Verify it's really you

Please re-enter your password to continue with this action.

Published on Jul 17, 2026
Daily Editorials Analysis
Editorials/Opinions Analysis For UPSC 17 July 2026
Editorials/Opinions Analysis For UPSC 17 July 2026

Contents01

The Cybersecurity Lesson in E-Rickshaws

Deep Pal & Sukanya Thapliyal, Koan Advisory Group · Connected battery systems, BMS, IoT cybersecurity

GS 3 — Internal Security & TechnologyGS 2 — GovernanceEssay

02

Wealth of Lacunae: Cybersecurity and Transparency at Kudankulam

The Hindu Editorial · Nuclear infrastructure, supply chain cybersecurity, breach disclosure

GS 3 — Internal SecurityGS 2 — GovernanceEssay

Editorial 01 of 02

Article 01

The Cybersecurity Lesson in E-Rickshaws

Deep Pal & Sukanya Thapliyal — Policy Professionals, Koan Advisory Group · The Hindu

Relevance: GS 3 (internal security — cybersecurity, critical infrastructure, IoT vulnerabilities; science & technology — EVs, connected systems, digital supply chains), GS 2 (governance — regulatory gaps, MeitY, CERT-In, NCIIPC) and Essay (technology governance, security by design, trust in digital systems) — using the Delhi e-rickshaw BMS incident as an entry point to examine India’s missing framework for connected battery cybersecurity.

GS 3 — Internal Security & TechnologyGS 2 — Governance & RegulationEssay — Technology & Trust

1 — Issue in Brief

  • E-rickshaws in Delhi began stalling mid-road when pranksters — and increasingly extortionists — used Chinese BMS apps (BAT-BMS, Epoch Li-ion, Lossigy, SMART BMS) to exploit unsecured Bluetooth connections on lithium-ion battery packs, cutting off power with a single tap. The driver could restart only through the same app, prompting imposters to charge ₹200–₹300 to “fix” the vehicle.
  • MeitY Secretary S. Krishnan confirmed removal of the offending apps from Google Play Store and Apple App Store — a reactive, app-takedown response that does not resolve the underlying vulnerability in Battery Management Systems (BMS) accepting connections with weak or default credentials.
  • The editorial’s core argument: the real issue is not Chinese origin of software but that batteries are now software-defined, connected systems — and India has no coherent cybersecurity framework covering connected battery products, from e-rickshaws to grid-scale Battery Energy Storage Systems (BESS).
  • The stakes extend far beyond e-rickshaws: the same BMS vulnerabilities exist in systems that support power grids, telecom towers, warehouses, ports, industrial automation, and defence platforms — making this a critical infrastructure governance problem, not a consumer inconvenience.

2 — Static Background

  • Battery Management System (BMS): A BMS is an electronic system embedded in a battery pack that monitors cell voltage, temperature, and state of charge; balances cells; and protects against overcharge, deep discharge and overheating. Modern BMS units in lithium-ion batteries are software-defined and often Bluetooth-enabled, allowing remote monitoring, diagnostics, and maintenance — but also enabling remote misuse when credentials are weak or default.
  • India’s EV landscape: India has one of the world’s fastest-growing electric vehicle markets; e-rickshaws alone number in the millions, forming the backbone of last-mile urban mobility in cities across north India. Most low-cost e-rickshaws use lithium-ion battery packs with Bluetooth-enabled BMS — many shipped with default or no passwords.
  • CERT-In (Section 70B, IT Act, 2000): India’s national cyber incident response body under MeitY; issues cybersecurity directions (expanded in 2022 to include 6-hour mandatory reporting, log retention, and vulnerability disclosure). Has expanded guidance to include Software Bills of Materials (SBOMs), secure software development frameworks, and OEM security requirements — but guidance is non-binding for connected battery products specifically.
  • NCIIPC (National Critical Information Infrastructure Protection Centre): Functions under the PMO/NTRO; protects sectors designated as Critical Information Infrastructure (CII) including power, transport, telecommunications, banking, and defence under Section 70, IT Act, 2000. Grid-scale Battery Energy Storage Systems (BESS) may fall within its remit when deployed as part of designated CII — but EV and commercial BMS deployments remain outside its jurisdiction.
  • Sectoral regulatory landscape: The Central Electricity Authority (CEA) addresses battery risks through functional safety and organisational cybersecurity lenses; the Department of Telecommunications (DoT) and MeitY have introduced security assurance mechanisms for connected devices — but none of these mandatory regimes specify Bluetooth-enabled BMS and their management apps, leaving a clear regulatory gap.
  • Digital supply chain complexity: Modern battery systems comprise hardware and software sourced globally — cells from one country, BMS firmware from another, mobile management apps from a third. Security therefore depends on the integrity of the entire digital supply chain, not just the final assembled product.

