National Critical Information Infrastructure Protection Centre

National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under Section 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification on 16 January 2014.^[1]^[2]^[3] Based in New Delhi, India, it is designated as the National Nodal Agency in terms of Critical Information Infrastructure Protection.^[4] It is a unit of the National Technical Research Organisation (NTRO) and therefore comes under the Prime Minister's Office (PMO).^[5]

Critical Information Infrastructure

The Information Technology Act, 2000 defines Critical Information Infrastructure (CII) as “… those computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety".^[2]

NCIIPC has broadly identified the following as ‘Critical Sectors’ :-

Power & Energy
Banking, Financial Services & Insurance
Telecom
Transport
Government
Strategic & Public Enterprises

Information Security Practices and Procedures for Protected System Rules, 2018 ^[6]^[7]

Vision

"To facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation."^[8]

Mission

"To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information security awareness among all stakeholders. " ^[8]

Functions and Duties

National nodal agency for all measures to protect the nation's critical information infrastructure.
Protect and deliver advice that aims to reduce the vulnerabilities of critical information infrastructure, against cyber terrorism, cyber warfare and other threats.
Identification of all critical information infrastructure elements for approval by the appropriate Government for notifying the same.
Provide strategic leadership and coherence across Government to respond to cyber security threats against the identified critical information infrastructure.
Coordinate, share, monitor, collect, analyze and forecast, national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts. The basic responsibility for protecting CII system shall lie with the agency running that CII.
Assisting in the development of appropriate plans, adoption of standards, sharing of best practices and refinement of procurement processes in respect of protection of Critical Information Infrastructure.
Evolving protection strategies, policies, vulnerability assessment and auditing methodologies and plans for their dissemination and implementation for protection of Critical Information Infrastructure.
Undertaking research and development and allied activities, providing funding (including grants-in-aid) for creating, collaborating and development of innovative future technology for developing and enabling the growth of skills, working closely with wider public sector industries, academia et al. and with international partners for protection of Critical Information Infrastructure.
Developing or organising training and awareness programs as also nurturing and developing of audit and certification agencies for protection of Critical Information Infrastructure.
Developing and executing national and international cooperation strategies for protection of Critical Information Infrastructure.
Issuing guidelines, advisories and vulnerability or audit notes etc. relating to protection of critical information infrastructure and practices, procedures, prevention and response in consultation with the stakeholders, in close coordination with Indian Computer Emergency Response Team and other organisations working in the field or related fields.
Exchanging cyber incidents and other information relating to attacks and vulnerabilities with Indian Computer Emergency Response Team and other concerned organisations in the field.
In the event of any threat to critical information infrastructure, the National Critical Information Infrastructure Protection Centre may call for information and give directions to the critical sectors or persons serving or having a critical impact on Critical Information Infrastructure.

Operations

NCIIPC maintains a 24x7 Help Desk to facilitate reporting of incidents. Toll Free No. 1800-11-4430.
Issues advisories or alerts and provide guidance and expertise-sharing in addressing the threats/vulnerabilities for protection of CII.
In the event of a likely/actual national-level threat, it plays a pivotal role to coordinate the response of the various CII stakeholders in close cooperation with CERT-India.

Programs

NCIIPC runs a number of programs to engage with its stakeholders. Some of them are as follows:

Responsible Vulnerability Disclosure Program (RVDP)
Incident Response (IR)
Malware Reporting
Internship Courses
Research Scholars, etc.

Initiatives

Some of the major NCIIPC initiatives are as follows:

Incident Response and Responsible Vulnerability Disclosure program- NCIIPC runs these programs for reporting any Vulnerability in Critical Information Infrastructures.
PPP for Training- Identification of PPP entities for partnership and formulation of training requirements and guidelines for conducting training for all stakeholders.
CII Range to simulate real world threat– IT and OT simulations for critical sectors to test the defense of CII.
Cyber Security Preparedness Survey, Risk Assessment, Audit, review and Compliance.
Interns, Research Scholars & Cyber Security professionals- NCIIPC Internship program (both Full-time and Part-time) is available throughout the year.

NCIIPC Newsletter

NCIIPC releases its quarterly newsletter encompassing latest developments in the field of Critical Information Infrastructure (CII) and its protection along with various initiatives taken by NCIIPC to spread awareness and best practices and much more.

April 2024
January 2024
October 2023
July 2023
April 2023
January 2023
October 2022
July 2022
April 2022
January 2022
October 2021
July 2021
April 2021
January 2021
October 2020
July 2020
April 2020
January 2020
October 2019
July 2019
April 2019
January 2019
October 2018
July 2018
April 2018
January 2018
October 2017
July 2017
April 2017
January 2017

NCIIPC Guidelines

NCIIPC releases SOPs and Guidelines for CISOs, CII Organisations and others to enhance the cybersecurity defence posture. Below are the copies:

Cyber Security Audit : Baseline Requirements
NCIIPC COVID-19 Guidelines
SOP : Public-Private-Partnership
Guidelines for Identification of CII
Rules for the Information Security Practices and Procedures for Protected System
National Cyber Security Policy, 2013
Roles and Responsibilities of CISOs
Guidelines for Protection of CII
Evaluating Cyber Security in CII
SOP : Incident Response
SOP : Audit of CII/Protected Systems

References

^ "Archived copy" (PDF). Archived from the original (PDF) on 19 January 2017. Retrieved 4 January 2017.{{cite web}}: CS1 maint: archived copy as title (link)
^ a b "The Information Technology ACT" (PDF). 2008. Archived from the original (PDF) on 3 January 2017. Retrieved 3 January 2017.
^ "Archived copy" (PDF). Archived from the original (PDF) on 25 January 2017. Retrieved 2 January 2017.{{cite web}}: CS1 maint: archived copy as title (link)
^ "NCIIPC: It's Time to Step Forward And Protect Our Critical Infrastructures from Cyber Attacks".
^ "Guidelines for Identification of Critical Information Infrastructure" (PDF). Archived from the original (PDF) on 13 May 2020. Retrieved 21 July 2020.
^ "Archived copy" (PDF). Archived from the original (PDF) on 2 September 2018. Retrieved 22 October 2018.{{cite web}}: CS1 maint: archived copy as title (link)
^ "The NCIIPC & Its Evolving Framework - Digital Policy Portal". www.digitalpolicy.org.
^ a b NCIIPC. "National Critical Information Infrastructure Protection Centre". Nciipc.gov.in. Retrieved 19 July 2018.

External links

Official website