Critical Information Infrastructure — Revision Notes

Version 1 · Updated 7 Mar 2026

⚡ 30-Second Revision

  • CII: Critical Information Infrastructure. Systems vital for national security, economy, public health, safety.
  • IT Act 2000, Sec 70: Legal basis for 'Protected System' affecting CII.
  • NCIIPC: National Critical Information Infrastructure Protection Centre. Nodal agency for CII protection. Under NSCS. Est. 2014.
  • CERT-In: Indian Computer Emergency Response Team. General cyber incident response, advisories. Coordinates with NCIIPC.
  • Key Sectors: Power, Telecom, Banking, Transportation, Government.
  • Threats: APTs, Ransomware (OT), Supply Chain, Insider Threat.
  • Vulnerabilities: Legacy SCADA/ICS, IT-OT convergence.
  • Mnemonics:
      - POWER-BANK-TELECOM: Key CII sectors (Power, Banking, Telecom, Transportation, Government).
      - NCIIPC-CERT-LEGAL: NCIIPC (nodal), CERT-In (coordination), LEGAL (IT Act Sec 70).

2-Minute Revision

Critical Information Infrastructure (CII) forms the digital and physical backbone of a nation, encompassing vital sectors like Power, Telecommunications, Banking, Transportation, and Government networks.

Its protection is paramount for national security and economic stability. In India, the IT Act, 2000 (especially Section 70), provides the legal framework, establishing 'Protected Systems' and the National Critical Information Infrastructure Protection Centre (NCIIPC) in 2014.

NCIIPC, functioning under the NSCS, is the nodal agency for CII, focusing on threat intelligence, vulnerability assessment, and incident response, coordinating closely with CERT-In and sectoral regulators.

Major threats include state-sponsored Advanced Persistent Threats (APTs), ransomware targeting Operational Technology (OT) systems, and supply chain compromises, as evidenced by incidents like the 2020 Mumbai power grid attack and the 2021 AIIMS ransomware incident.

India's strategy emphasizes resilience, public-private partnerships, and alignment with international frameworks like NIST CSF. The continuous evolution of cyber threats necessitates an adaptive, multi-stakeholder approach to safeguard these critical assets.

5-Minute Revision

Critical Information Infrastructure (CII) is defined as the vital digital and physical assets whose disruption would have a debilitating impact on national security, economic stability, public health, or safety.

India's legal foundation for CII protection is rooted in the Information Technology Act, 2000, particularly Section 70, which allows for the designation of 'Protected Systems.' The IT (Amendment) Act, 2008, further solidified this by enabling the establishment of the National Critical Information Infrastructure Protection Centre (NCIIPC) in 2014.

NCIIPC, operating under the National Security Council Secretariat (NSCS), serves as the national nodal agency. Its core functions include identifying critical sectors (Power, Telecommunications, Banking & Financial, Transportation, Government), collecting and disseminating threat intelligence, conducting vulnerability assessments, coordinating incident response, and formulating security policies.

NCIIPC collaborates extensively with CERT-In, which handles broader cyber security incidents and advisories, and with various sectoral regulatory bodies like the RBI and CEA. The threat landscape for CII is complex and includes sophisticated state-sponsored Advanced Persistent Threats (APTs) aiming for long-term infiltration, financially motivated ransomware groups increasingly targeting Operational Technology (OT) systems, and supply chain compromises that exploit third-party vulnerabilities.

The 2020 Mumbai power grid cyberattack highlighted the risks to SCADA/ICS systems, while the 2021 AIIMS ransomware incident underscored vulnerabilities in critical healthcare infrastructure. These events emphasize the need for robust cyber resilience, proactive threat intelligence, network segmentation, and comprehensive incident response plans.

India's National Cyber Security Strategy 2023/2024 aims to strengthen this framework through enhanced public-private partnerships, indigenous technology development, and international cooperation, aligning with global best practices like the NIST Cybersecurity Framework.

From a UPSC perspective, understanding the institutional coordination, legal provisions, sectoral vulnerabilities, and India's strategic response to evolving cyber threats is crucial for both Prelims and Mains.

