CERT IN & INCIDENT REPORTING
Under the Information Technology Act, 2000 (IT Act, 2000) framework, in the CERT-In Rules, 2013 framed under Section 70B of the Act, a cyber security incident is defined as:
“Any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy, resulting in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information, or changes to data or information without authorization.” In essence, a cyber-incident encompasses any event related to cybersecurity that compromises the confidentiality, integrity, or availability of electronic information, systems, services, or networks.
The Indian Computer Emergency Response Team (CERT-In) is the national agency for responding to computer security incidents in India. Its statutory functions include collecting, analysing and disseminating information on cyber incidents, forecasting and alerting, taking emergency measures, coordinating incident response, and issuing guidelines, advisories and vulnerability notes. In practice it also tracks threats, conducts security workshops and awareness programmes, promotes security best practices, and works with government, industry and international stakeholders to strengthen India's overall cyber security posture. The IT Act, 2000 and CERT-In together form the legal and operational backbone of incident reporting in India.


Critical Information Infrastructure (CII) comprises the computer resources, networks and databases vital to a nation's functioning, whose incapacitation or compromise would have a debilitating impact on national security, the economy, public health or safety (the sense in which Section 70 of the IT Act, 2000 uses the term). CERT-In plays a crucial role in incident reporting relating to CII; the protection of CII itself falls to the National Critical Information Infrastructure Protection Centre (NCIIPC), designated under Section 70A.
Once court directions are issued, the police are responsible for reporting cyber incidents to the appropriate authority when an FIR is registered under Section 66F (cyber terrorism) of the IT Act, 2000. They must gather evidence, identify suspects and pursue legal action, and reporting the incident to CERT-In is a mandatory part of that investigative process. Collaboration between the police and CERT-In is essential for strengthening cyber security and contributing to a safer digital environment.
Reporting channels include email, the CERT-In helpdesk and fax. An incident report should state the time of occurrence, the affected system or network (hostnames, IP addresses, function), the symptoms observed, and the available technical details (logs, indicators, malware samples). CERT-In verifies the authenticity of the report and then works through triage, incident response and recovery. For cyber terrorism incidents, the Research and Analysis Wing (R&AW) and the National Investigation Agency (NIA) collaborate with CERT-In and law enforcement in the investigation.
An FIR (First Information Report) registered under Section 66F of the IT Act requires the investigating officer to follow specific procedures, including mandatory reporting to CERT-In. CERT-In handles cyber security incidents in India and provides support and advice, but it does not physically deploy its members to incident sites. The investigating officer should therefore work with the relevant agencies, such as the NIA and R&AW, to investigate cyber terrorism cases and protect national security. Reporting to CERT-In is crucial for effective incident handling, and collaboration with the investigating agencies strengthens the overall response to cyber crime.
When a complaint or litigation is filed over a cyber attack or breach of critical infrastructure, the first step taken by the relevant authority should be to report the incident to CERT-In, which plays a central role in handling and mitigating cyber security incidents in India. Whether the authority is the police or a court, mandatory reporting of attacks on critical infrastructure to CERT-In is a crucial step in establishing the genuineness of the crime or of the litigation. By involving CERT-In, authorities gain access to expertise, can coordinate with other agencies, and follow established protocols for handling such incidents. Filing an FIR is equally important: it treats the attack as a criminal offence, enabling law enforcement action and evidence collection. Both steps are essential for timely intervention and for legal proceedings, and authorities often take them simultaneously.
Belated incident reporting to CERT-In can have significant consequences: legal and regulatory exposure, delayed incident response, greater impact on systems and networks, missed threat intelligence sharing, reputational damage, loss of evidence, and harm to national security and the economy. Non-compliance with reporting requirements is punishable under the IT Act, 2000: Section 70B(7) provides for imprisonment of up to one year, a fine of up to one lakh rupees, or both, for failing to comply with CERT-In directions, and the April 2022 directions issued under Section 70B(6) require covered entities to report specified incidents within six hours of noticing them. Organisations should therefore prioritise reporting within the stipulated timeframe to mitigate risk and protect the digital ecosystem. Legal analyses and guidelines on CERT-In's reporting rules provide further detail.


