BharatNotes Overview
Critical infrastructure -- the systems and assets so vital that their incapacitation would have a debilitating impact on national security, economy, public health, or safety -- has become a primary target in modern security threats. Cyber attacks on power grids, ransomware on hospitals, and satellite jamming represent a new frontier where traditional kinetic warfare converges with digital and space-based threats.
India's critical infrastructure spans power, telecom, banking, transport, defence, space, and water systems. The National Critical Information Infrastructure Protection Centre (NCIIPC), established under Section 70A of the Information Technology Act, 2000, is the nodal agency for protecting these assets. The alleged RedEcho cyber intrusion targeting India's power grid infrastructure in 2020 demonstrated the severity of this threat.
Space security has emerged as a contested domain. India's successful ASAT test (Mission Shakti, 27 March 2019) demonstrated its capability to defend space assets, while the establishment of the Defence Space Agency in 2019 signals India's recognition of space as a warfighting domain. Simultaneously, undersea cable vulnerabilities, drone threats, and electromagnetic pulse (EMP) risks represent emerging security challenges that transcend traditional categories.
Critical Infrastructure -- Definition and Sectors
Definition
| Framework | Definition |
|---|---|
| IT Act, 2000 (Section 70) | Critical Information Infrastructure (CII) means "those computer resources, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety" |
| NCIIPC | CII includes ICT resources that support critical sectors; their disruption can cascade across interconnected systems |
| Global perspective | Most countries define critical infrastructure to include physical and cyber assets essential for societal functioning |
Critical Sectors in India
| Sector | Examples of Critical Assets |
|---|---|
| Power and Energy | Power generation plants (thermal, nuclear, hydro), transmission grids, Regional Load Despatch Centres (RLDCs), oil and gas pipelines |
| Telecom | Telecom networks, internet backbone, submarine cable landing stations, data centres |
| Banking and Financial Services | Core banking systems, payment gateways (UPI, NEFT, RTGS), stock exchanges, insurance networks |
| Transport | Railways signalling systems, air traffic control, port management, highway toll systems |
| Defence | Military communication networks, command and control systems, defence manufacturing systems |
| Space | ISRO ground stations, satellite communication systems, GPS/NavIC infrastructure |
| Water | Water treatment plants, dam control systems, irrigation networks with SCADA systems |
| Government | e-Governance platforms, Aadhaar/UIDAI systems, DigiLocker, tax administration |
| Healthcare | Hospital management systems, medical device networks, telemedicine infrastructure |
NCIIPC -- National Critical Information Infrastructure Protection Centre
| Feature | Detail |
|---|---|
| Established | Gazette notification dated 16 January 2014 |
| Legal basis | Section 70A of the Information Technology Act, 2000 (amended 2008) |
| Nature | A unit of the National Technical Research Organisation (NTRO) |
| Reports to | Prime Minister's Office (PMO) through NTRO |
| Role | Designated as the National Nodal Agency for Critical Information Infrastructure Protection |
| Mandate | Identify CII, direct protective measures, oversee compliance, coordinate national-level incident response |
| Operations | Maintains a 24x7 Help Desk for incident reporting; issues advisories and alerts |
| Coordination | Works closely with CERT-In (Indian Computer Emergency Response Team) and sector-specific CERTs |
NCIIPC Functions
| Function | Detail |
|---|---|
| CII identification | Identifies and designates critical information infrastructure across sectors in consultation with sector regulators |
| Threat intelligence | Monitors cyber threats targeting CII; shares intelligence with relevant stakeholders |
| Vulnerability assessment | Conducts audits and assessments of CII systems |
| Incident response | Coordinates response to cyber incidents affecting CII in collaboration with CERT-In |
| Capacity building | Conducts training programmes, workshops, and cyber exercises for CII operators |
| Standards and guidelines | Issues guidelines for protection of CII; mandates security practices |
Related Cyber Security Bodies
| Body | Role |
|---|---|
| CERT-In | Indian Computer Emergency Response Team -- nodal agency for cyber security incident response (under MeitY) |
| NCIIPC | Specifically for Critical Information Infrastructure protection (under NTRO/PMO) |
| Defence Cyber Agency | Tri-service agency for military cyber operations |
| I4C | Indian Cyber Crime Coordination Centre (under MHA) -- coordinates cyber crime investigation |
| Sector CERTs | Sector-specific teams -- e.g., CERT-Fin (financial), RBI-CERT (banking) |
For Prelims: NCIIPC established 16 January 2014 under Section 70A of IT Act 2000; a unit of NTRO under PMO; nodal agency for CII protection. CERT-In is the nodal agency for general cyber security incident response under MeitY. CII defined as computer resources whose incapacitation would have debilitating impact on national security, economy, public health, or safety.