Prelims Revision Notes

  1. CII Definition: Computer resource, incapacitation/destruction = debilitating impact on national security, economy, public health/safety. Not explicitly defined in main IT Act sections, but derived from Sec 70 and NCIIPC mandate.
  2. IT Act 2000: Section 70 - 'Protected System' (any computer resource affecting CII). IT (Amendment) Act 2008 - introduced Sec 70A (NCIIPC establishment) and 70B (NCIIPC mandate).
  3. NCIIPC: National Critical Information Infrastructure Protection Centre. Est. 2014. Nodal agency for CII. Functions under NSCS. Mandate: protect CII from cyber threats. Functions: identification, threat intel, vulnerability, incident response, policy, capacity building.
  4. CERT-In: Indian Computer Emergency Response Team. National CSIRT. Handles general cyber incidents, advisories. Coordinates with NCIIPC for CII incidents.
  5. Key CII Sectors: Power & Energy (SCADA/EMS), Telecommunications, Banking & Financial Services, Transportation (Aviation, Railways), Government Networks & e-Governance, Strategic & Public Enterprises, Healthcare (emerging focus).
  6. Major Threats: APTs (state-sponsored, stealthy), Ransomware (increasingly targets OT), Supply Chain Compromise (e.g., SolarWinds), Insider Threat, DDoS.
  7. Vulnerabilities: Legacy OT/ICS systems, IT-OT convergence, human error, unpatched systems, lack of segmentation.
  8. Case Studies: Mumbai Power Grid (2020) - SCADA/EMS, suspected state-sponsored. AIIMS Ransomware (2021) - healthcare, data encryption, service disruption.
  9. International Frameworks: NIST CSF (Identify, Protect, Detect, Respond, Recover), ISO 27001/27019 (energy).
  10. Policy: National Cyber Security Strategy (NCSS) 2023/2024 - aims for resilience, public-private partnership, indigenous tech.

Mains Revision Notes

  1. Introduction: Define CII, its strategic importance (national security, economy, public safety). Mention India's digital transformation context.
  2. Institutional Framework:
      * NCIIPC: Mandate, functions (proactive & reactive), reporting to NSCS. Role in threat intelligence, vulnerability assessment, incident coordination.
      * CERT-In: Broader mandate, coordination with NCIIPC (information sharing, joint response for CII).
      * Sectoral Regulators: RBI (financial), CEA (power), DoT (telecom) – their specific guidelines and enforcement.
  3. Legal Basis: IT Act 2000 (Sec 70, 70A, 70B) – 'Protected System' concept, NCIIPC establishment. Discuss its strengths as a foundation and limitations in dynamic threat landscape.
  4. Threats & Vulnerabilities:
      * Evolving Threats: APTs (state-sponsored), Ransomware (OT impact), Supply Chain (SolarWinds), Hybrid Warfare implications.
      * Sectoral Vulnerabilities: SCADA/ICS (legacy, IT-OT convergence), financial (API, phishing), telecom (signaling), transport (GPS spoofing).
      * Challenges: Public-private coordination, skill gap, resource constraints, attribution, cross-border nature of threats.
  5. Measures & Strategies:
      * National Cyber Security Strategy: Key pillars (resilience, capacity, R&D, international cooperation).
      * Technical: Network segmentation, robust access control, continuous monitoring (OT-specific), secure development, backups.
      * Organizational: Public-private partnerships, incident response plans, awareness training, regular audits.
      * International: Alignment with NIST CSF, ISO standards, cyber diplomacy, bilateral/multilateral cooperation.
  6. Case Studies (Lessons Learned): Mumbai power grid (OT security, threat intel), AIIMS ransomware (healthcare CII, data backup, awareness). Use these to illustrate points.
  7. Conclusion: Emphasize a holistic, adaptive, and multi-stakeholder approach for building cyber resilience. Connect to India's strategic autonomy and digital future.

Vyyuha Quick Recall

VYYUHA QUICK RECALL MNEMONICS

  1. POWER-BANK-TELECOM (P-B-T):
      * Power & Energy
      * Banking & Financial Services
      * Telecommunications
      * (Extend to include Transportation and Government Networks for a more complete list of key CII sectors. Think 'P-B-T-T-G' for a comprehensive recall of major CII sectors.)
      * How to use: This mnemonic helps you quickly recall the primary sectors that constitute Critical Information Infrastructure in India, crucial for both Prelims and Mains questions asking for examples or sectoral analysis.
  2. NCIIPC-CERT-LEGAL (N-C-L):
      * NCIIPC: The National Critical Information Infrastructure Protection Centre (the nodal agency).
      * CERT-In: The Indian Computer Emergency Response Team (the coordinating agency for broader cyber security).
      * LEGAL: The Information Technology Act, 2000 (especially Section 70, 70A, 70B) (the foundational legal framework).
      * How to use: This mnemonic helps you remember the three core pillars of India's institutional and legal framework for CII protection, essential for questions on governance, roles, and legal provisions.
