitment. On that account, what exists today in the
domain of critical infrastructure governance is not a system; it is a
collection of sector-specific arrangements held together by convention rather
than by statutory design.
The events of 2025 have made the urgency of
this argument impossible to defer. During Operation Sindoor in May 2025,
India's retaliatory military strikes against terror infrastructure in Pakistan
and Pakistan-occupied Kashmir triggered an unprecedented wave of coordinated
cyberattacks against Indian critical infrastructure systems. Approximately two
lakh cyber-attack attempts targeted the national power grid within a span of
eight to ten days. The Power Grid Corporation of India suffered a DDoS attack
that disrupted online services for over thirty-one minutes. BSNL's main website
was rendered inaccessible for several days following back-to-back DDoS attacks.
The President's official website was hit by a sustained DDoS assault lasting
nearly nineteen hours. Hacktivist groups aligned with Pakistan launched
defacement campaigns against government portals, tax platforms and education
websites; while state-linked advanced persistent threat groups, namely APT36
and SideCopy, executed coordinated campaigns targeting defence networks and
critical infrastructure organisations through malware-laden MSI installers and
DLL sideloading techniques. For so, what Operation Sindoor revealed was not
merely the hostility of adversarial actors but the structural exposure of India's
critical infrastructures to coordinated multi-vector assault at a time of
kinetic military confrontation.
This was the first
instance where cyber operations unfolded simultaneously with an active military
campaign between India and Pakistan. The convergence of the kinetic and cyber
domains in a single operational theatre has altered the threat calculus permanently.
When the scale of the broader cyber threat
environment is examined, the prevailing condition substantiates the argument in
terms that cannot be disputed. The India Cyber Threat Report 2026, published by
Quick Heal Technologies, recorded over 265 million cyber incidents in 2025; and
CERT-In alone handled over 29.44 lakh incidents during the same period, out of
which 1,530 alerts, 390 vulnerability notes and 65 advisories were issued. The
gravity of the situation has remained further evidenced by the Check Point
State of Cyber Security in India 2025 report, which found that Indian
organisations faced an average of over 2,000 cyberattacks per week, a figure
that far exceeded the global average. Trojans and file infectors accounted for
seventy per cent of all malware detections as per the Seqrite India Cyber
Threat Report 2026; AI-generated phishing and business email compromise
constituted another twenty-two per cent. By conservative estimates, losses from
cyberattacks in the country crossed twenty thousand crore rupees in 2025. These
are not figures that can be set aside as statistical abstractions. Keeping this
prevailing scenario in attention, the argument that India's critical
infrastructure protection can continue to be managed through sector-specific
regulations and ad-hoc institutional arrangements is no longer tenable; and any
attempt to sustain that position will be at the cost of the country's security.
So far the governance
of critical infrastructure protection is concerned, the country has remained
without a dedicated statutory instrument. There is no Critical Infrastructure
Protection Act in place. There is no institutional mechanism where threat assessment,
vulnerability analysis, interdependency mapping, resilience measurement and
enforcement can integrate. The NCIIPC, established under Section 70A of the
Information Technology Act, 2000 (amended 2008), remains the only designated
authority for the protection of critical information infrastructure; but its
mandate has remained confined to the information and cyber dimensions of seven
designated sectors. The Electricity Act does not account for cyber-physical
threats to the power grid. The Information Technology Act does not extend to
the operational technology environments of industrial control systems. The
Disaster Management Act does not incorporate the cascading failure dynamics
that interdependent critical infrastructures produce. Sector-specific regulations
which were never designed with the all-hazards perspective in attention have
been left to carry a burden they cannot bear; and this isolation has remained
the fundamental weakness.
Measured countries have
done what India has not.
By the means of comparative assessment, the
United States through its NIPP framework and the Cybersecurity and
Infrastructure Security Agency has built a sector-specific decentralised
governance model. The European Union through the NIS2 Directive has moved
towards a regulation-centric approach with mandatory incident reporting and
cross-border coordination. China through its Multi-Level Protection Scheme has
adopted a centralised model with the state exercising direct control over
critical information infrastructures; Germany through the BSI and UP KRITIS has
developed a co-governance model integrating industry and government. Singapore
through its Cybersecurity Act of 2018 has brought critical information
infrastructure under a statutory licensing and audit framework. Japan in the
aftermath of Fukushima has moved towards anticipatory governance with emphasis
on resilience and preparedness. Israel through the INCD has operationalised a
national-level cyber defence architecture that covers both government and
critical private sector assets. Each of these countries arrived at its
institutional architecture through a different path; but the destination has
remained the same, that is the establishment of a dedicated authority with
statutory mandate and enforcement capacity. What is noteworthy is that none of
these measured countries treated critical infrastructure protection as a
residual function of existing sectoral regulators. The recognition that
critical infrastructures constitute an interdependent system requiring
dedicated governance came first; the institutional design followed from that
recognition.