3 — Key Dimensions

  • The regulatory white space: India’s institutional architecture for cybersecurity — CERT-In, NCIIPC, CEA, DoT, MeitY — is robust in principle but fragmented in practice. Connected battery products fall between sectoral mandates: too commercial for NCIIPC, too technical for CEA, and too specific for CERT-In’s general OEM guidance.
  • Reactive vs. proactive governance: The government’s response — removing apps from app stores — is purely reactive. It does not mandate secure-by-design standards for BMS manufacturers, require authentication hardening, or impose firmware integrity verification. New apps exploiting the same BMS vulnerability can surface at any time.
  • The supply chain trust problem: The editorial explicitly argues that the question is not “where the software originated” but whether it is demonstrably trustworthy. A Chinese-developed BMS firmware with rigorous security attestation may be safer than a domestically-developed one with poor practices — the framework must evaluate provenance and integrity, not just origin.
  • Escalating criticality: What is a prank in an e-rickshaw becomes a national security threat in a telecom tower battery system or a grid-scale BESS. The same Bluetooth BMS architecture is deployed in warehouses, ports, industrial automation, and increasingly in defence platforms — meaning the e-rickshaw incident is a proof-of-concept for higher-stakes attacks.
  • Global regulatory contrast: The EU Cyber Resilience Act (CRA) mandates secure-by-design requirements and Software Bills of Materials (SBOMs) for all products with digital elements; full compliance required by December 2027. The EU Digital Battery Passport mandates traceability of battery components and software. The US NIST Secure Software Development Framework and Executive Order 14028 (2021) require SBOM submission for federal software procurement. India has no equivalent binding standards for connected battery products.
  • The SBOM opportunity: A Software Bill of Materials is a machine-readable inventory of every software component — libraries, firmware, dependencies — in a product. Mandating SBOMs for BMS products would enable rapid identification of vulnerabilities across a fleet (e.g., all e-rickshaws using the same firmware) and shift accountability to manufacturers and importers.

4 — Critical Analysis

  • In favour — The incident reveals a systemic gap, not an isolated event: The e-rickshaw BMS vulnerability is an instance of a class of connected-device risks that will multiply as India deploys EVs, smart grids, and industrial IoT at scale. A standards framework addressing this now is far less costly than managing incidents later.
  • In favour — India’s EV ambition demands supply chain security: The PM Electric Drive Revolution in Innovative Vehicle Enhancement (PM E-DRIVE) scheme and Production Linked Incentive (PLI) targets for Advanced Chemistry Cell (ACC) batteries presuppose safe, secure battery systems. Ignoring BMS cybersecurity undermines both the EV transition and national security simultaneously.
  • In favour — SBOM and CERT-In guidance can be made binding through battery standards: Bureau of Indian Standards (BIS) and the Automotive Research Association of India (ARAI) already set safety standards for batteries; incorporating CERT-In’s SBOM and secure-development guidance into these standards would create an actionable, binding pathway without requiring new legislation.
  • In favour — “Trustworthiness” over “origin” is the right policy frame: An origin-based ban (blocking Chinese BMS) creates diplomatic friction, reduces competition, and can be circumvented through re-labelling. A performance-based trustworthiness standard — rigorous testing, verified secure development practices, SBOM disclosure — is more durable and consistent with India’s WTO obligations.
  • Against — Regulatory capacity is limited: India currently lacks the testing infrastructure and regulatory bandwidth to implement rigorous SBOM-based audits across millions of low-cost BMS units in the informal e-rickshaw market. Standards that cannot be enforced create false assurance.
  • Against — Cost burden on low-income operators: Requiring secure-by-design BMS with authenticated Bluetooth, firmware integrity verification, and lifecycle traceability will raise battery costs — passed on to e-rickshaw drivers who are predominantly informal, low-income workers with no buffer for higher equipment costs.
  • Against — App removal may be adequate for the immediate e-rickshaw risk: The BMS vulnerability in e-rickshaws is operationally annoying but not life-threatening (Bluetooth range is short; lead-acid vehicles are unaffected). Critics could argue that the editorial overstates the immediate threat and that the more pressing critical-infrastructure BMS risks already fall under NCIIPC’s mandate.
  • Against — Geopolitical framing risk: The editorial’s explicit pivot away from “where the software originated” is analytically correct but may be politically difficult to operationalise. In the current India–China technology context, origin-agnostic trustworthiness standards may face resistance from security agencies that favour blanket technology restrictions.