Threats to Critical Infrastructure
Cyber Attacks
| Threat Type | Detail |
|---|---|
| State-sponsored attacks | Nation-state actors targeting power grids, defence systems, and financial infrastructure for espionage, disruption, or coercion |
| Ransomware | Malware that encrypts systems and demands payment; AIIMS Delhi ransomware attack (November 2022) affected hospital operations for weeks |
| Supply chain attacks | Compromise of hardware or software supply chains to insert backdoors into critical systems |
| APT (Advanced Persistent Threats) | Long-term, stealthy intrusions into networks for espionage or pre-positioning for future attacks |
Mumbai Power Grid Incident (2020)
| Feature | Detail |
|---|---|
| Date | 12 October 2020 |
| Event | Massive power outage across Mumbai lasting over 10 hours; hospitals switched to generators, trains halted, stock exchange disrupted |
| Attribution | Cybersecurity firm Recorded Future identified a China-linked threat group RedEcho as having planted malware in Indian power sector systems |
| Targets identified | At least 10 Indian power sector companies and 2 seaports; 4 of 5 Regional Load Despatch Centres targeted |
| Dispute | Maharashtra's Energy Minister confirmed cyber attack; Central government attributed the outage to human error -- attribution remains contested |
| Significance | Demonstrated the vulnerability of India's power grid to state-sponsored cyber intrusions; highlighted the cyber-physical convergence threat |
Other Threats
| Threat | Detail |
|---|---|
| Insider threats | Employees or contractors with access to critical systems who misuse access -- intentionally or through negligence |
| Physical-cyber convergence | SCADA/ICS (Industrial Control Systems) controlling physical infrastructure (dams, power plants, water treatment) are increasingly connected to networks, creating cyber-physical attack vectors |
| Drone threats | Drones used for surveillance, payload delivery (explosives), or disruption of airports and military installations |
| EMP (Electromagnetic Pulse) | Nuclear or non-nuclear EMP devices can disable electronic systems across large areas; a catastrophic threat to all networked infrastructure |
Protection Framework
| Measure | Detail |
|---|---|
| Air-gapped networks | Critical systems isolated from the internet to prevent remote cyber attacks -- used in defence and nuclear infrastructure |
| Redundancy | Backup systems and alternative pathways to ensure continuity if primary systems are compromised |
| Zero Trust Architecture | Security model that assumes no user or system is trusted by default -- continuous verification required |
| Security audits | Regular vulnerability assessments and penetration testing of critical systems mandated by NCIIPC |
| Incident response plans | Pre-defined response protocols for cyber incidents affecting CII |
| Cyber exercises | NCIIPC and CERT-In conduct regular cyber drills simulating attacks on critical infrastructure |
| Sector-specific regulations | RBI cyber security framework for banks; SEBI guidelines for stock exchanges; TRAI security regulations for telecom |
Space Security
Space as a Contested Domain
| Feature | Detail |
|---|---|
| Dependence on space | Modern military operations, communications, navigation (GPS/NavIC), weather forecasting, and surveillance depend heavily on space-based assets |
| Contested domain | Space is no longer a sanctuary -- ASAT weapons, satellite jamming, and cyber attacks on ground stations threaten space assets |
| Space powers | USA, Russia, China, and India have demonstrated ASAT capabilities |
| Militarisation vs weaponisation | Militarisation (use of space for military support -- satellite reconnaissance, communication) is widespread; weaponisation (placing weapons in space or using weapons against space assets) is the emerging concern |
Mission Shakti -- India's ASAT Test (27 March 2019)
| Feature | Detail |
|---|---|
| Date | 27 March 2019 |
| Code name | Mission Shakti |
| Target | Microsat-R -- a 740 kg satellite launched by ISRO on 24 January 2019 specifically to serve as the target |
| Altitude | Target struck at approximately 283 km in Low Earth Orbit (LEO) |
| Weapon | Modified PDV Mk-II (ballistic missile defence interceptor) |
| Launch site | Integrated Test Range (ITR), Abdul Kalam Island (Wheeler Island), Odisha |
| Interception time | Target hit 168 seconds after launch |
| Significance | India became the 4th country (after USA, Russia, China) to successfully test an ASAT weapon |
| Space debris | Conducted at low altitude to ensure debris decayed rapidly; India argued minimal long-term debris generation |
| Announced by | Prime Minister Narendra Modi in a national address |
For Prelims: Mission Shakti -- 27 March 2019; target Microsat-R at 283 km altitude; weapon PDV Mk-II; India became 4th country with ASAT capability (after USA, Russia, China); launched from Abdul Kalam Island (ITR), Odisha.
