homeinformation technology News

Explained: What is protected system and the need for securing critical infrastructure

Explained: What is protected system and the need for securing critical infrastructure

By Akanksha Upadhyay  Jun 22, 2022 11:41:16 AM IST (Updated)

The IT ministry declared IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure’. Under the CII banner, any unauthorised person accessing these resources may be jailed for up to 10 years. But what is ‘critical information infrastructure’, and who protects it?

The IT resources of ICICI Bank, HDFC Bank, and UPI managing entity National Payments Corporation of India (NPCI) have been declared as "critical information infrastructure" by the Ministry of Electronics and Information Technology (MeitY).

Recommended Articles

View All

"The central government, hereby, declares the computer resources relating to the core banking solution, real-time gross settlement, and NEFT (national electronic fund transfer), comprising structured financial messaging server, being critical information infrastructure of the ICICI Bank," MeitY said in a notification dated June 18. The computer resources of its associated units were also declared "protected systems" by MeitY.
In two similarly-worded notifications, MeitY declared the IT resources of HDFC Bank and NPCI as critical infrastructure.
What is critical infrastructure?
The Information Technology Act, 2000, defines “critical information infrastructure” as a “computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety”.
The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as critical to protecting that digital asset. Any unauthorised person accessing critical information infrastructure may be jailed for up to 10 years.
How is it different from a protected system?
A protected system is when the government notifies that the digital network/IT resources of an entity is extended protected status, implying that any harm to them will be a matter of national security.
"Looking at sophisticated cyber attacks, it is high time all banks and financial institutions get themselves notified as a protected system. Similarly, the control system of all the electricity, oil, airports, railways, metros, and transport systems are critical infrastructure and must be declared as protected systems," said Triveni Singh, SP, Cyber Crime, Uttar Pradesh Police.
Rakshit Tandon, a cyber security expert and cyber security consultant to the Internet and Mobile Association of India (IAMAI), also said every bank and financial institution should come under the ambit of critical infrastructure.
"Given the interconnectedness of critical IT resources in a country, disruptions can have a cascading effect across sectors. However, the government has its own parameters to declare an infrastructure critical. The NSE, too, should be declared a protected system. The country could go into a financial crisis if an attack were to take place on NSE's infra," Tandon said.
Who can access a protected system?
The IT Act authorises access to IT resources of these entities:
  • Designated employees
  • Authorised team members of contractual managed service providers
  • Third-party vendors who have been authorised by a team for need-based access
  • Any consultant, regulator, government official, auditor and stakeholder authorised by the entities on a case-to-case basis
  • According to cybercrime and privacy lawyer Prashant Mali, this notification means all ethical hackers, bug bounty hunters, or other hackers need to stay away from ICICI Bank, HDFC Bank, and NPCI servers or they would be prosecuted for cyber terrorism, which is a non-bailable offence.
    The need for securing critical infrastructure
    Mali also said that the provision of declaring critical infrastructure a protected system existed in law since 2009. However, given the higher number of cyber attacks on these infrastructures, the government is now getting into action to declare some of these protected systems.
    "I feel many more systems should be declared protected and national law enforcement agencies. When they initiate any kind of action against hackers, they should host their names and case details on public government websites for everyone to take note of. This is important to end the jungle-raj of these hackers in cyberspace," said Mali.
    Check out our in-depth Market Coverage, Business News & get real-time Stock Market Updates on CNBC-TV18. Also, Watch our channels CNBC-TV18, CNBC Awaaz and CNBC Bajar Live on-the-go!