5 — Way Forward

  • Incorporate CERT-In’s SBOM and secure-software-development guidance into BIS battery standards and ARAI homologation norms — making software provenance, firmware integrity, and vulnerability disclosure mandatory for any BMS sold or imported in India, shifting from voluntary guidance to binding standards.
  • Extend NCIIPC’s jurisdiction explicitly to cover grid-scale BESS and commercially deployed battery systems in critical sectors (telecom towers, ports, warehouses, defence) — filling the current gap between CII-designated infrastructure and commercial deployments.
  • Mandate authenticated Bluetooth connections (no default or blank passwords) as a minimum standard for all Bluetooth-enabled BMS — a low-cost, high-impact fix that eliminates the specific vulnerability exploited in the Delhi e-rickshaw incident.
  • Establish a coordinated vulnerability disclosure (CVD) mechanism for connected battery products — so researchers who discover BMS vulnerabilities can report them to manufacturers and CERT-In without legal risk, enabling proactive patching rather than reactive app bans.
  • Draw on the EU Cyber Resilience Act (CRA) and Digital Battery Passport frameworks to develop an India-specific Battery Cybersecurity Standard covering lifecycle traceability, software update infrastructure, and supply-chain integrity — moving the conversation from technology origin to demonstrable trustworthiness.

6 — Data & Key Facts

3–4Apps removed: BAT-BMS, Epoch Li-ion, Lossigy, SMART BMS — pulled from Google Play Store & Apple App Store by MeitY

Dec 2027EU Cyber Resilience Act full-compliance deadline; mandates SBOM for all products with digital elements sold in EU

2021US Executive Order 14028 on Improving the Nation’s Cybersecurity; required SBOM for all federal software procurement

₹200–300Amount fraudsters charged e-rickshaw drivers to “fix” a remotely-stalled vehicle using the same app

6 hrsCERT-In mandatory incident reporting window (2022 Directions); non-compliance attracts penalty under Section 70B, IT Act

Sec. 70IT Act, 2000 — designates Critical Information Infrastructure; attacks on CII are a cognisable offence; NCIIPC is nodal body

  • BMS apps exploited: BAT-BMS and Epoch Li-ion (Chinese-developed); Lossigy and SMART BMS (similar architecture). Exploited BMS units accepted Bluetooth connections with weak or default credentials, allowing anyone within range to activate the battery discharge switch and cut power.
  • Only lithium-ion BMS-equipped e-rickshaws affected: Vehicles running on older lead-acid or dry batteries lack Bluetooth connectivity and are therefore not vulnerable — an important Prelims distinction.
  • EU Digital Battery Passport: An EU Battery Regulation requirement mandating a digital record of battery composition, carbon footprint, supply chain, and end-of-life information — extending traceability requirements to software and firmware.