Defence Space Agency (DSA)
| Feature | Detail |
|---|---|
| Established | 1 June 2019 |
| Nature | Tri-service agency of the Indian Armed Forces |
| Headquarters | Bengaluru |
| Composition | Military personnel from Army, Navy, and Air Force |
| Mandate | Protect Indian interests in outer space; develop space warfare strategy; deal with potential space conflicts |
| Functions | Space situational awareness, satellite operations for defence, space-based ISR (Intelligence, Surveillance, Reconnaissance), counter-space operations |
Outer Space Treaty, 1967
| Feature | Detail |
|---|---|
| Full name | Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies |
| Adopted | 1967; entered into force 10 October 1967 |
| Key provisions | (1) Space exploration is free for all nations; (2) No country can claim sovereignty over outer space or celestial bodies; (3) Nuclear weapons and WMDs prohibited in space; (4) Moon and celestial bodies used for peaceful purposes only; (5) States liable for damage caused by space objects |
| India | Signed March 1967; ratified 1982 |
| Limitation | Does not ban conventional weapons in space or ASAT tests -- this is the legal gap that allows ASAT weapons |
| Other space treaties | India has signed all 5 UN space treaties; ratified 4 (not ratified the Moon Agreement, 1979) |
Space Threats
| Threat | Detail |
|---|---|
| ASAT weapons | Kinetic kill vehicles (as tested by India, China, USA, Russia) that physically destroy satellites |
| Satellite jamming | Disrupting satellite signals (GPS, communication) through electronic interference |
| Satellite spoofing | Sending false signals to deceive GPS or communication receivers -- can misdirect navigation systems |
| Cyber attacks on ground stations | Hacking satellite control centres to commandeer or disable satellites |
| Space debris | Debris from ASAT tests and collisions threatens all operational satellites -- Kessler Syndrome (cascading collisions) is a long-term concern |
| GPS dependency | India's armed forces, aviation, shipping, and civilian navigation depend on GPS (USA) -- vulnerability if signals are jammed or spoofed; NavIC provides Indian alternative |
India's Space Situational Awareness
| Feature | Detail |
|---|---|
| Network for Space Objects Tracking and Analysis (NETRA) | ISRO project for monitoring space debris and protecting Indian space assets |
| ISTRAC | ISRO Telemetry, Tracking and Command Network -- tracks Indian satellites |
| NavIC | Indian Regional Navigation Satellite System -- India's indigenous alternative to GPS; 7 satellites providing navigation coverage over India and surrounding region |
| Significance | Reduces dependence on foreign navigation systems; ensures continuity during conflict |
International Space Governance and India's Position
Key International Frameworks
| Framework | Detail |
|---|---|
| Outer Space Treaty (1967) | Foundation treaty; prohibits WMDs in space; India ratified 1982 |
| Rescue Agreement (1968) | Mandates rescue and return of astronauts; return of space objects; India ratified |
| Liability Convention (1972) | Establishes liability for damage caused by space objects; launching state absolutely liable for ground damage; India ratified |
| Registration Convention (1976) | Requires registration of space objects with the UN; India ratified |
| Moon Agreement (1979) | Declares Moon and its resources as "common heritage of mankind"; India has not ratified (like most space powers) |
India's Position on Space Governance
| Feature | Detail |
|---|---|
| No First Placement | India supports the principle of no first placement of weapons in outer space |
| PAROS | India supports the Prevention of an Arms Race in Outer Space (PAROS) resolution at the UN |
| Artemis Accords | India signed the Artemis Accords in June 2023 -- US-led framework for cooperative lunar exploration |
| Space debris mitigation | India follows IADC Space Debris Mitigation Guidelines; Mission Shakti conducted at low altitude to minimise debris |
| Indian Space Policy 2023 | Liberalised space sector; IN-SPACe as regulatory body; encourages private sector participation |
Undersea Cable Vulnerability
| Feature | Detail |
|---|---|
| Scale | Over 95% of international data traffic passes through undersea fibre optic cables |
| India's dependence | India's internet connectivity, financial transactions, and communications heavily depend on submarine cables landing at Chennai, Mumbai, and Kochi |
| Threats | Sabotage (state or non-state actors cutting cables), natural damage (earthquakes, anchors, trawlers), and espionage (tapping cable traffic) |
| Examples | Multiple cable cuts have disrupted internet in regions worldwide; the Red Sea cable damage (2024) affected India-Europe connectivity |
