The recent report in the New York Times that China had brought India's financial capital, Mumbai, to a halt by hacking the electricity supply grid has not come as a surprise to chief technology officers (CTOs) and cyber security experts. Indian companies, including critical infrastructure providers such as power grids, ports and radar systems, lack the IT infrastructure to withstand intrusions by hostile state actors such as China and North Korea, security experts warn.
Last week, the United States government warned of yet another breach of critical systems, this one tied to Microsoft Exchange email servers, which Microsoft has blamed on China. The breach has affected thousands of organisations in the US; its impact on India is still unknown. Microsoft said the China-based group Hafnium had tried to steal information from organisations such as infectious disease researchers, law firms, higher education institutions and defence contractors. Similar attacks on Indian vaccine firms were reported before the US announced the breach.
In India, there has been an alarming 210 per cent year-on-year increase in cyberattacks targeting Indian companies and a 250 per cent increase in attacks targeting Indian government agencies and other critical infrastructure, according to CYFIRMA, a threat discovery and cyber intelligence company.
Chris DiGiamo, principal security architect at security firm Mandiant, said all Indian companies must first isolate their internet-facing systems and closely monitor application logs to identify anomalous activity. In addition to applying patches as soon as they are available, experts recommend that organisations also review their systems for evidence of exploitation that may have occurred before the patches were deployed: a patch closes the entry point but does not remove web shells, accounts or credentials an attacker has already planted.
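The retrospective review the experts recommend can be started from the web server's own access logs, as in the added example below. It is illustrative code written for this article, not Mandiant's or CYFIRMA's tooling, and it generalises the advice to any internet-facing web application: every request to a server-side script that is not in a baseline of known application files is collected, and each such path is reported with its first and last sighting relative to a hypothetical patch time, so that activity that predates the patch, and persistence that outlived it, both stand out. The log lines, the `KNOWN_SCRIPTS` baseline, the `PATCH_TIME` value and the path names are all constructed for the example.

```python
"""Retrospective hunt over web-server access logs for activity that predates a patch.

Added example, not code from the article or from the firms it quotes. The log
format, baseline and patch time below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Server-side script extensions whose unexpected appearance is worth a look.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")

# Hypothetical baseline: scripts the application is known to serve. Build it
# from a clean install or a pre-incident backup, never from the logs under review.
KNOWN_SCRIPTS = frozenset({
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
})

# Hypothetical moment the fix was deployed; the hunt window is everything before it.
PATCH_TIME = datetime(2021, 3, 5, 0, 0, 0)

# Constructed sample log. Fields: date time method path status client-ip user-agent.
SAMPLE_LOG = """\
2021-03-01 08:02:11 GET /owa/auth/logon.aspx 200 10.1.4.22 Mozilla/5.0
2021-03-01 08:02:15 POST /owa/auth.owa 302 10.1.4.22 Mozilla/5.0
2021-03-02 23:41:03 POST /owa/auth/x9kq.aspx 200 203.0.113.7 python-requests/2.25
2021-03-02 23:41:09 POST /owa/auth/x9kq.aspx 200 203.0.113.7 python-requests/2.25
2021-03-03 09:10:44 GET /ecp/default.aspx 200 10.1.4.31 Mozilla/5.0
2021-03-04 12:00:00 GET /owa/auth/logon.aspx 200 10.1.4.22 Mozilla/5.0
2021-03-06 07:15:30 POST /owa/auth/x9kq.aspx 200 198.51.100.9 curl/7.68
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    method: str
    path: str
    status: int
    client: str
    agent: str


def parse_log(text: str) -> list[Event]:
    """Parse the simplified W3C-style lines above into Event records."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, method, path, status, client, agent = line.split(maxsplit=6)
        # Drop the query string and normalise case so baseline comparison is exact.
        clean_path = path.split("?", 1)[0].lower()
        events.append(Event(datetime.fromisoformat(f"{date} {time}"),
                            method, clean_path, int(status), client, agent))
    return events


@dataclass
class Finding:
    path: str
    first_seen: datetime
    last_seen: datetime
    hits: int = 0
    clients: set[str] = field(default_factory=set)
    methods: set[str] = field(default_factory=set)

    def pre_patch(self, patch_time: datetime) -> bool:
        """True if the unknown script was already in use before the fix went in."""
        return self.first_seen < patch_time

    def survived_patch(self, patch_time: datetime) -> bool:
        """True if the unknown script was still being hit after the fix went in."""
        return self.last_seen >= patch_time


def hunt(events: list[Event], known: frozenset[str], patch_time: datetime) -> dict[str, Finding]:
    """Collect every request to a server-side script that is not in the baseline."""
    findings: dict[str, Finding] = {}
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.path.endswith(SCRIPT_SUFFIXES) or ev.path in known:
            continue
        f = findings.get(ev.path)
        if f is None:
            f = findings[ev.path] = Finding(ev.path, ev.when, ev.when)
        f.last_seen = ev.when
        f.hits += 1
        f.clients.add(ev.client)
        f.methods.add(ev.method)
    return findings


def summarise(findings: dict[str, Finding], patch_time: datetime) -> list[str]:
    """One report line per unknown script, flagging pre-patch use and post-patch persistence."""
    lines = []
    for f in findings.values():
        tags = []
        if f.pre_patch(patch_time):
            tags.append("PRE-PATCH")
        if f.survived_patch(patch_time):
            tags.append("SURVIVED-PATCH")
        lines.append(f"{f.path} hits={f.hits} first={f.first_seen:%Y-%m-%d %H:%M:%S} "
                     f"clients={sorted(f.clients)} methods={sorted(f.methods)} {' '.join(tags)}")
    return lines


if __name__ == "__main__":
    for line in summarise(hunt(parse_log(SAMPLE_LOG), KNOWN_SCRIPTS, PATCH_TIME), PATCH_TIME):
        print(line)
```

The point of the baseline is that the same logs cannot serve as their own reference: a script that an attacker dropped on day one looks "normal" by day thirty. Take the list of legitimate files from a clean build or a pre-incident backup, and treat any flagged path that is still receiving requests after the patch as evidence that the attacker kept access rather than as a closed incident.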
Critical infrastructure providers such as airlines, ports and civilian radar systems, along with defence companies, are the usual targets of cyberattacks. The attacks have increased manifold since the lockdown was announced last year, mainly because of the shift to a work-from-home workforce, a massive spike in digital transactions, geopolitical tensions, and low cybersecurity maturity among businesses.
While Indian companies said they are ready for any attacks, security experts are not convinced. Airlines such as Air India said they are aware of the cyber threats prevalent in India and are following industry-standard precautions to ensure the safety and security of their IT infrastructure. "Air India is in regular touch with the regulatory authorities of India like CERT-In and the National Critical Information Infrastructure Protection Centre and is adhering to all the guidelines provided by them to us," said an Air India spokesperson.
Experts said that, based on their research, state-sponsored and financially motivated hackers are particularly keen on Indian government agencies and Indian power, electricity and port companies. "Our research showed the suspected threat actors were mainly sponsored by China, Pakistan and North Korea. The hackers' objectives were centred on smearing India's reputation, causing productivity loss, creating operational damage and seeking financial gains," said Kumar Ritesh, founder and CEO of CYFIRMA.
Since India also lacks a cohesive nationwide cyber strategy, with supporting policies and procedures, hackers exploit this gap to break into systems. Experts said regulations around data privacy, protection and penalties should be enacted and enforced, as these measures will push businesses to evaluate their cybersecurity posture and seek ways to improve it. Currently, incident reporting is not mandatory. "By making it compulsory, there will be a body of research data that can provide insights on threats to India and inform the government on strategies it can undertake to strengthen the nation's cyber posture," said Ritesh.
CTOs said they have been taking additional measures since the lockdown to keep their systems safe. "We have invested in world-class systems to prevent hacking. In the past, we have noticed that container traffic was disrupted by hacking but we managed to get the system back on track within hours," said the CTO of a port company, requesting anonymity.
But the problem does not end with the large companies; many mid-tier companies have weak cybersecurity infrastructure, and a compromise there can reach the supply chains of the big companies they serve. Businesses take a traditional approach to IT projects in which resources are focused on building the digital systems and cybersecurity requirements are relegated to an afterthought. This presents profound challenges, as action is frequently taken only after a data breach or cyberattack has occurred. The situation is compounded by the fact that over 46 per cent of commercial businesses are operating on legacy systems.
“These are aged technologies, which are no longer supported by their vendors, and they present cybersecurity gaps, loopholes and vulnerabilities that hackers can exploit to gain entry to corporate networks,” said Ritesh.
To prevent such attacks, experts said, India requires a holistic approach involving the government, police and businesses. "The utility sector and the PSUs in general need to get into deploying the latest technology to deal with these threats. The confluence of operational technology and the information technology systems is important to get visibility to tackle such attacks," said a security expert on condition of anonymity.
Additional reporting by Aneesh Phadnis and Shivani Shinde