India has done none of
this in a consolidated manner.
The twelve-cluster model advanced under the
BAP-I securitisation framework goes beyond the seven sectors currently
designated by the NCIIPC. Energy. Information and communications technology.
Transport. Logistics and supply chain. Blue-water and maritime. Digital
infrastructure and cyber-physical convergence. Disaster dynamics. Internal
security. Research-to-resilience. Indigenisation and technology sovereignty.
Business innovation. Corporate governance and social security. Overseas
investments and global partnerships. These clusters constitute the expanded
territorial mapping of India's critical infrastructure domain; and the gap
between what the NCIIPC currently covers and what the BAP-I model identifies is
structural, not marginal.
The institutional architecture proposed
under the BAP-I framework consists of five elements. BIPCARD as the apex
coordinating authority. SOMA as the situational and operational monitoring
apparatus. RAS as the risk assessment structure. Prahari as the enforcement and
compliance mechanism. The Bharat National Resilience Index as the measurement
and benchmarking instrument. This architecture has been designed with a desire
to address the eleven structural requirements identified for a credible
critical infrastructure protection programme in India; these requirements
include the need for a statutory mandate, a designated national authority,
standardised vulnerability assessment protocols, mandatory physical and cyber
protection standards, IT-OT integration frameworks, interdependency mapping
capabilities, all-hazards preparedness doctrine, public-private partnership
mechanisms, resilience metrics and simulation and red-teaming capabilities
among other considerations.
Whether this
architecture can function in the absence of political commitment is the
question. The answer drawn from India's own experience with internal security
reform is not encouraging.
The Kargil Review Committee came out with
precise reform plans; the Group of Ministers' report carried those plans
forward with extensive recommendations. The National Security Council was
established. The National Security Advisory Board was constituted. The
Strategic Policy Group and the National Security Council Secretariat were
created. After the Twenty-Six Eleven Mumbai attack, the National Investigation
Agency was established, the Multi-Agency Centre was strengthened, the NATGRID
was conceived. The idea of the National Counter Terrorism Centre was floated as
a well-established proposal. Yet the pattern that has remained consistent
through all these phases is the pattern of initial momentum followed by
bureaucratic lethargy and political disengagement. The NCTC could not be
materialised because the states opposed it on the ground of constitutional
jurisdiction; and the Centre did not pursue the matter with the resolve it
warranted. The NATGRID suffered delays that stretched across years. The NSC
system has not functioned to the level it was desired; the prevailing
shortcoming of clear-cut guidelines did not allow the apparatus to deliver what
was expected. Even the agencies that were established remained understaffed and
under-resourced. The NIA, for instance, has been operating with a thirty per
cent manpower shortage of its sanctioned strength. For so, the institutional
mechanisms that were designed with considerable sophistication on paper have
remained diminished in their operational manifestation.
It is to mention that certain recent policy
developments have taken place which, while welcome, do not amount to the
institutional architecture that the scale of the challenge demands. The Union
Budget 2025-26 allocated 782 crore rupees for cybersecurity, and CERT-In's 2025
audit guidelines have placed accountability on critical infrastructure
operators for mandatory annual third-party audits covering IT, OT, cloud,
supply chain and physical security. In August 2025, the country declassified
its Joint Doctrine for Cyberspace Operations; this has been a significant step,
in that the doctrine conceptualised cyber operations as a response option to
inimical action against national sovereignty and was said to have incorporated
lessons from the Operation Sindoor experience. The Digital Personal Data
Protection Act has introduced compliance obligations on data fiduciaries. On
the side of industry and expert recommendations, the Trusted Bharat Critical
Infrastructure Report 2025 has proposed a ten billion dollar National Cyber
Resilience Fund and a public-private Cyber Resilience Taskforce. All of these
are steps which deserve recognition. But none of them, taken individually or in
combination, constitutes the dedicated statutory authority with enforcement
mandate that a credible critical infrastructure protection programme requires.
The country has remained in the habit of accumulating piecemeal measures while
deferring the institutional question; and the experience of internal security
reform has already demonstrated what happens when that deferment is allowed to
persist.
The nefarious design of state actors and
their proxies has not remained confined to the perpetration of terrorism
through conventional means and methods of terror. Now the cyber-physical domain
has emerged as the new front of confrontation, and this emergence changes the
entire calculus. Or more precisely, the front is not new, but one whose
operational intensity has escalated to the point where the existing governance
apparatus has been found incapable of managing it. The involvement of
antagonistic states in targeting India's critical infrastructures is no longer
a matter of speculation; the Operation Sindoor episode alone evidenced it at a
scale that the country had not previously confronted. In the same vein, the
wild non-state actors and organised crime networks have started exploiting the
vulnerabilities in critical infrastructure systems for financial gain and for
the sustenance of their terror modules. Fake currency networks, hawala channels
and smuggling operations that have historically sustained terrorism in the
country are finding new operational ground in the cyber domain.