| Protection | Cable landing stations are designated as critical infrastructure; monitoring through NCIIPC; redundancy through multiple cable routes |
Drone Threats to Critical Infrastructure
| Feature | Detail |
|---|---|
| Emerging threat | Drones (UAVs) used for surveillance, payload delivery (explosives, contraband), and disruption of sensitive installations |
| India-specific | Drone-based attacks on Jammu Air Force Station (June 2021) -- first such attack on a military installation in India |
| Airport disruption | Drone sightings near airports cause shutdowns -- Gatwick (UK, 2018) demonstrated the economic impact |
| Critical infrastructure | Power plants, refineries, military bases, nuclear installations, and ports all vulnerable |
| Counter-drone measures | Anti-drone systems (detection radar, jamming, directed energy), drone regulations (DGCA), and no-drone zones around critical infrastructure |
Cross-paper relevance
- GS3 — Internal Security (primary) — Critical infrastructure protection: NCIIPC, CIIEX 2024, power grid/banking/telecom/nuclear security, drone attack on Jammu AFB (2021)
- GS3 — Science-Technology — Space security: Mission Shakti ASAT test (2019), IN-SPACe, ISRO commercialisation, space debris ethics, space militarisation debate
- GS2 — Governance dimension: NCIIPC under NTRO, CERT-In 9,700 audits (2024-25), NCRF 2024, institutional framework for CII protection
- Essay — Recurring theme: "India in space — civilian and strategic dimensions" (2022); "Protecting the arteries of modern civilisation" (2021)
Recent Developments (2024–2026)
NCIIPC CIIEX 2024 and CERT-In Audits Scale-Up
In April 2024, NCIIPC organised the Critical Information Infrastructure Security Exercise (CIIEX 2024) for Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), and Chief Risk Officers (CROs) of all CII-designated entities — a hands-on cyber defence exercise simulating coordinated attacks on critical infrastructure. NCIIPC also released the National Cyber Security Reference Framework (NCRF 2024) — shared with over 100 critical sector entities — as an interim governance framework while India's comprehensive National Cyber Security Strategy remains under finalisation. Separately, CERT-In conducted over 9,700 cybersecurity audits across critical sectors in 2024-25, through 200 empanelled cybersecurity organisations, as stated by the Union Minister of State for Electronics and IT in July 2025. These audits represent a significant scaling-up of India's critical infrastructure audit regime.
UPSC angle: NCIIPC CIIEX 2024, NCRF 2024, and CERT-In's 9,700+ audits (2024-25) — are specific verified figures connecting institutional framework with operational capability for GS-III.
Undersea Cable Damage — Red Sea Crisis Impact on India (2024)
The Red Sea crisis (2024), driven by Houthi attacks on commercial shipping, caused damage to multiple submarine cables in the region, disrupting internet and data connectivity between Asia, Europe, and Africa. Several cables routing through the Red Sea were either damaged or rerouted, affecting India's data bandwidth, cloud connectivity, and financial transaction latency. This incident underscored the vulnerability of India's internet infrastructure to geopolitical crises in distant regions. India's three major cable landing stations (Mumbai, Chennai, Kochi) handle over 95% of India's international internet traffic, and their disruption would have cascading effects on banking, telecom, and e-governance systems. NCIIPC and CERT-In issued advisories to affected entities to activate backup routes and alternative capacity.
UPSC angle: Red Sea crisis undersea cable damage — submarine cable vulnerability, India's cable landing stations (Mumbai, Chennai, Kochi), NCIIPC response — directly tests the "undersea cable as critical infrastructure" dimension for GS-III.
ISRO Space Cybersecurity Training Initiative (2024–2025)
In a recognition of the growing cyber-physical threat to space infrastructure, India's National Security Council Secretariat (NSCS), ISRO, and Rashtriya Raksha University (RRU) jointly organised cybersecurity training for ISRO personnel in 2024. This initiative reflects growing awareness that ground stations, satellite control networks, and launch facilities face cyber threats from state-sponsored actors. India's NETRA (Network for Space Objects Tracking and Analysis) system continues to evolve for space situational awareness. In 2024, ISRO launched INSAT-3DS (February 2024, geostationary meteorological satellite) and advanced preparations for Gaganyaan (human spaceflight). The Defence Space Agency (DSA) has been working on Space Situational Awareness protocols for India's growing constellation of defence satellites.