7 — Prelims Pointers

BMS (Battery Management System) — electronic system monitoring cell voltage, temperature, state of charge; protects battery; modern units are Bluetooth-enabled and software-defined

CERT-In — under Section 70B, IT Act 2000; national cyber incident response; 2022 Directions: 6-hour reporting, 180-day log retention; expanded guidance includes SBOM, secure software development — but guidance is non-binding for connected battery products

NCIIPC — under PMO/NTRO; Section 70, IT Act; protects CII sectors (power, transport, telecom, banking, defence); grid-scale BESS may fall under remit; EV/consumer BMS currently outside jurisdiction

SBOM (Software Bill of Materials) — machine-readable inventory of all software components (libraries, firmware, dependencies) in a product; mandated by EU CRA and US EO 14028; enables rapid vulnerability identification across product fleets

EU Cyber Resilience Act (CRA) — first EU-wide binding regulation for cybersecurity of products with digital elements; mandates SBOM, secure-by-design, incident reporting; full compliance deadline December 2027

MeitY — Ministry of Electronics and Information Technology; oversees CERT-In, digital policy, and security assurance for connected devices; directed removal of BMS apps from app stores in the Delhi incident

Exam note: Distinguish CERT-In (incident response, under MeitY) from NCIIPC (CII protection, under PMO/NTRO) — a common confusion point. Also note: only lithium-ion BMS-equipped (Bluetooth-enabled) e-rickshaws were affected, not lead-acid vehicles. The editorial’s key policy argument is that trustworthiness (security attestation) — not origin — should be the test for imported technology.

8 — Practice Mains Question

“The misuse of battery management apps to disable e-rickshaws in Delhi reveals a structural gap in India’s cybersecurity governance of connected systems.” Critically examine, with reference to existing regulatory frameworks and global best practices.GS 3 · 15 marks · ~250 words · Internal Security + Science & Technology + Governance

  • Intro: Contextualise the Delhi BMS incident as a proof-of-concept for connected-device cybersecurity failures; distinguish the immediate e-rickshaw disruption from the larger risk to critical infrastructure.
  • Body 1 — The regulatory gap: CERT-In (non-binding guidance), NCIIPC (CII only), CEA/DoT (functional safety, not BMS-specific) — show how connected battery products fall between existing mandates.
  • Body 2 — Global frameworks: EU CRA (SBOM mandate, secure-by-design, Dec 2027), EU Digital Battery Passport, US EO 14028/NIST SSDF — draw contrast with India’s reactive app-removal approach.
  • Body 3 — Way forward: BIS standards incorporating SBOM + CERT-In guidance, mandatory authenticated Bluetooth, NCIIPC jurisdiction extension, CVD mechanism, and a trustworthiness (not origin-based) policy frame.
  • Conclusion: India’s EV ambition and digital infrastructure expansion demand proactive, standards-based cybersecurity governance of connected battery systems — building resilience into the supply chain rather than responding to individual incidents.

9 — Practice MCQ

Consider the following statements regarding India’s cybersecurity institutional framework:

1. The National Critical Information Infrastructure Protection Centre (NCIIPC) functions under the Ministry of Electronics and Information Technology (MeitY).
2. CERT-In is constituted under Section 70B of the Information Technology Act, 2000, and mandates reporting of cybersecurity incidents within six hours of detection.
3. The EU Cyber Resilience Act requires manufacturers to maintain a Software Bill of Materials (SBOM) for products with digital elements, with full compliance mandated by December 2027.

Which of the statements given above are correct?

(a) 1 and 2 only(b) 2 and 3 only(c) 1 and 3 only(d) 1, 2 and 3


Editorial 02 of 02

Article 02

Wealth of Lacunae: Cybersecurity and Transparency Are Non-Negotiable in Vital Installations

Editorial — The Hindu

Relevance: GS 3 (internal security — cybersecurity, critical infrastructure protection, nuclear security, supply chain vulnerabilities), GS 2 (governance — transparency, disclosure frameworks, regulatory accountability) and Essay (security vs transparency, technology governance, state and citizen trust) — using the Kudankulam nuclear plant contractor breach as an entry point to examine India's breach disclosure failures.

