
Beware of the bugs; Cyber attacks on India's critical infrastructure, such as telecommunications and energy networks, have occurred and can occur... [Business Today (India)]
[February 11, 2013]



(Business Today (India) Via Acquire Media NewsEdge) Beware of the bugs; Cyber attacks on India's critical infrastructure, such as telecommunications and energy networks, have occurred and can occur again. Can they be thwarted?

In early July last year, a staffer at the secretive National Technical Research Organisation (NTRO) noticed odd "signals" on his monitoring system. Using complex algorithms that NTRO had been developing since 2010, he categorised these signals as a precursor to a major cyber attack. The agency, run under the Prime Minister's Office, immediately sent a warning up the chain of command. Inexplicably, the warning went unheeded. That mistake would result in the single-largest cyber attack ever carried out against India.



On July 12, several high-level officials reported their emails had been hacked into. This included officials from the Ministry of External Affairs, Ministry of Home Affairs, Defence Research and Development Organisation (DRDO), and the Indo-Tibetan Border Police (ITBP), the paramilitary unit deployed along much of the country's 3,500 km border with China. The hackers even breached the main National Informatics Centre email server, which serves all government departments. An investigation put the total number of hacked accounts at roughly 12,000.

The scale of the breach may suggest that the hackers were trying to steal any information they could lay their hands on, but NTRO officials believe otherwise. "Ministries like Panchayati Raj, Women and Child Development, and Statistics were not touched. The hackers focused on the ones with secrets," says a senior NTRO officer on condition of anonymity. "They stole secret information such as deployment locations of troops and communication between ITBP (commanders) and home ministry officials." Officials say while any number of countries could be after secrets from the foreign and home ministries and DRDO, only one would be interested in ITBP - China, with which India has a long-running boundary dispute that even led to a brief, but bloody, war in 1962.


Cyber security experts believe most cyber attacks on India are from groups based in China. But India is not the only one on these hackers' radar. The United States is also probing hacking incidents by Chinese groups. One example was the hacking of Lockheed Martin's futuristic F-35 stealth fighter programme. It is widely believed that the hackers stole design features which ultimately helped China with its J-20 and J-31 stealth fighter programmes.

China denies such allegations. A spokesperson at the Chinese embassy in New Delhi told Business Today in an email that China opposes hacker attacks and has made laws to ban them. "China is also one of the main victims of hacker attacks... China is ready to continue its cooperation with the international community aimed at ensuring cyber security," the spokesperson said.

The damage cyber attacks can cause was spelt out by US President Barack Obama in an article in The Wall Street Journal in July last year. "In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home," he wrote, arguing for stringent cyber security legislation. "Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency; the loss of electricity can bring businesses, cities and entire regions to a standstill." Indeed, such attacks have already been carried out. On April 27, 2007, Estonia ground to a halt when its parliament, ministries, banks and media suffered a wave of cyber attacks. Russia was the main suspect, considering the attacks took place around the same time Estonia decided to relocate a Soviet-era war memorial. Again, in August 2008, Georgia's government and media websites were knocked offline and phone lines jammed at just the time it went to war with Russia over South Ossetia.

Some of the world's biggest companies have also been victims of cyber attacks. In August 2012, Saudi Aramco, the Gulf kingdom's national oil producer, reported an attack that damaged 30,000 computers on its network.

Though the attackers did not reach their intended target - the company's production network - it is not difficult to imagine the global consequences of a disruption in supply from the world's largest oil exporter. Can India thwart such attacks on its critical infrastructure such as transport and communications networks, oil refineries and nuclear power plants? Is the government even taking this threat seriously? In December, Cabinet Secretary Ajit Seth told a conference of Chief Information Security Officers of important ministries that "the government is fully conscious of the threat to our cyber space". Privately, cyber security experts called this lip service. They point to the mass email hacking of last year, which used a technique called a "Zero Day" (see The Zero Day Nightmare on the next page). Zero Day attacks are unstoppable, but what worsened matters, say investigators, is that most systems did not have updated security software.

Until recently, the responsibility for shielding the country from cyber attacks devolved on the Indian Computer Emergency Response Team (CERT-In), set up under the Department of Information Technology in 2004. Since then, the number of reported cyber security incidents - phishing, defaced websites, network breaches, virus attacks - has grown from 23 to 13,301 in 2011 (see Worrying Trend). Experts say the actual number may be 10 times higher as most victims either do not know or do not admit their systems were hacked into.

In July last year, the government split CERT-In's responsibilities so that serious threats were not lost in the deluge of minor issues. CERT-In now protects cyber assets in non-critical areas while a new body called the National Critical Information Infrastructure Protection Centre (NCIIPC) protects assets in sensitive sectors such as energy, transport, banking, telecom, defence and space.

But, despite the growing threat, India spends a minuscule amount on cyber security. The budgetary allocation towards cyber security (including CERT-In) is Rs 42.2 crore ($7.76 million) for 2012/13, up 19 per cent from Rs 35.45 crore in 2010/11. In comparison, the US plans to spend several billion dollars through the National Security Agency, $658 million through the Department of Homeland Security and $93 million through US-CERT in 2013.

"Indian agencies don't have enough resources. Their budget should be at least 10 times bigger if they have to function properly," says Subimal Bhattacharjee, a cyber security expert and former India head of the US-based information systems giant General Dynamics.

Information Technology Secretary J. Satyanarayana admits that more work needs to be done in areas such as capacity building and research and development. But he says the US cyber security budget cannot be compared with India's. "The US has massive IT infrastructure and needs more money to protect that." Satyanarayana says the department is in an advanced stage of finalising the national cyber security policy. Among other things, the policy proposes to minimise the dependence on foreign IT products and to produce indigenous security solutions.

The government also plans to appoint a National Cyber Security Coordinator in the National Security Council to coordinate with all agencies dealing with cyber security.

India has so far not suffered any major economic or physical damage because of cyber attacks, but that does not mean its defences are strong. In January 2012, for instance, NTRO officials alerted the Airports Authority of India (AAI) to serious vulnerabilities in its cargo management system at Chennai, Coimbatore, Kolkata, Amritsar, Lucknow and Guwahati airports. Weak passwords and outdated operating systems were the main problems. These six airports handled 311,000 metric tonnes of international cargo in 2010/11. A single day's disruption would have sent 853 tonnes of cargo to the wrong destinations.

"The economic impact would have been immense had the systems been penetrated by unscrupulous elements," says P.K. Kapoor, Executive Director (Information Technology), AAI. NTRO followed up its alert with a full-scale assessment of India's air traffic control (ATC) system and advised, among other things, installing closed-circuit TV cameras in ATC rooms.

India's telecom network is equally vulnerable. Dhruv Soi, founder of information security firm Torrid Networks, recalls a recent assignment to test the networks of one of India's largest telecom operators. He says his team got complete control of the company's billing system within a week. It also found that the back-up server containing important data had weak passwords and was protected by flawed software. "We targeted this server and were able to control almost everything," adds Soi.

Weak passwords also allowed hackers to breach the server and deface the website of the Pune-based Indian Railways Institute of Civil Engineering last August. "There are plenty of free tools available online that help hackers crack passwords easily," says Vijay Devnath, General Manager (Infrastructure and Security), Centre for Railway Information Systems.
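The weak passwords NTRO found in the airport cargo systems, on the telecom operator's backup server and on the railway institute's web server are the kind of defect a routine password-policy audit catches before an intruder does. The following is an added example written for this page, not code from Business Today or any organisation it quotes; the common-password list, the 12-character minimum and the sample accounts are constructed assumptions, and a real deployment would check candidates against a full breached-password corpus rather than a ten-entry set.

```python
"""Password policy audit for the weak-password findings the article describes.

Added example, not code from Business Today, NTRO, AAI, Torrid Networks or CRIS.
The common-password list, policy thresholds and sample accounts are constructed.
"""
import re
from typing import Dict, List

# Constructed mini-list of commonly guessed passwords. A real deployment would
# check against a large breached-password corpus instead of a handful of entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "admin", "welcome",
    "letmein", "india123", "railway", "password1",
}
MIN_LENGTH = 12  # assumed policy threshold


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def audit_password(pw: str, username: str = "") -> List[str]:
    """Return policy findings for one password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    # Strip trailing digits and symbols so "Password2012!" is still caught as "password".
    core = re.sub(r"[\d\W_]+$", "", pw).lower()
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        findings.append("based on a common password")
    if len(username) >= 3 and username.lower() in pw.lower():
        findings.append("contains the username")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("three or more repeated characters in a row")
    if _has_sequence(pw):
        findings.append("contains an alphabetic or numeric sequence")
    return findings


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit {username: password} pairs; returns findings for failing accounts only."""
    failing = {}
    for user, pw in accounts.items():
        findings = audit_password(pw, user)
        if findings:
            failing[user] = findings
    return failing


# Constructed sample accounts; none are from any real system.
SAMPLE_ACCOUNTS = {
    "cargo_ops": "Password2012!",
    "atc_admin": "admin",
    "dhruv": "dhruv1234",
    "backup_svc": "Tr7#kLm9$pQw2xB",
}

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

Run against the constructed accounts, three of the four fail: the first because it is a dictionary word with a year and a symbol bolted on, the second because it is short, single-class and common, the third because it embeds the username and ends in a digit run; only the service account's random string passes. The useful design point is the `core` normalisation, which stops the simplest "append digits to a common word" trick from evading the common-password check.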

The damage was limited because the website is not frequently visited. It could have been worse. "Once a server is compromised, it gives easy access to other connected servers," says Rajshekar Murthy, who runs the Gurgaon-based cyber security firm Orchidseven. Had the hackers breached the rail traffic management system, they could have sent trains crashing into one another.

If train accidents sound scary, imagine another Bhopal - or Chernobyl - like industrial disaster. State-run Nuclear Power Corporation of India is a constant target for hackers. "The company faces up to 10 targeted attacks a day but manages to block them all," says Executive Director S.P. Dharne. If even one attack succeeds, the country could face a nuclear emergency.

Government agencies are not the only targets; even companies such as the Kolkata-based ITC have suffered cyber attacks. According to a July 2012 report by Bloomberg, Chinese hackers possibly had access to ITC's network for a year. It also said cyber thieves hacked into the computer of ITC Chairman Y.C. Deveshwar's personal assistant and stole several documents including tax filings. An ITC spokesman told Business Today that the company was "informed of a possible hacking attempt" of an independent computer. "The computer in question did not contain any critical information about the company nor did it have access to any such information," he said. "Our IT security systems are constantly reviewed and updated to protect against such possible attacks."

Some threats come from within India. In 2007, the IT team of a Chennai-based drug maker detected heavy traffic on servers connected to its research lab. The company was developing an anti-asthma molecule, and it suspected that a hacker was stealing the research data. Unable to trace the hacker, the company approached Mahindra Special Services Group (MSSG), a security consulting firm, part of the Mahindra & Mahindra group. MSSG experts placed a dummy file containing a virus on the company's R&D folder that appeared to contain research data, says Dinesh Pillai, MSSG's CEO.

"When the hacker returned, he went straight for the dummy file and we traced him using the virus," he says. The hacker turned out to be a 29-year-old Chandigarh resident who was hired by a rival drug maker. Experts say India remains highly vulnerable to cyber attacks on its critical infrastructure. "I do not even know the command and control system for dealing with cyber attacks in the country," says Pillai.
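The dummy file MSSG describes is a honeytoken: a decoy that no legitimate user has any reason to open, so a single access to it is a high-confidence alert that also names the account and host behind it. As an added example (not MSSG's or Business Today's code), the following plants decoy files in a research share, checks that they have not been tampered with, and scans an access audit log for reads of the decoys; the log line format, the paths, and the user and host names are constructed assumptions, and the decoy carries no payload, because the point here is detection and attribution from the defender's own logs.

```python
"""Decoy-file (honeytoken) monitoring: a defensive take on the dummy-file trick MSSG describes.

Added example; not code from MSSG, Business Today or anyone quoted in the article.
The decoy names, log format, user and host names are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Audit actions that mean someone actually read the decoy; a metadata-only STAT
# (e.g. a backup agent walking the tree) is deliberately not treated as a hit.
ALERT_ACTIONS = {"OPEN", "READ", "COPY"}
# Constructed audit-line format: "<timestamp> <user>@<host> <ACTION> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+)@(\S+) (\S+) (\S+)$")

# Decoy placed in the research share; nothing legitimate ever needs to open it.
DECOY_PATHS = ["/srv/rnd/molecule_candidates_FINAL.xlsx"]

SAMPLE_LOG = [  # constructed file-access audit lines, not from any real system
    "2007-03-02T01:12:09 rsharma@lab-ws07 OPEN /srv/rnd/assay_run_17.csv",
    "2007-03-02T01:12:31 rsharma@lab-ws07 OPEN /srv/rnd/molecule_candidates_FINAL.xlsx",
    "2007-03-02T01:12:40 rsharma@lab-ws07 COPY /srv/rnd/molecule_candidates_FINAL.xlsx",
    "2007-03-02T09:05:02 ameena@lab-ws02 OPEN /srv/rnd/assay_run_17.csv",
    "2007-03-02T09:06:15 backup@nas01 STAT /srv/rnd/molecule_candidates_FINAL.xlsx",
    "malformed line that the parser must skip",
]


@dataclass(frozen=True)
class DecoyAccess:
    timestamp: str
    user: str
    host: str
    action: str
    path: str


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_decoys(root: str, names: Iterable[str]) -> Dict[str, str]:
    """Write decoy files that look like research data; return {path: sha256} as a manifest."""
    manifest = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"# {name}\ncompound_id,ic50_nM\nCONSTRUCTED-001,42.0\n")
        manifest[path] = sha256_of(path)
    return manifest


def verify_decoys(manifest: Dict[str, str]) -> List[str]:
    """Return decoys that are missing or altered; tampering with bait is itself a signal."""
    return [p for p, digest in manifest.items()
            if not os.path.exists(p) or sha256_of(p) != digest]


def find_decoy_accesses(log_lines: Iterable[str], decoy_paths: Iterable[str]) -> List[DecoyAccess]:
    """Every read/open/copy of a decoy path in the audit log, with who did it and from where."""
    decoys = set(decoy_paths)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than crash the monitor
        ts, user, host, action, path = m.groups()
        if path in decoys and action in ALERT_ACTIONS:
            hits.append(DecoyAccess(ts, user, host, action, path))
    return hits


def summarize_by_actor(hits: Iterable[DecoyAccess]) -> Dict[str, int]:
    """Count hits per user@host, which is the attribution lead an investigator follows up."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = f"{h.user}@{h.host}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def demo_plant_and_verify() -> Tuple[List[str], int]:
    """Plant one decoy in a temp dir, confirm it is intact, then simulate tampering."""
    root = tempfile.mkdtemp(prefix="decoy-")
    manifest = plant_decoys(root, ["molecule_candidates_FINAL.xlsx"])
    intact = verify_decoys(manifest)  # [] right after planting
    with open(next(iter(manifest)), "a", encoding="utf-8") as fh:
        fh.write("tampered\n")
    return intact, len(verify_decoys(manifest))


if __name__ == "__main__":
    print(summarize_by_actor(find_decoy_accesses(SAMPLE_LOG, DECOY_PATHS)))
    print(demo_plant_and_verify())
```

On the constructed log the monitor ignores the analyst who only opens real assay data and the backup agent that merely stats the decoy, and reports two hits from `rsharma@lab-ws07`, which is exactly the lead MSSG's investigators needed: not just that something was taken, but which account and machine took it. The choice to alert on OPEN/READ/COPY but not STAT keeps the decoy quiet under routine backups and indexing, which is what keeps a honeytoken's false-positive rate near zero.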

M.S. Vijayaraghavan, an adviser to NTRO, says all cyber security agencies are working in isolation. "If there is a synchronised attack on multiple critical infrastructure facilities, they are not in a position to join the dots and respond in a well-coordinated way," he says. But, he adds, the formation of NCIIPC is changing that as the entire critical infrastructure has now come under its purview.

Indeed, NCIIPC is worried about thwarting the next big attack. Business Today asked NCIIPC officials to describe how India would face a Stuxnet-style attack on a nuclear power plant (see Repulsing Attacks). Stuxnet was a virus created in a joint US-Israeli operation against Iran that destroyed over 1,000 nuclear centrifuges, setting Tehran's atomic programme back by at least two years.

"The cyber threat landscape has changed in the past five years. The threat of a Stuxnet-like attack on critical infrastructure will grow in the future," says Unmesh Deshmukh, Director (Security Suites Sales), Asia Pacific and Japan, at IT security solutions provider Symantec. In coming years, private companies will matter greatly in India's critical infrastructure as they control more and more assets in telecom, transport, energy, and banking and finance. In five years, NCIIPC hopes to have 500 cyber experts. But estimates by government and private agencies say the country needs 100 times that number.

Vijayaraghavan believes meeting such a target is possible. "That number may sound large, but remember, there is no college degree in hacking. There are thousands who do it as a hobby and we can connect with them." Sanjay Katkar, co-founder and Chief Technology Officer of security software provider Quick Heal Technologies, says India needs more public-private interaction to secure its cyber space. "We require more collaboration between private companies and educational institutions to develop talent," he says. "We need more cyber warriors and need to be ready for the cyber war."

(c) 2013 ProQuest Information and Learning Company; All Rights Reserved.