India achieved a landmark capability milestone: PSLV-C60 / SpaDeX mission (Space Docking Experiment) successfully demonstrated in-orbit docking on 16 January 2025, making India the 4th country after USA, Russia, and China to achieve rendezvous and docking in space. This capability is essential for future space station operations, satellite servicing, and crew transfer missions — all with direct defence-space security implications.
UPSC angle: NSCS-ISRO-RRU cybersecurity training, space as a critical infrastructure domain, DSA Space Situational Awareness, and India's defence satellite protection measures — link space security with cybersecurity for GS-III.
India-Pakistan Drone Warfare and Critical Infrastructure Risk (May 2025)
The May 2025 India-Pakistan crisis (Operation Sindoor) demonstrated the real threat of drone attacks on critical infrastructure. Pakistan's response included drone and missile strikes targeting Amritsar, Jalandhar, Ludhiana, and Chandigarh — cities hosting key power, telecom, and military infrastructure. India deployed counter-drone systems (radar, jamming, directed energy) in a concerted counter-UAS (Unmanned Aerial System) response. The crisis exposed: (1) the need for hardened critical infrastructure against drone swarms; (2) the importance of air-gapped SCADA systems for power grids near border areas; (3) CISF and CRPF rapid-reaction protocols for protecting industrial installations under air threat. Post-crisis reviews have led to accelerated deployment of counter-drone systems at airports, power plants, and defence installations.
UPSC angle: Drone attacks on critical infrastructure during Operation Sindoor — counter-UAS systems, SCADA air-gapping, CISF rapid reaction — are cutting-edge security developments linking space/tech security with internal security for GS-III.
Key Terms for Quick Revision
| Term | Meaning |
|---|---|
| CII | Critical Information Infrastructure -- IT Act definition: computer resources whose incapacitation has debilitating impact on national security/economy/safety |
| NCIIPC | National Critical Information Infrastructure Protection Centre -- under NTRO/PMO; Section 70A IT Act; established 16 January 2014 |
| CERT-In | Indian Computer Emergency Response Team -- nodal agency for cyber security under MeitY |
| RedEcho | China-linked threat group attributed with targeting India's power grid infrastructure (2020) |
| Mission Shakti | India's ASAT test -- 27 March 2019; target Microsat-R at 283 km; PDV Mk-II; India 4th ASAT nation |
| DSA | Defence Space Agency -- tri-service; established 1 June 2019; HQ Bengaluru |
| Outer Space Treaty | 1967; prohibits WMDs in space; peaceful use of celestial bodies; India signed 1967, ratified 1982 |
| NavIC | Indian Regional Navigation Satellite System -- indigenous GPS alternative; 7 satellites |
| NETRA | ISRO project for space situational awareness and debris tracking |
| SpaDeX | Space Docking Experiment — PSLV-C60; India achieved in-orbit docking 16 January 2025; India 4th country (after USA, Russia, China) to demonstrate this capability |
| Kessler Syndrome | Cascading collisions in orbit creating ever-more debris -- makes space increasingly unusable |
| SCADA | Supervisory Control and Data Acquisition -- systems controlling physical infrastructure (power, water, dams) |
| EMP | Electromagnetic Pulse -- can disable electronic systems across large areas |
Exam Strategy
For Mains Answer Writing: Critical infrastructure and space security questions require you to demonstrate understanding of the convergence of cyber and physical threats. For CII protection, discuss the NCIIPC framework, the Mumbai 2020 power grid incident as a case study, and the need for public-private partnership (most critical infrastructure is privately operated). For space security, trace India's journey: Mission Shakti (2019) to DSA (2019) to the broader space threat landscape. Discuss the gap in the Outer Space Treaty (no ban on conventional weapons/ASAT) and the need for a new space governance framework. Connect emerging threats -- drones, undersea cables, EMP -- to the evolving nature of warfare.
For Prelims: NCIIPC (Section 70A IT Act, under NTRO/PMO, established 2014); CERT-In (under MeitY); Mission Shakti (27 March 2019, Microsat-R, 283 km, PDV Mk-II, 4th ASAT nation); DSA (1 June 2019, Bengaluru, tri-service); Outer Space Treaty 1967 (prohibits WMDs in space, India ratified 1982); NavIC (7 satellites, Indian GPS alternative); CII definition (IT Act Section 70); Jammu Air Force drone attack (June 2021).