GS 3 — Internal SecurityGS 2 — Governance & TransparencyEssay — Security vs Openness

1 — Issue in Brief

  • Ransomware group World Leaks published nearly 19,000 files (14.3 GB) linked to India's largest nuclear plant — Kudankulam Nuclear Power Plant (KKNPP), Tamil Nadu — after compromising systems of Reliance Infrastructure, an engineering contractor for Units 3 and 4, with data hosted on Yotta Data Services.
  • Files include engineering drawings, ventilation and cooling system layouts, floor plans, internal minutes of meetings between Indian and Russian (Rosatom) engineers, vendor/supplier lists, and insurance documents — spanning 2016 to mid-2025.
  • NPCIL insists files pertain only to common service facilities outside the nuclear island and do not relate to nuclear safety or security systems — but the editorial argues that even non-operational data enables adversarial "intelligence preparation."
  • The deeper editorial argument: India's breach disclosure regime is inconsistent and opaque. Yotta detected suspicious activity on 29 May; data appeared publicly on 11 June; NPCIL issued a formal clarification only on 15 July — a 35-day lag — and only after widespread media reports. Basic cyber-hygiene and proactive communication are, the editorial concludes, non-negotiable.

2 — Static Background

  • Kudankulam Nuclear Power Plant (KKNPP): Located in Tamil Nadu; India's largest nuclear power station and one of seven nuclear plants in India; built in collaboration with Russia's Rosatom. Reliance Infrastructure won a contract in 2018 to design and build infrastructure for Units 3 and 4 (still under construction; targeted commissioning 2027; combined capacity 2,000 MW).
  • 2019 precedent: Malware was detected on KKNPP's administrative network in 2019; NPCIL maintained the operational reactor network was unaffected — establishing a pattern of security incidents paired with opaque public communication at the same facility.
  • World Leaks: A well-known ransomware-as-a-service group that has previously targeted Nike and Tata Group. In June 2026 the group reportedly demanded USD 1.5 million to keep Tata Group files (containing Apple and Tesla proprietary designs) private; when ignored, it published. Its modus operandi: steal → demand ransom → publish on dark web if refused.
  • CERT-In (Section 70B, IT Act, 2000): India's national cyber incident response body under MeitY; 2022 Directions introduced a mandatory 6-hour incident reporting window; non-compliance attracts penalties under Section 70B. CERT-In is currently investigating the Kudankulam breach.
  • Critical Information Infrastructure (CII): Designated under Section 70, IT Act, 2000; any attack on CII is a cognisable offence; NCIIPC (National Critical Information Infrastructure Protection Centre) under PMO/NTRO is the nodal protection body.
  • India's cyber threat landscape: Cybersecurity incidents rose from 10.29 lakh (2022) to 22.68 lakh (2024); cybercrime losses projected at ₹20,000 crore across sectors in 2025. Notable prior attacks: AIIMS Delhi ransomware (23 November 2022) — servers down 10+ days, ~3 million patient records at risk; airlines; State government portals.
  • Atomic Energy Act, 1962: Governs nuclear security in India; nuclear energy is a Union subject. NPCIL (operator, under Department of Atomic Energy) is distinct from AERB (Atomic Energy Regulatory Board — independent nuclear safety regulator).

3 — Key Dimensions

  • Supply chain as the weakest link: The breach did not penetrate the nuclear island — it exploited a secondary contractor (Reliance Infrastructure) and its third-party data host (Yotta), effectively bypassing the national security perimeter. The incident is a landmark example of supply chain attack on critical infrastructure: security is only as strong as its weakest contractor.
  • The three-tier disclosure failure: Yotta detected suspicious activity (29 May) → data appeared on World Leaks website (11 June) → NPCIL formally communicated (15 July) — a 35-day gap between public exposure and official acknowledgement, exemplifying the opacity the editorial critiques.
  • "Intelligence preparation" risk: Vendor lists, joint inspection records, and layout information for ventilation and cooling systems — even if outside the nuclear island — constitute meaningful inputs for adversarial targeting, sabotage planning, and social engineering of supply chain actors.
  • Organisational culture of concealment: Affected organisations delay disclosure fearing damage to public confidence, share prices, contracts, and regulatory scrutiny. Many also lack mature incident response capabilities — treating cybersecurity as compliance rather than necessity — making early-stage damage assessment technically impossible.
  • India as a high-value target: India is described in the editorial as the third-most breached country; KKNPP is the centrepiece of India's nuclear power expansion ambitions under PM Modi — making it a high-profile target for state-sponsored actors as well as criminal ransomware groups.