National security is put at risk when important incidents are kept secret. A catastrophic event might jeopardise defence systems, interrupt vital services, or put populations in danger, and inadequate reporting could result in fatalities and tangible harm to vital infrastructure; a cyber attack on transport or the electrical grid, for instance, could have disastrous effects. A major national incident also affects the economy: unreported events can cause protracted disruptions that damage trade, enterprises and the stability of the financial system. Secrecy erodes public confidence in institutions and government, and sustaining that trust requires openness and prompt reporting. Incidents kept under wraps invite accountability questions and legal investigations, and political figures and organisations may be investigated for negligence. Concealed incidents also affect international relations, since neighbouring countries and global partners expect transparency and cooperation in a crisis. Timely reporting, by contrast, enables better readiness and preventive measures: CERT-In can send out notifications, coordinate responses, and improve overall cyber resilience.
AN INDEFENSIBLE CATASTROPHIC LAPSE OF INCIDENT REPORTING
The revelation that vulnerability assessment and penetration testing (VAPT) details, containing attack vectors to the load dispatch centres through the substation LDMS related to the R-APDRP SCADA/DMS, were compromised a year before the Mumbai power attack and the other load dispatch centre cyber attacks is deeply concerning. That an FIR was filed under Section 66F of the IT Act by the Kerala Police underscores the gravity of the situation. Why the authorities chose to conceal or manipulate this information remains a matter of speculation. Section 70B(6) of the IT Act, 2000 empowers CERT-In to call for information and issue directions, and the reporting requirements made under it are clearly specified. It is still unclear why the authorities did not disclose the information despite the court's direction, but the Mumbai power attack and the other load dispatch centre cyber attacks might have been prevented had the matter been thoroughly investigated. Some potential scenarios:

1. Early Detection and Mitigation: Had the compromise of the VAPT details been promptly detected and acted upon, the vulnerabilities identified in the R-APDRP SCADA/DMS systems might have been patched or otherwise remediated. Timely intervention could have denied the attackers the weaknesses they exploited in the lead-up to the power outage.
2. Enhanced Security Measures: An investigation could have led to security controls of the kind mandated by NERC CIP being implemented and strengthened without compromise. Authorities might have added further layers of protection, such as intrusion detection systems, access controls, endpoint security, remediation of network architecture flaws, defined electronic security perimeters (ESP), and network segmentation. These measures could have thwarted attempts to infiltrate the critical infrastructure.
3. Increased Vigilance: Knowledge that the VAPT details had been compromised would have put the MSEB and the other state electricity boards (SEBs) on high alert. Regular monitoring and proactive threat hunting could have been initiated, so that suspicious activity or anomalies were detected earlier and acted upon in time.
4. Collaboration and Information Sharing: An investigation would likely involve collaboration with cybersecurity experts, government agencies, and international bodies. Sharing insights and threat intelligence could have led to a more comprehensive understanding of the threat landscape.
5. Public Awareness and Preparedness: Transparency about the breach could have raised awareness among other critical infrastructure operators. Preparedness drills, scenario-based training, and crisis management protocols might have been put in place.
6. Attribution and Deterrence: Investigating the attack could have led to attribution, that is, identifying the perpetrators. Knowing the source of the attack could serve as a deterrent and enable legal action against the responsible parties.
Deliberate concealment of cyber breaches by the police raises serious legal concerns. Reporting cyber incidents promptly is crucial for preventing further harm and ensuring accountability. In India, reporting of certain cyber incidents to CERT-In is mandatory, and cyber crimes can additionally be reported through the National Cyber Crime Reporting Portal; failure to report promptly carries legal consequences. Deliberate concealment or misdirection of incidents, especially by law enforcement, could amount to obstruction of justice or misconduct, particularly where critical infrastructure such as the power grid is affected. The potential legal consequences include liability for obstruction of justice, negligence and conspiracy, as well as responsibility for the aggravated harm that follows. Authorities must ensure transparency, accountability and timely reporting to prevent further harm and protect society.
In essence, the failure to promptly report the incident, particularly by law enforcement, was followed by significant and catastrophic incidents, and this negligence, more than anything else, contributed directly to the attacks on the load dispatch centre. Intentionally concealing a cyber breach, especially one that leads to severe consequences, is unacceptable and could potentially amount to a criminal act. Authorities must prioritise transparency, accountability and timely reporting to prevent further harm and safeguard society. This incident reporting failure is inexcusable and calls for proactive measures to prevent similar failures in the future.