A major cyberattack has crippled one of the largest pipelines in the United States, Colonial Pipeline, which carries about 45% of all fuel consumed on the country’s East Coast. The ransomware attack has disrupted fuel supplies and caused a spike in gas prices in some parts of the country. U.S. authorities have blamed Darkside, a Russia-based criminal group, for the attack but so far have ruled out the Russian government’s involvement.
The attack on Colonial Pipeline fits the broader trend of recent years in which cyberattacks on critical infrastructure have escalated. Critical infrastructure comprises those systems and services that must remain operational at all times, such as traffic systems, banks and digital payment systems, power grids, oil pipelines and nuclear reactors. For years, security researchers have speculated about the possibility of sabotaging critical infrastructure operations. Now, adversarial states, keen to settle their geopolitical scores, have shown that such disruptions are no longer fiction. To evade attribution, some states have also used rogue non-state actors as proxies to launch these debilitating cyberattacks.
In 2010, the Stuxnet malware, allegedly designed by the United States and Israel, demonstrated for the first time how such sabotage might play out in real life. The malware targeted the Natanz reactor, a major Iranian nuclear facility. It caused centrifuges to malfunction, successfully derailing the progress of the Iranian nuclear programme. However, the virus also caused significant disruption outside Iran, infecting over 100,000 systems in 115 countries. Likewise, in December 2015, suspected Russian hackers breached power grids at the height of winter and disrupted power supplies in parts of Ukraine. The attack came on the heels of the Russia-Ukraine confrontation over the disputed territory of Crimea.
For India, too, the spectre of a crippling cyberattack on critical infrastructure by adversarial states and rogue non-state actors is a clear and present danger.
The Stuxnet virus, which targeted Iran, had also deeply penetrated Indian servers, infecting between 10,000 and 80,000 computers. There were no reports of significant disruption, but these infections made India the third-largest victim of Stuxnet, after Iran and Indonesia. In another major incident, a malware attack in September 2019 on the Kudankulam nuclear reactor in Tamil Nadu breached its administrative network. The malware was reportedly custom-designed, signifying that it was a deliberate hack. Most recently, at the height of the border stand-off with China’s People’s Liberation Army in eastern Ladakh, the China-linked hacker group RedEcho targeted India’s power sector, ports and parts of the railway infrastructure. This attack on the power sector can be blamed for a massive power outage in Mumbai in October 2020.
Data from India’s Computer Emergency Response Team (CERT) and the National Critical Information Infrastructure Protection Centre (NCIIPC), the two government bodies that monitor malicious cyber activity, record several attacks on India’s critical infrastructure. These attacks have only increased in scale and frequency over the years. Last year, National Security Advisor Ajit Doval noted that attacks targeting defence and critical infrastructure had surged during the outbreak of the COVID-19 pandemic.
This has made critical infrastructure protection a major cybersecurity priority for India.
After the Stuxnet experience, the government established the NCIIPC in 2014 as the nodal agency to work with the public and private sectors on plugging gaps in their critical infrastructure systems. NCIIPC’s main contribution has been detailed operational and technical guidelines for critical infrastructure operators to secure their systems. It also publishes Common Vulnerabilities and Exposures reports, which alert operators to incoming threats. Further, dedicated CERTs (CERT-Thermal, CERT-Hydro, CERT-Transmission) disseminate information about cyber incidents in the power sector.
Yet multiple issues complicate India’s comprehensive response. One significant challenge is the reluctance of the private sector (and the public sector too) to share information about the vulnerabilities of their systems. Businesses fear that revealing their vulnerabilities, and therefore their proprietary information, would expose them and cost them their competitive edge over rivals. Instead, critical infrastructure operators have tended to plug the security gaps in their systems only when faced with a cyberattack or data breach. Indian regulators have often complained that this reticent approach of operators and businesses is tactical and short-term, overlooking the possibility of concerted cyber warfare by adversarial states against India.
Given the mutual distrust and the vulnerability of both the public and private sectors, the solution lies in a shared-responsibility approach through a public-private partnership for critical infrastructure protection. Such partnerships should focus on building an institutional framework, expanding and deepening capacity, creating security standards with strict audits, and evolving a cybersecurity incident reporting framework.
India may not have witnessed the kind of cyberattack depicted in the 2007 Hollywood film Die Hard 4.0, which cripples transportation, financial and other critical sectors across the United States. But our threat canvas and vulnerabilities are expanding. Hence, only an integrated, whole-of-ecosystem approach to securing critical infrastructure will succeed.
This article was first published in the Hindustan Times.
Sameer Patil is Fellow, International Security Studies Programme, Gateway House.