
How safe is India’s critical national infrastructure?

May 30, 2026

AI Summary

India's critical infrastructure — power grids, banks, telecoms — has grown more capable and more vulnerable at the same time. IoT devices, once peripheral, are now active attack vectors, as Chinese state-sponsored intrusions into grid control centres have demonstrated. India's institutional response (NCIIPC, CSIRT-Power, SEBI's cyber framework) is real but fragmented across ministries, and its foundational cybersecurity policy is a decade old. The core challenge: building resilience, not just compliance, before adversaries exploit the gap.

In May 2025, as India's military conducted Operation Sindoor, a parallel war unfolded in cyberspace. A coordinated wave of cyber activity struck Indian government sites and critical infrastructure simultaneously — with roughly 200,000 probing and attack attempts reported against the power grid, DDoS targeting the President's official website for approximately 19 hours, and attacks aimed at NIC data centres and defence research organisations. The physical front got all the headlines. The digital one barely made the news.

This is the gap at the heart of India's infrastructure story. The country has spent decades building scale — automating power grids, digitising financial systems, wiring up hospitals — but the same connectivity that drives efficiency has quietly multiplied the attack surface.

When a CCTV Camera Becomes a Weapon

The most underappreciated vulnerability in India's critical infrastructure isn't a rogue state actor. It's an unpatched IP camera mounted on a substation wall.

In April 2022, researchers documented a Chinese state-sponsored campaign that had targeted at least seven Indian State Load Despatch Centres responsible for real-time electric grid operations in North India — using compromised, internet-facing third-party DVR and IP camera devices as command-and-control relays for ShadowPad malware infections. The cameras weren't the target. They were the door.

Researchers noted that this campaign pointed to a troubling trend: threat actors targeting older, low-priority vulnerabilities that are likely to remain unpatched, underscoring the continued need to protect critical infrastructure as it increasingly turns to IoT devices.

This is the paradox of modernisation. Every smart meter, connected sensor, or remotely operated valve added to India's infrastructure improves operational efficiency — and adds another potential entry point. NCIIPC has itself acknowledged that even though some systems are isolated, the accelerated development of the IT sector and the advent of IoT will increase the complexity of protecting Critical Information Infrastructure.

The Institutional Architecture Trying to Keep Up

India does have a response architecture — and it is more sophisticated than popular perception suggests. NCIIPC has identified sectors including banking and finance, power and energy, telecom, transport, healthcare, and strategic public enterprises as critical, along with government networks. A dedicated Computer Security Incident Response Team for Power (CSIRT-Power) was established in April 2023, alongside sectoral CERTs covering Thermal, Hydro, Transmission, Distribution, Grid Operations, and Renewable Energy.

Regulators are also tightening the screws in specific verticals. India's financial sector faced over 13 lakh cyberattacks between January and October 2023, which prompted SEBI to release a comprehensive Cyber Security and Cyber Resilience Framework for all its regulated entities. And in October 2024, MeitY updated security requirements for all CCTV cameras sold in India, mandating strict standards to prevent vulnerabilities in these IoT devices.

In 2024–25 alone, over 9,700 security audits were carried out by CERT-In across power, transport, and BFSI sectors, while NCIIPC conducted around 90 specialised audits for the most sensitive systems.

The Gaps the Audits Can't Fix

But institutional activity is not the same as institutional coherence. India's cyber administration structure has been criticised for a lack of clarity that breeds administrative confusion. The 2024 amendment to the Allocation of Business Rules tried to address this by assigning telecom network security to the Department of Telecommunications, while cybersecurity and cybercrime were assigned to MeitY and the Ministry of Home Affairs respectively. Three ministries, one problem.

Meanwhile, the policy foundation is ageing. India's National Cyber Security Policy dates to 2013, and is widely seen as ineffective against modern threats. A replacement strategy exists in draft form, but the National Security Council Secretariat's draft cybersecurity strategy currently has no implementation date.

The deeper structural issue is the gap between IT and operational technology (OT). In the manufacturing sector, a lack of segmentation between IT and OT networks raises systemic risk — a vulnerability that extends equally to power utilities and water systems whose control networks were never designed to be internet-connected, but increasingly are.

From Compliance to Resilience

The honest answer to "how safe is India's critical infrastructure?" is: safer than it was five years ago, but not safe enough for where it's headed. India experienced the third-most cyberattacks in the world in 2023, with around 79 million attacks targeted at the country by actors ranging from profit-seeking cybercriminals to state-sponsored groups. And the threat is evolving faster than the policy.

India's critical infrastructure protection architecture cannot be imported wholesale from global models — it must be re-engineered to align with the country's federal asymmetries and its persistent multi-vector threat matrix. Sector-isolated protection models are insufficient when the actual risk terrain is defined by cyber-physical overlaps and institutional fragmentation.

The cameras on the substation walls aren't going away. Neither are the adversaries watching through them. What India needs isn't just more audits — it's a framework that treats every connected device as part of the national security perimeter, not an afterthought.
