BharatNotes What is Critical Infrastructure?
Critical infrastructure comprises the assets, systems and networks — whether physical or virtual — that are so vital to a country that their incapacitation or destruction would have a debilitating effect on national security, the economy, public health or safety. The concept covers both physical assets (power plants, dams, ports, hospitals) and the digital systems that run them. The digital subset is termed Critical Information Infrastructure (CII), which the Explanation to Section 70 of India's Information Technology Act, 2000 defines as a "computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety". Internationally, the United States identifies 16 critical infrastructure sectors under Presidential Policy Directive 21, coordinated by CISA.
India's Legal and Institutional Framework
| Provision/Body | Role |
|---|---|
| Section 70, IT Act 2000 | Government may declare any CII a "protected system"; unauthorised access punishable with imprisonment up to 10 years |
| Section 70A (2008 amendment) | Basis for NCIIPC — National Critical Information Infrastructure Protection Centre, notified 16 January 2014; a unit of NTRO (under the PMO); national nodal agency for CII protection |
| Section 70B | Basis for CERT-In (under MeitY, operational since 2004); national nodal agency for cyber-incident response; its 2022 Directions mandate reporting of cyber incidents within 6 hours |
| National Cyber Security Policy, 2013 | First overarching policy framework envisaging a secure cyber ecosystem |
NCIIPC has identified seven critical sectors: Power & Energy; Banking, Financial Services & Insurance (BFSI); Telecom; Transport; Government; Strategic & Public Enterprises; and Health.
Why It Matters
Attacks on critical infrastructure can cripple essential services without a single shot being fired, making it a preferred target of hostile states and cyber-criminal groups. India has faced significant incidents: the Kudankulam Nuclear Power Plant's administrative network was infected by the Dtrack malware (reported October 2019, attributed by researchers to the North Korea-linked Lazarus group), and the AIIMS Delhi ransomware attack (23 November 2022) paralysed hospital information systems for over two weeks, forcing a return to paper records. Recognising the financial sector's sensitivity, MeitY declared the IT resources of ICICI Bank, HDFC Bank and NPCI (which operates UPI) as Critical Information Infrastructure (notification of 16 June 2022).
Current Status (as of mid-2026)
Government measures include CERT-In's mandatory 6-hour incident-reporting regime (in force since June 2022), sectoral CERTs, regular security audits of critical-sector entities, NCIIPC advisories and exercises, and Cyber Crisis Management Plans for government and critical sectors. PIB releases (2025) report stepped-up CERT-In audits and protection measures across critical sectors amid a rising volume of attacks on Indian infrastructure.
UPSC Angle
For Prelims, remember: NCIIPC (Section 70A, under NTRO/PMO) protects CII, while CERT-In (Section 70B, under MeitY) handles incident response — a classic confusion pair — along with the seven NCIIPC critical sectors. For Mains GS3, link critical infrastructure protection to cyber security challenges, digital economy vulnerabilities (UPI, power grids), and use Kudankulam and AIIMS as case studies while discussing gaps such as legacy systems and the absence of an updated national cyber security strategy.
