Part 13.2

Critical Information Infrastructure (CII)

"Protecting National Digital Assets"

IT Act Section 70, NCIIPC Role, CII Identification Process, Protected Systems Declaration, Sector-Specific Requirements for Power, Banking, Telecom, Transport, and Government.

2.1

CII - Definition and Legal Framework

IT Act Section 70(1)

Protected System

"The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system."

Critical Information Infrastructure - Definition

IT Act Section 70(1) Explanation:

"Critical Information Infrastructure" means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on:

1. National Security

2. Economy

3. Public Health

4. Safety

Key Characteristic: Debilitating impact if compromised or destroyed

2.2

NCIIPC - Role and Functions

National Critical Information Infrastructure Protection Centre

Aspect	Details
Full Form	National Critical Information Infrastructure Protection Centre
Establishment	2014 (under NTRO)
Parent	National Technical Research Organisation (NTRO), PMO
Legal Basis	IT Act Section 70A
Headquarters	New Delhi
Function	Protection of CII in India

NCIIPC Functions under Section 70A

1. Take all measures to protect CII

2. Identify CII across sectors

3. Issue guidelines for CII protection

4. Coordinate with sector regulators

5. Develop and maintain national CII protection strategy

6. Respond to CII security incidents

7. Share threat intelligence with CII operators

2.3

CII Sectors and Maharashtra Examples

Sector	CII Examples	Maharashtra Specific
Power	Power generation plants, transmission grid, distribution systems	MSEDCL, Tata Power Mumbai, BEST
Banking/Finance	Core banking systems, payment gateways, ATM networks	RBI Mumbai, NSE, BSE, NPCI
Telecom	Network operations centers, switching systems, submarine cables	Major telco operations in Mumbai
Transport	Air traffic control, railway signaling, port management	Mumbai Airport, Konkan Railway, JNPT
Government	E-governance portals, citizen databases, defense systems	MahaOnline, Aaple Sarkar, MH State Data Centre
Healthcare	Hospital management systems, health databases	Major hospital chains, CoWIN infrastructure
Emergency Services	112 emergency response, disaster management systems	Maharashtra Emergency Response System

2.4

Protected System Declaration and Compliance

Protected System - Compliance Requirements

Under IT Act Section 70:

1. Access Control: Only authorized persons can access

2. Audit Trails: Complete logging of all access

3. Security Measures: Enhanced security controls

4. Incident Reporting: Immediate reporting to NCIIPC/CERT-In

5. Background Verification: Personnel handling CII

IT Act Section 70(2) and (3)

Penalties for CII Violations

"Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine."

Violation	Section	Punishment
Unauthorized access to protected system	70(2)	Up to 10 years + fine
Attempt to access protected system	70(2)	Up to 10 years + fine
Misuse of CII information	72A	Up to 3 years + Rs. 5 lakh fine
Cyber terrorism (CII attack)	66F	Life imprisonment

2.5

Sector-Specific Regulations

Banking Sector - RBI Guidelines

RBI Cybersecurity Framework (2016, updated):

1. Board-approved IT/Cyber Security Policy

2. Dedicated CISO appointment

3. Security Operations Centre (SOC)

4. Vulnerability Assessment and Penetration Testing (VAPT)

5. Incident reporting to RBI within 2-6 hours

6. Customer data protection measures

Power Sector - CEA Guidelines

Central Electricity Authority Cyber Security Guidelines:

1. SCADA/ICS security measures

2. Air-gapped networks for critical systems

3. OT/IT segmentation

4. Incident response plan

5. Regular security audits

6. Personnel training

Key Points - Part 13.2

CII - Computer resources whose compromise affects national security, economy, public health, or safety
Section 70 - Empowers government to declare protected systems; violation attracts 10 years imprisonment
NCIIPC - National agency under NTRO for CII protection; established 2014 under Section 70A
CII Sectors - Power, Banking, Telecom, Transport, Government, Healthcare, Emergency Services
Maharashtra CII - MSEDCL, NSE/BSE, Mumbai Airport, JNPT, State Data Centre
Protected System - Enhanced access controls, audit trails, background verification required
Section 66F - Cyber terrorism against CII attracts life imprisonment
RBI Framework - Banks must have CISO, SOC, VAPT; report incidents within 2-6 hours
Power Sector - CEA guidelines mandate SCADA security, OT/IT segmentation
Dual Reporting - CII incidents reported to both NCIIPC and CERT-In