Cybersecurity has become a critical issue worldwide, and India’s PSUs are not exempt from this evolving threat landscape. Bhavya Bagga from CXO News and APAC News Network sheds light on the cybersecurity challenges faced by the PSUs and the tactics to mitigate them:
PSUs play a crucial role in the Indian economy by providing essential services to the citizens, creating employment opportunities, and contributing to infrastructure development. They are significant for the country’s economic development as they encourage private investment, promote exports, and allow the government to intervene directly or indirectly in the economy to achieve socio-economic objectives. However, many of these PSUs spanning sectors like power, oil and gas, transportation, and defense, are often vulnerable to cybersecurity challenges for various reasons.
The Current Cybersecurity Landscape in Indian PSUs
These challenges range from significant cybersecurity risks due to technological vulnerabilities, human resource limitations, and their critical role in national infrastructure.
The increasing digitization of these entities exposes them to cyber threats arising from potential IT infrastructure weaknesses. Inadequate cybersecurity training among employees further exacerbates these risks by increasing the likelihood of unintentional breaches. Additionally, the interconnected nature of PSUs amplifies their vulnerability, as cybercriminals can exploit weaknesses across their networks.
Given their essential role in the economy and infrastructure, these vulnerabilities make PSUs prime targets for cyber attacks aimed at disrupting services and causing economic disruption. This underscores the urgent need for comprehensive cybersecurity measures to protect these crucial entities.
Supply chain vulnerabilities
The supply chain vulnerabilities in PSUs pose a significant threat due to weaknesses in software or hardware components used by governments and businesses.
The global cyberattack on SolarWinds in December 2020, which impacted Indian organizations like the National Informatics Centre (NIC) and the Ministry of Electronics and Information Technology (MeitY), exemplifies the potential risks faced by PSUs in India.
“Analysis suggests that by managing the intrusion through multiple servers based in the United States and mimicking legitimate network traffic, the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies, and the federal government,” commented SolarWinds in its analysis of the attack.
Cyber threats target digital transfers, making supply chains a key focus for attackers. In the PSU sector, software supply chain attacks occur when hackers infiltrate a software vendor’s network to insert harmful code into the software provided to customers. This compromises the data and systems of those customers. The goal of these attacks is to exploit weaknesses in an organization’s digital supply chain through its software or service providers, ultimately allowing attackers to breach the organization’s systems.
Skill Gap
One of the most pressing issues faced by these organizations is the acute shortage of skilled cybersecurity professionals in India. This shortage is particularly severe in the public sector, where the demand for cybersecurity expertise far exceeds the available supply.
Subhash Chand, Chief Information Security Officer (CISO), ICAR-Indian Agricultural Statistics Research Institute said on managing the gap in the workforce from the relevant skill set, “Skillset is a big challenge in PSU. The technology providers come with their own skill sets and we adopt the technology but the gap comes when we adopt the tech without relevant skill sets. When we transform our systems because we buy the technology we can’t implement it. Skillset is the major challenge that every organization tries to cover. The technology has its competency, so it must be implemented accurately. We put our best efforts and also outsource the skillset to balance the challenges.”
This skill gap leaves many PSUs vulnerable, as they lack the necessary workers to effectively defend against and respond to cyber threats. The shortage is attributed to a combination of technical and social factors, including inadequate training programs, limited awareness of cybersecurity careers, and a lack of incentives to attract talent to the public sector.
- Legacy Systems
Another significant challenge is the reliance on legacy systems, particularly in sectors like power where Operational Technology (OT) systems are critical. Legacy systems and supply chain vulnerabilities pose significant hurdles in the cybersecurity efforts of PSUs.
Salman Mahmmood, Dy. General Manager (General), Food Corporation of India said, “PSUs deal with critical government data so we have to ensure security. We have to be mindful of the scripted data, transcription, and data security. First, we need to define the objective, then pick the data, and then quantum the data that needs to be migrated. With technology evolving day by day, the risks can also be resolved quickly.”
The power sector, in particular, faces unique challenges because many of its OT systems are outdated yet essential for operations.
In a conversation with APAC News Network, Ashish Goel, Deputy General Manager (IT) at CSIRT-Power, emphasized that securing these OT systems is a major concern, as they are more susceptible to attacks than modern IT systems. External attackers are becoming increasingly adept at exploiting these vulnerabilities, making it clear that PSUs need to focus not only on prevention but also on resilience and recovery. “The major challenge in the power industry is securing OT systems, which have a longer lifespan than IT systems but are more vulnerable to attacks,” said Ashish Goel DGM (IT), CSIRT-Power.
Enhancing Cybersecurity in India’s Public Sector
India’s Public Sector Undertakings (PSUs) are at a critical juncture as they face escalating cybersecurity threats in an increasingly digital landscape. To combat these challenges, a comprehensive approach is essential, one that blends modernization, technology, and workforce development.
Legacy systems are now potential weak points in their cybersecurity defenses. A phased modernization of these outdated systems is crucial, emphasizing integrating security measures from the design stage. This proactive approach will help mitigate vulnerabilities that could be exploited by cybercriminals.
The adoption of advanced cybersecurity technologies is equally important. AI-based threat detection and machine learning for predictive analysis can play a significant role in identifying and neutralizing threats before they cause damage. Blockchain technology, known for its secure data handling capabilities, could also be a game-changer in safeguarding sensitive information.
Operational technology (OT) networks, particularly in sectors like power, need special attention. These systems are often more vulnerable due to their long lifespans and require strong protection measures to prevent potential breaches that could have widespread consequences.
To bridge the existing skill gap in cybersecurity, PSUs must invest in continuous training and development programs for their workforce. Collaboration with academic institutions and private sector experts can further enhance their ability to stay ahead of emerging threats.
- The Need for Skilled Manpower and Modernization
The shortage of skilled manpower increases the vulnerabilities associated with legacy systems. Without a strong workforce of cybersecurity experts, PSUs struggle to maintain, update, and secure these critical systems. In addition to addressing the manpower shortage, there is a pressing need for the modernization of IT and OT systems across PSUs.
Modernizing these systems would involve not only upgrading hardware and software but also implementing best practices in cybersecurity, such as regular quality checks, data governance, and the adoption of international standards. This would help PSUs to better defend against the evolving cyber threats they face and reduce their overall risk.
• Legal and Regulatory Frameworks: Building a Resilient Cybersecurity Infrastructure
It is important to have a strong legal and regulatory framework for improving cybersecurity within India’s PSUs. There is a need for strong procedural cybersecurity laws that can effectively prevent, investigate, and respond to cybercrimes targeting the public sector. Such laws are essential for creating a legal environment that supports cybersecurity resilience and ensures that PSUs have the necessary tools to combat cyber threats.
India’s government has been actively working on developing and implementing cybersecurity laws, but there is still much work to be done. A comprehensive legal framework, combined with effective enforcement, is crucial for enhancing the cybersecurity posture of India’s PSUs.
A Path Forward for Cybersecurity in Indian PSUs
India’s public sector undertakings (PSUs) face complex cybersecurity challenges involving manpower, technology, and legal issues. To address these, the government, private sector, and educational institutions must work together. By building a skilled workforce, updating outdated systems, and improving legal frameworks, India can strengthen the cybersecurity of its PSUs.
Bhavya Bagga, APAC News Network
Discussion about this post