4 — Critical Analysis

  • In favour — Supply chain regulation gap is real and urgent: India's CII framework (Section 70, IT Act) protects primary operators but imposes no equivalent cybersecurity obligations on Tier-2 and Tier-3 contractors — a structural gap this incident vividly illustrates. CERT-In's 6-hour mandatory reporting rule was demonstrably not followed.
  • In favour — Transparency has a constitutional and democratic basis: Article 19(1)(a) and the RTI Act, 2005 create a normative expectation of disclosure; when critical public infrastructure is compromised, Parliament and citizens have a legitimate interest in knowing the extent and nature of the breach.
  • In favour — Nuclear credibility and diplomatic stakes are high: Opacity damages public trust, deters private investment in nuclear expansion, and creates friction with partner nations — especially Rosatom, whose engineers' joint inspection records are among the leaked files.
  • In favour — CERT-In's audit mandate needs teeth: CERT-In conducted nearly 10,000 audits across critical sectors in FY 2024–25, but contractor-level audit obligations remain weak. Extending CII cybersecurity requirements down the supply chain is administratively feasible and legally grounded in Section 70.
  • Against — Over-disclosure risks adversarial advantage: In nuclear security contexts, excessive public communication about leaked material may assist adversaries in confirming authenticity or identifying gaps — a legitimate reason for calibrated, rather than radical, transparency.
  • Against — Operational reactor networks are air-gapped: The direct threat to nuclear safety is low; reactor operational networks are physically separated from contractor-managed administrative systems. There is a risk that public alarm is disproportionate to actual danger.
  • Against — Attribution and file authenticity are unverified: Reuters and independent researchers reviewed the files but could not independently verify their authenticity. The government's account of what was and was not compromised has not been independently audited.
  • Against — App-layer and contractor-level fixes may suffice: The specific breach required no penetration of NPCIL's own systems; mandatory contractual cybersecurity clauses, regular third-party audits, and credential hygiene for contractors may address the vulnerability without legislative overhaul.

5 — Way Forward

  • Extend CII cybersecurity obligations down the supply chain: amend CERT-In directions or issue binding guidance requiring Tier-2 and Tier-3 contractors of CII projects to undergo mandatory annual cybersecurity audits, air-gapping of sensitive project data, and 6-hour incident reporting — closing the contractor gap the Kudankulam breach exposed.
  • Create a Nuclear Cyber Security Unit within NPCIL and AERB for dedicated red-team exercises, contractor security audits, and supply chain penetration tests — modelled on the US Nuclear Regulatory Commission's (NRC) cybersecurity framework.
  • Develop a graduated public disclosure protocol: not all breaches merit the same level of communication; CERT-In should serve as the authority for managing disclosure timelines, balancing national security with the citizen's legitimate right to know.
  • Investigate the 35-day disclosure gap: CERT-In and NPCIL must clarify whether the mandatory 6-hour reporting norm was complied with; if not, accountability must be fixed under Section 70B.
  • Mandate contractor cybersecurity clauses in all nuclear and CII project contracts — requiring vendors to disclose breaches immediately, maintain secure development practices, and accept third-party audits as conditions of contract.

