Cyber vulnerabilities at the highest point in eight quarters, shows data

Medium risk and high-risk vulnerabilities have also been rising

One of the objectives of the IT division under the Central Electricity Authority (CEA) is to set up a Computer Security Incident Response Team (CSIRT). Given how attacks on utilities have been increasing, media reports suggest that the government may soon be moving towards this goal.

While the National Critical Information Infrastructure Protection Centre (NCIIPC) is the primary body that lays down guidelines for critical infrastructure, the CEA’s new team will coordinate with NCIIPC and CERT-In (Indian Computer Emergency Response Team) to strengthen cybersecurity.

A Business Standard analysis shows that India may be in dire need of this given how the vulnerabilities have been rising; the vulnerabilities were at the highest point in eight quarters.

Data released by NCIIPC shows that between September and November 2021, 4,629 vulnerabilities were reported, of which nearly 83.3 per cent were of the medium to high severity. Compared to a year ago, there was a 13 per cent rise in reported vulnerabilities (see chart 1).

While high-risk vulnerabilities were lower last year, the number of medium-risk vulnerabilities increased compared to September and November 2020.

The analysis shows that medium-risk vulnerabilities were at their second highest level in the last 12 quarters for which data is available (see chart 2). High-risk vulnerabilities had crossed the 900-mark for the fourth time since 2018.

India was ranked 10th in the Global Cybersecurity Index released by the International Telecommunication Union (ITU), which evaluates countries based on their frameworks on cybersecurity. A study by Comparitech had shown India to be one of the least safe countries, out of 60, when it came to cybersecurity.

A report by cybersecurity firm CloudSEK last year had found that 13 installations in India — the highest in the world — were vulnerable as they were using default credentials (see chart 3). India, meanwhile, is yet to announce its National Cybersecurity Strategy 2021.