On 4th January 2017, CERT-In had issued an order regarding the reporting of incidents to CERT-In.
The order has now been re-issued along with detailed instructions on other security measures, which will be applicable to all service providers, intermediaries, data centres, body corporates and Government organisations. These directions will take effect 60 days from the date of issue of the notification (28th April 2022).
Some of the requirements are as follows.
- Shall connect to the Network Time Protocol (NTP) server of NIC or NPL or with NTP servers traceable to these NTP servers for synchronization of clocks.
- Mandatorily report cyber incidents within 6 hours and follow the instructions provided if any.
- Shall provide a point of contact.
- Enable logs of all their ICT systems and maintain them for a rolling period of 180 days; the logs shall be maintained within Indian jurisdiction.
- Shall maintain information on subscribers and customers hiring services for a period of 5 years, including IPs allotted to members, e-mail address and the timestamp at the time of onboarding.
- Virtual asset service providers shall maintain KYC of their users as per RBI/SEBI norms.
- Accurate transaction records shall be maintained.
The type of incidents that need to be reported has also been expanded to include the following.
i. Targeted scanning/probing of critical networks/systems
ii. Compromise of critical systems/information
iii. Unauthorised access of IT systems/data
iv. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
v. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
vi. Attack on servers such as Database, Mail and DNS and network devices such as Routers
vii. Identity Theft, spoofing and phishing attacks
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
ix. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
x. Attacks on Application such as E-Governance, E-Commerce etc.
xi. Data Breach
xii. Data Leak
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
xiv. Attacks or incident affecting Digital Payment systems
xv. Attacks through Malicious mobile Apps
xvi. Fake mobile Apps
xvii. Unauthorised access to social media accounts
xviii. Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
xix. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
xx. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning
The incidents can be reported to CERT-In via email (firstname.lastname@example.org), Phone (1800-11-4949) and Fax (1800-11-6969).
Given the reluctance of companies to accept any security measures of the Government of India, we can expect a media campaign opposing the directions.
However, it is good to know that CERT-In has woken up from its slumber and has issued this order. We have to wait and see how seriously the order will be implemented.
From the compliance point of view, CISOs need to take immediate action, as CERT-In also has quasi-judicial powers and can take action, including initiating prosecution for criminal punishment, if the order is ignored.
It may be noted that breaches of both non-personal data and personal data are to be reported to CERT-In and also to the Data Protection Authority to be set up under DPA 2021. Hopefully CERT-In will focus on post-incident action in respect of security, while the Data Protection Authority will focus on punitive action against Data Fiduciaries in relation to personal data. The timely waking up of CERT-In is therefore significant. The silence of CERT-In for several years had reduced the office to a mere advisory-issuing back office. This perception has to change, and this notification probably signals such a welcome change.