6 — Data & Key Facts

19,000Files (14.3 GB) leaked; most sensitive subset of 8,58,000 total Reliance files on World Leaks

35 daysGap between data appearing publicly (11 June) and NPCIL's formal clarification (15 July 2026)

2,000 MWCombined capacity of KKNPP Units 3 & 4 (under construction; target commissioning 2027)

USD 1.5 MnRansom World Leaks demanded from Tata Group (June 2026); same group behind Kudankulam breach

22.68 lakhCybersecurity incidents in India in 2024 (up from 10.29 lakh in 2022)

6 hoursCERT-In mandatory incident reporting window (2022 Directions); non-compliance = penalty under Section 70B, IT Act

  • Documents leaked (2016–2025): engineering drawings, ventilation/cooling system blueprints, floor plans of a common control room, Indian–Russian joint inspection records, vendor/supplier lists, insurance documents. Reuters reviewed but could not verify every file's authenticity.
  • AIIMS Delhi ransomware (23 Nov 2022): Servers down 10+ days; ~3 million patient records at risk; ~1.3 TB of data on 5 servers encrypted — India's most cited prior attack on critical health infrastructure.

7 — Prelims Pointers

KKNPP — India's largest nuclear plant; Tamil Nadu; Rosatom collaboration; Units 1 & 2 operational; Units 3 & 4 under construction (target 2027, combined 2,000 MW); Reliance Infrastructure is contractor for Units 3 & 4

CERT-In — Section 70B, IT Act 2000; under MeitY; 6-hour mandatory incident reporting (2022 Directions); 180-day log retention; ~10,000 CII audits in FY 2024–25

NCIIPC — under PMO/NTRO; Section 70, IT Act; protects designated CII sectors (power, transport, telecom, banking, defence); distinct from CERT-In (MeitY)

NPCIL vs AERB — NPCIL: operator/commercial entity under Department of Atomic Energy. AERB: independent nuclear safety regulator under Atomic Energy Act, 1962. Nuclear energy = Union subject

World Leaks — ransomware-as-a-service group; targets include Nike, Tata Group, KKNPP contractor; modus operandi: steal → ransom demand → publish on dark web if refused

Section 70, IT Act — designates Critical Information Infrastructure; attacks on CII are cognisable offences; Section 70B establishes CERT-In; Section 70A establishes NCIIPC

Exam note: Do not confuse CERT-In (incident response, under MeitY) with NCIIPC (CII protection, under PMO/NTRO) — a very common error. Also: nuclear energy is a Union subject under the Atomic Energy Act, 1962, not on the Concurrent List. NPCIL (operator) and AERB (regulator) are separate bodies.

8 — Practice Mains Question

"Cybersecurity breaches at India's critical infrastructure increasingly exploit the supply chain rather than the primary facility. Critically examine the challenges this poses and suggest a framework for stronger protection."GS 3 — Internal Security + Science & Technology · 15 marks · ~250 words

  • Intro: Define CII and the supply-chain attack vector; cite KKNPP–Reliance–Yotta incident as the live context alongside AIIMS 2022 to establish a pattern.
  • Body 1 — The supply-chain gap: Section 70 protects primary operators but not Tier-2/3 contractors; CERT-In's 6-hour rule demonstrably not followed; contractor-level audit obligations remain weak despite 10,000 CII audits in FY25.
  • Body 2 — Disclosure opacity: 35-day lag at Kudankulam; organisational incentive to conceal; the DPDP Act 2023 vs CERT-In dual-obligation framework; tension between security and transparency.
  • Conclusion: Extend CII obligations down the supply chain; create a Nuclear Cyber Security Unit; develop a graduated disclosure protocol; mandate cybersecurity clauses in all CII project contracts.

9 — Practice MCQ

Consider the following statements regarding India's cybersecurity framework for critical infrastructure:

1. The National Critical Information Infrastructure Protection Centre (NCIIPC) functions under the Prime Minister's Office and is constituted under Section 70A of the IT Act, 2000.
2. CERT-In's 2022 Directions require organisations to report cybersecurity incidents within 24 hours of detection.
3. Under the Atomic Energy Act, 1962, nuclear energy is a Union subject, and NPCIL (operator) and AERB (regulator) are separate bodies.

Which of the statements given above are correct?

(a) 1 and 2 only(b) 2 and 3 only(c) 1 and 3 only(d) 1, 2 and 3