The proliferation of destructive
technologies accessible to non-state elements has made the task of containment
harder than it was even a decade ago. The nexus between state-sponsored cyber
operations and the broader strategy of India's containment by adversarial
powers has gathered ground; and this nexus, when examined in amalgamation with
the activities of the non-state elements, presents a threat picture that the
existing institutional arrangements are simply not equipped to manage. The Star
Health data leak of 2024 exposing the records of thirty-one million
policyholders, the AIIMS ransomware attack of 2022, the BSNL data breach of
2024, the WazirX compromise, the Kudankulam malware incident of 2019 and the
RedEcho intrusion into India's power grid are cases in point. Each exposed the
fact that a unified response mechanism did not exist. Mandatory cross-sector
reporting protocols had not been formalised. No institutional authority with
the mandate to enforce protection standards across the full spectrum of
critical sectors was in place; and it has been this very void, recurring
incident after incident, that has remained the most damaging indictment of the
prevailing governance arrangement.
Several gaps remain unaddressed; and these
gaps are not peripheral but foundational. India lacks a standardised
vulnerability assessment framework applicable across all twelve clusters. No
systematic study of cascading failure dynamics across sectors has been
undertaken at the national level. Mandatory physical protection standards for
critical assets do not exist. The integration of information technology and
operational technology environments remains weak; and the two lakh cyberattacks
on the power grid during Operation Sindoor exposed precisely this IT-OT
vulnerability at the operational level. Resilience metrics are missing. The
culture of simulation and red-teaming exercises is non-existent. Public-private
partnership frameworks for the sharing of threat intelligence between
government and the operators of critical assets have not been formalised. The
absence of a national-level interdependency mapping exercise means that the
cascading consequences of a targeted attack on one sector upon the functioning
of others remain largely unknown to the policy establishment. A statutory
instrument is required. An institutional architecture with clear mandate,
adequate resources and enforcement authority is required. Taken into
consideration the scale of the challenge, anything less than a dedicated
Critical Infrastructure Protection Act will remain insufficient.
The register of threats that India
confronts at this juncture is not what it was two decades ago. The emanating
threats from the regional sphere, the extra-territorial dimensions of
terrorism, the growing sophistication of cyber-physical attacks and the increasing
interdependence of infrastructure systems have dissolved the traditional
boundaries between internal security and critical infrastructure protection.
India experienced over 265 million cyber incidents in a single year. It blocked
two lakh attacks on its power grid during ten days of military operations.
State-sponsored APT campaigns targeted its defence and critical infrastructure
simultaneously. The country's cybersecurity market itself is projected to grow
from 5.56 billion dollars in 2025 to 12.9 billion dollars by 2030; and the pace
of this growth is an admission that the threat is not receding but escalating.
Separate institutional silos cannot hold. The country tried that approach for
decades and the outcome has been a trail of failures, each more serious than
the previous.
On that very basis, the
argument for an integrated architecture that brings together internal security
management with the governance requirements of critical infrastructure
protection stands justified. The BAP-I twelve-cluster securitisation model, the
proposed CIPA and the institutional elements of BIPCARD, SOMA, RAS, Prahari and
BNRI represent one such integrated architecture. The design exists. The
justification has been established through diagnostic assessment of the
prevailing gaps and through comparative evaluation of what the measured
countries have accomplished. What has not yet been demonstrated is the
political and bureaucratic will to translate this design into institutional
reality.
The experience of internal security
management reform since 1998 offers both the precedent and the caution. India
has shown the capacity to conceptualise institutional mechanisms of
considerable sophistication when compelled by crisis; this much the post-1998
and post-Twenty-Six-Eleven experiences have established beyond question. But
the implementation of those mechanisms has invariably fallen short of the
design. The KRC recommendations were not implemented in totality; and that
failure of implementation is what gave scope for the Twenty-Six Eleven attack
to succeed. This is the lesson that the political establishment has received
but has not yet internalised.
For so, the impending task is not merely
the formulation of another institutional proposal. The task is to ensure that
the political, bureaucratic and security establishments commit to sustained
implementation with the seriousness that the prevailing and emerging threats
demand. The protection of India's critical infrastructures cannot be deferred
to a more convenient time. The threats are impending. The vulnerabilities are
apparent. The institutional void is well-established. Operation Sindoor has
demonstrated that the next confrontation will be fought simultaneously in the
kinetic and cyber domains; and the country's critical infrastructures will be
the first targets. What remains impending is the will to act; and the country
must confront this question now, without the deferment that has characterised
its security reform trajectory since independence.