Vocabulary
Key Terms
Kinetic Kill Vehicle
- Definition: A Kinetic Kill Vehicle (KKV) is a guided "hit-to-kill" interceptor that destroys a target — a ballistic missile warhead, re-entry vehicle or satellite — purely through the energy of a high-speed physical collision, carrying no explosive warhead. It homes onto and rams the target using onboard seekers and small thrusters, relying on kinetic energy alone for destruction.
- Context: KKVs are the lethal payload of modern exo-atmospheric (above-atmosphere) missile defence and anti-satellite (ASAT) systems, where closing speeds run to several kilometres per second so that impact alone shatters the target. They are central to systems such as the US Exoatmospheric Kill Vehicle (EKV) and India's PDV Mk-II interceptor. India demonstrated indigenous KKV technology on 27 March 2019 in Mission Shakti, when a DRDO PDV Mk-II struck the Microsat-R satellite at roughly 300 km altitude, making India the fourth nation after the US, Russia and China to demonstrate an ASAT capability.
- UPSC Relevance: For GS Paper 3 (Science & Technology, Defence and Internal Security), KKVs link the themes of missile defence, ASAT weapons, space security and indigenous defence R&D (DRDO). This is a foundational concept that underpins questions on India's Ballistic Missile Defence programme, Mission Shakti, and the militarisation of space. Prelims can test the "hit-to-kill" principle (no warhead, kinetic destruction) and Mains can probe the strategic, debris and arms-control implications of India's 2019 ASAT test. No verified UPSC PYQ exists for this exact term, so candidates should treat it as supporting knowledge for the wider space-and-defence question family.
Critical Infrastructure
- Definition: Critical infrastructure refers to those assets, systems and networks — physical or virtual — so vital to a nation that their incapacitation or destruction would have a debilitating impact on national security, the economy, public health or safety. In India, its digital subset, Critical Information Infrastructure (CII), is defined in the Explanation to Section 70 of the IT Act, 2000 as a "computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety".
- Context: As economies digitise, sectors such as power grids, banking, telecom, transport and healthcare have become prime targets for cyberattacks, including state-sponsored ones. India responded by inserting Sections 70A and 70B into the IT Act (2008 amendment), creating the NCIIPC (notified 16 January 2014, under NTRO) as the nodal agency for protecting Critical Information Infrastructure, with CERT-In handling broader cyber-incident response. Incidents like the Kudankulam nuclear plant malware infection (2019) and the AIIMS Delhi ransomware attack (November 2022) have made critical infrastructure protection a core national security concern.
- UPSC Relevance: This is a foundational GS3 concept under internal security ("basics of cyber security") and underpins questions on cyber security architecture, NCIIPC/CERT-In, the IT Act, and security challenges to India's digital economy. In Prelims, UPSC tests institutional facts — which body protects CII, its parent organisation (NTRO), and the critical sectors identified. In Mains, it appears through questions on cyber threats to critical infrastructure, India's preparedness, and the cyber-security framework; the AIIMS and Kudankulam attacks serve as ready case studies.
Critical Information Infrastructure
- Definition: Critical Information Infrastructure (CII) is defined in the Information Technology Act, 2000 (Explanation to Section 70) as a computer resource the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.
- Context: CII covers the digital backbone of essential services such as power grids, banking and financial systems, telecom, transport and government networks, where a cyberattack could cascade into national-level disruption. India's framework rests on Section 70 of the IT Act, 2000 (which lets the appropriate Government declare CII-linked computer resources as "protected systems") and Section 70A (inserted by the 2008 amendment), which mandates a national nodal agency. That agency is the National Critical Information Infrastructure Protection Centre (NCIIPC), set up by gazette notification on 16 January 2014 as a unit of the National Technical Research Organisation (NTRO).
- UPSC Relevance: This is a foundational GS3 (internal security / cyber security) concept that underpins questions on cyber threats to national security, protection of critical infrastructure, and the institutional architecture of Indian cybersecurity (NCIIPC, CERT-In, NTRO). For Prelims, aspirants should know the defining statute (IT Act, 2000), the relevant sections (70 and 70A), the nodal agency (NCIIPC) and its parent body (NTRO). For Mains, it links to debates on cyber resilience, public-private cooperation in security, and gaps in India's cyber defence — and pairs naturally with CERT-In, the National Cyber Security Policy and data-protection law. No verified UPSC PYQ exists for this exact term; treat it as a high-yield concept rather than citing a specific past question.
