Experts call for stronger security of critical information infrastructure against IoT and AI risks

India’s critical information infrastructure faces rising cyber threats, with experts calling for trusted IoT devices, AI governance and closer industry–government collaboration across power, finance, mobility and health systems.

India’s critical information infrastructure (CII), spanning power grids, financial networks, transport systems and health services, is seen as increasingly vulnerable to cyberattacks, with experts warning that even small disruptions could trigger cascading effects on citizens and the economy.

“Any disruption in power has domino effects on communications, highways, mobile networks and other critical services,” said Col Pradeep Bhat (Retd), who earlier served at the National Critical Information Infrastructure Protection Centre (NCIIPC), the apex body responsible for securing vital cyber assets. Pointing to attacks on power systems during the Russia–Ukraine conflict, he stressed that India must address these threats with urgency, adopting a proactive rather than reactive posture.

Adding to this, Arun Goyal, former member of the Central Regulatory Commission (CERC), noted that India’s integration of renewable energy, distributed generation and smart grids has increased complexity in maintaining operational stability. He said that maintaining grid frequency now relies on “sophisticated demand-side management, smart meters and time-of-day metering,” underscoring the need to secure the more than 25 million smart meters deployed nationwide.

Experts who participated in the roundtable discussion organised by IndiaTech.org and APCO on securing critical information infrastructure emphasised that the risks are not confined to energy. K Subramaniam, Director General, Comptroller and Auditor General of India (CAG), noted that the growing deployment of Internet of Things (IoT) devices and software in public services introduces new vulnerabilities. “IoT devices, software systems and supply chains must be rigorously verified to prevent exploitation or operational failures,” he said, linking infrastructure reliability directly to cybersecurity assurance.

Concurring with this, Amit Rao, Vice President at Device Authority and the founding member of IoT Security Foundation’s Bangalore Chapter, pointed out that the diversity and complexity of IoT devices create systemic risks. “OEMs require clear baseline guidance from the government to meet security objectives. Multiple agencies working independently is positive, but harmonisation is essential,” he added.

Some initiatives are attempting to fill that gap. The IoT Security System and the National Trust Centre offer lifecycle oversight, from vendor registration through to device decommissioning. Swati Samaddar, head of government affairs at CP Plus, a major home-grown manufacturer of security and surveillance equipment, noted that these frameworks “ensure minimum security standards while promoting domestic and manufacturing in critical technology sectors.”

Still, experts say the regulatory balance is delicate. Excessive requirements risk making Indian products globally uncompetitive. “If we impose Level 4 standards when the market is at Level 1 or 2, products risk becoming uncompetitive internationally,” said Jitender Sandhu, country manager for India and ASEAN at Telit Cinterion.

To offset that risk, complementary measures such as the Production Linked Incentive (PLI) scheme, domestic intellectual property promotion and partnerships with countries like Japan, Korea and Taiwan must be encouraged, Sandhu added.

Procurement and trust

Procurement has emerged as a frontline tool in securing India’s critical infrastructure. Experts say the way devices and services are purchased, verified and monitored can determine whether vulnerabilities creep into the system.

Centralised vendor registries are being developed to track supplier credentials, certifications, contract performance and ethical practices. “By reducing reliance on fragmented systems, centralised registries enable more secure procurement decisions,” said Prashant Kumar Mittal, Deputy Director General, National Informatics Centre. Linking procurement directly to digital trust, Mittal argued that registries can strengthen resilience across power, health, telecom and financial services.

Verification, however, must go beyond paperwork. Col Amitabh Bhardwaj (Retd), project consultant at IITM Pravartak Technologies Foundation, explained that protocols should assess both hardware and embedded software, including hidden or latent functionalities that could later be exploited. Without lifecycle oversight, experts warn, even certified devices can become weak links.

The risks extend to the open tender process. Depending solely on lowest-cost bids may leave systems exposed to foreign intellectual property or unverified suppliers. Procurement policy, therefore, is being reframed as a strategic lever in governance.

Industry voices also stress the role of procurement in supporting domestic innovation. Rao of Device Authority noted that many early-stage innovators abandon projects due to lack of market assurance or predefined procurement support. Experts argue that frameworks combining trusted vendor systems with predictable demand signals are essential to avoid technology gaps.

Kamal Kumar Agarwal, Deputy Director General at the Department of Telecommunications, said harmonised procurement standards “reduce exposure to geopolitical risks and market concentration challenges.” Agreeing with this, Rohit Chauhan, head of corporate affairs at Tata Consultancy Services, added that “shared frameworks help balance innovation with security, supporting economic growth and national resilience.”

Artificial Intelligence risks

Artificial intelligence (AI) is becoming integral to critical infrastructure, but experts warn it is a double-edged sword. Used responsibly, AI enables predictive monitoring and early detection of anomalies. Left unchecked, it creates fresh attack surfaces that can be exploited at scale.

“Security needs to be addressed at procurement and operational stages. Too often, weaknesses appear after systems go live,” said Ajay Kumar Narula, Chief Information Security Officer at . He argued that AI cannot be bolted on as an afterthought but must be built into organisational processes from the start.

Legal clarity is another missing link. Dr. Pawan Duggal, a Supreme Court cyberlaw specialist, called for safe harbour provisions and updated liability frameworks to protect operators and innovators. Without such measures, he warned, reverse engineering and automated AI-driven attacks could undermine confidence in core services.

The mobility sector illustrates these risks vividly. Fractal.ai global CIO Manish Tiwari noted that connected vehicles generate vast data volumes that, if compromised, could ripple across networks. India has introduced AIS 189 and 190 cybersecurity standards for connected scooters and bikes — seen as a first step toward a regulated, resilient ecosystem.

Human capability is equally important. The National Skill Development Corporation estimates that nearly 28 percent of India’s workforce occupies low-competency roles, a gap that could blunt the effectiveness of AI-enabled systems. “Upskilling is urgent if we want to build resilience into our digital systems,” said Vice President Rishikesh Patankar.

Stating that there is no silver bullet to cybersecurity, CERT-In Director Anil Sagar stressed the need for regular drills, vulnerability management and risk-based monitoring to complement technical safeguards. Other experts, including Col Bhat, argue that trusted vendor systems and inter-agency coordination are indispensable to securing critical information infrastructure and preventing failures across sectors.

Mohd Ujaley
Mohd Ujaley is a journalist specialising in the intersection of technology with government, public sector, defence and large enterprises. As Editorial Director at Tech Observer Magazine, he leads editorial strategy, moderates industry discussions and engages with key stakeholders to shape conversations around technology, policy and digital transformation. With over 15 years of experience, Ujaley has held editorial roles at prestigious publications including The Economic Times, ETGovernment, Indian Express Group, Financial Express, Express Computer and CRN India. He holds a Bachelor’s degree in Business Economics, a Master’s in Mass Communication from Guru Gobind Singh Indraprastha University (GGSIPU), a Parliamentary Fellowship from The Institute of Constitutional and Parliamentary Studies and a Certificate in Public Policy from St. Stephen’s College, Delhi.