Securing Critical Infrastructure: Understanding Sabotage Reporting in Cybersecurity

In this edition of Cybersecurity 101, we explore Article 12: Sabotage Reporting, a key element of the Central Electricity Authority (CEA) guidelines. Sabotage, whether physical or digital, can severely disrupt critical operations, posing risks to national security and public safety. This article delves into the procedural and technical mandates of Article 12 and provides actionable insights for effective implementation.

This article is divided into two sections:

  1. Verbatim reproduction of Article 12 clauses for reference.
  2. Analysis of each clause with objectives, challenges, and actionable suggestions to enhance implementation.

Section 1: Verbatim Clauses of Article 12 – Sabotage Reporting

a) The Responsible Entity shall incorporate procedures for identifying and reporting sabotage in their Cyber Security Policy within 30 days from the issue of the guidelines or grant of license under the appropriate legal provisions to the Responsible Entity.

b) The CISO shall be held liable for non-reporting of identified sabotage(s) as per procedures laid for identifying and reporting sabotage in the Cyber Security Policy of the Responsible Entity.

c) The CISO shall prepare a detailed report on disturbances or unusual occurrences, identified, suspected, or determined to be caused by sabotage in the Critical System of the Responsible Entity, and shall submit the report to the Sectoral CERT as well as to CERT-In within 24 hours of its occurrence.

d) The CISO shall submit to NCIIPC within 24 hours of occurrence the report on every sabotage classified as cyber incidents on "Protected Systems."

e) The CISO, upon the occurrence of every sabotage, shall take custody of all log records as well as digital forensic records of affected Cyber Assets, Intrusion Detection System, Intrusion Protection System, and SIEM and shall preserve them for at least 90 days, making them available for investigation by concerned agencies.

Note: Sabotage includes disturbances or unusual occurrences suspected or determined to be caused by forced intrusion in unmanned/manned facilities, taking control of operations of Critical Systems through a communicating device.

Section 2: Analysis of Article 12 – Objectives, Challenges, and Suggestions

Clause (a): Incorporating Sabotage Reporting in Cyber Security Policy

Objective:

  • Establish clear procedures for identifying and reporting sabotage within a strict timeline.

Challenges:

  • Difficulty in drafting comprehensive procedures within the stipulated 30-day timeframe.
  • Resistance to updating existing policies, especially in entities with rigid structures.

Suggestions:

  • Use existing CEA guidelines as a blueprint to fast-track policy development.
  • Engage cybersecurity experts to draft and implement procedures within the given timeframe.
  • Conduct workshops to ensure alignment across departments.

Clause (b): Accountability of the CISO

Objective:

  • Ensure clear accountability for sabotage reporting by designating the CISO as the responsible authority.

Challenges:

  • Overburdening of CISOs with multiple cybersecurity responsibilities.
  • Ambiguity in team-wide accountability and delegation mechanisms.

Suggestions:

  • Establish a well-defined escalation hierarchy to distribute responsibilities effectively.
  • Leverage automated reporting tools to support the CISO in fulfilling reporting obligations.
  • Periodically review CISO responsibilities to balance workloads.

Clause (c): Reporting Sabotage to Sectoral CERT and CERT-In

Objective:

  • Facilitate prompt reporting of sabotage incidents to CERT-In and Sectoral CERT to enable a coordinated response.

Challenges:

  • Meeting the strict 24-hour reporting deadline during complex incidents.
  • Lack of clarity on the format and details required for reporting.

Suggestions:

  • Develop pre-approved reporting templates to streamline the process.
  • Conduct simulation exercises to practice reporting within 24-hour timelines.
  • Establish direct communication channels with CERT-In for clarification on reporting formats.


Clause (d): Reporting to NCIIPC for Protected Systems

Objective:

  • Ensure incidents involving Protected Systems are reported to NCIIPC for detailed analysis and action.

Challenges:

  • Identifying "Protected Systems" within complex IT/OT infrastructures.
  • Ensuring accuracy and completeness in reporting.

Suggestions:

  • Create a regularly updated inventory of Protected Systems.
  • Automate notifications for incidents affecting Protected Systems to reduce manual errors.
  • Engage with NCIIPC to define and understand reporting requirements better.


Clause (e): Preservation of Log and Digital Forensic Records

Objective:

  • Maintain secure custody of logs and forensic records for post-incident investigations.

Challenges:

  • Managing the large volume of logs and forensic data effectively.
  • Ensuring the integrity and chain of custody of preserved data for the full retention period (a minimum of 90 days under Clause (e), not a maximum).

Suggestions:

  • Preserve records in write-once (WORM or object-lock) storage, on-premises or in the cloud where sector policy permits, so that evidence cannot be silently altered or expired before the 90-day minimum has elapsed.
  • Hash every artefact at the time of collection and record the digests in a sealed manifest, so tampering is detectable at retrieval; encrypt the stored copies separately to protect confidentiality (encryption alone does not prove integrity).
  • Conduct periodic audits to confirm compliance with data preservation requirements.
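As an added example (not part of the original article or of the CEA guidelines), the following Python script shows one way to implement the hashing and manifest step suggested above: it streams a SHA-256 digest of each collected log, records the digests together with the incident identifier, custodian, collection time and the 90-day retain-until date in a manifest, seals the manifest with an HMAC, and later verifies both the manifest and the artefacts. The file names, the sample IDS/SIEM lines and the HMAC key are constructed for illustration; in production the key would be held in a vault or HSM separate from the evidence store, and the manifest would normally be signed with an asymmetric key so that an investigating agency can verify it without the custodian's secret.

```python
"""Evidence-preservation helper: hash collected log artefacts, seal the
digest list in a manifest, and verify it later.  Added example; all file
names, log lines and the key below are constructed for illustration."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # minimum preservation period required by Clause (e)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large SIEM exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, incident_id, custodian, collected_at=None):
    """Record what was taken into custody, by whom, when, and each artefact's digest."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "incident_id": incident_id,
        "custodian": custodian,
        "collected_at": collected_at.isoformat(),
        "retain_until": (collected_at + timedelta(days=RETENTION_DAYS)).isoformat(),
        "artefacts": [
            {"name": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in sorted(paths)
        ],
    }


def _canonical(manifest):
    # Deterministic serialisation so the MAC is reproducible at verification time.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """Bind the manifest to a custodian-held key so later edits to it are detectable."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac_sha256": tag}


def verify_sealed(sealed, key, directory):
    """Return (manifest_intact, [artefact names whose content changed or is missing])."""
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    manifest_intact = hmac.compare_digest(expected, sealed["hmac_sha256"])
    changed = []
    for entry in sealed["manifest"]["artefacts"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["name"])
    return manifest_intact, changed


def demo():
    """Constructed scenario: seal two sample logs, then tamper with them and re-verify."""
    key = b"custodian-key-held-in-vault-not-with-evidence"  # assumption, see lead-in
    samples = {  # constructed sample log lines, not real telemetry
        "ids.log": "2024-01-15T02:11:09Z ALERT src=10.0.5.7 dst=10.0.1.20 sig=modbus-write-coil\n",
        "siem.log": "2024-01-15T02:11:12Z correlation rule=ot-unauthorised-write host=rtu-07\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, text in samples.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(text)
            paths.append(p)
        sealed = seal_manifest(build_manifest(paths, "INC-0001", "ciso@example.invalid"), key)
        results["clean"] = verify_sealed(sealed, key, d)
        # Simulate an after-the-fact edit to one preserved log
        with open(os.path.join(d, "ids.log"), "a") as fh:
            fh.write("2024-01-15T02:11:09Z (edited)\n")
        results["log_modified"] = verify_sealed(sealed, key, d)
        # Simulate an edit to the manifest itself (e.g. changing the custodian)
        sealed["manifest"]["custodian"] = "someone-else"
        results["manifest_modified"] = verify_sealed(sealed, key, d)
        m = sealed["manifest"]
        results["retention_days"] = (datetime.fromisoformat(m["retain_until"])
                                     - datetime.fromisoformat(m["collected_at"])).days
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The manifest, not the raw logs, is what the custodian hands to the investigating agency alongside the evidence copy: anyone holding the key (or, with a signature, the public key) can re-run the digests and see exactly which artefact changed, while the retain-until field makes the 90-day minimum an explicit, auditable property of the record rather than a storage-lifecycle default.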

Conclusion

Article 12: Sabotage Reporting is a cornerstone of the CEA guidelines, emphasizing proactive measures to identify, report, and address sabotage incidents effectively. While implementation poses challenges such as tight timelines, technical complexities, and resource constraints, adopting modern tools, standardized processes, and interdepartmental collaboration can significantly enhance organizational readiness. With the power sector being a critical infrastructure, strict adherence to these guidelines will play a pivotal role in safeguarding national interests and ensuring operational resilience.



More articles by Dr.Sundararaman Chintamani