Towards Institutionalising India’s Critical Infrastructure Protection Programme: Twin Pillars, One Foundation, and One Measurable Framework
This paper examines India’s fragmented Critical Infrastructure Protection (CIP) landscape at a time when asymmetric threats, cyber intrusions and systemic vulnerabilities have elevated CIP from a technical concern to a strategic necessity1. Current arrangements under the National Critical Information Infrastructure Protection Centre (NCIIPC) remain confined to information assets and leave physical infrastructures, sectoral interdependencies and resilience standards outside effective oversight. To address this gap, the paper advances an integrated statutory and evaluative architecture built on the Critical Infrastructure Protection Act (CIPA), which provides inspection authority, penalties, incident reporting and coordinated response, and the Bharat National Resilience Index (BNRI), which establishes quantifiable resilience thresholds across preparedness, mitigation, response and recovery. The approach moves beyond Western standalone critical-sector templates and incorporates India-specific sectoral clusters previously detailed by the author and published in this journal, capturing the country’s system-of-systems vulnerabilities, federal asymmetry and hybrid threat exposure. Through the combined structure of the Twin Pillars, One Foundation and One Measurable Framework, the model shifts CIP from voluntary aspiration to legal mandate2. By aligning technological, cyber-geopolitical, economic, disaster-management, statutory, governance and national security perspectives within one measurable framework, the paper presents an India-specific criticality lens that offers a coherent blueprint for institutionalising CIP and a normative reference for states across the Global South confronting comparable structural constraints.
1. Introduction
India’s infrastructure ecosystem is exposed to expanding and intricate risks as hybridised threats exploit cyber-physical interdependencies and generate cascading failures across essential networks. Current governance rests on the mandate of the National Critical Information Infrastructure Protection Centre (NCIIPC) under Section 70A of the IT Act. This mandate remains confined to information assets and does not extend to physical infrastructure, operational linkages or inter-sector dependencies that shape real-world vulnerabilities3. The limits of this arrangement have already appeared. The RedEcho-linked intrusion targeting India’s power infrastructure, publicly examined by Recorded Future and reviewed by Indian authorities, coincided with the 2020 Mumbai outage and illustrated how a digital compromise can align with physical disruption and produce wide economic impact, even though official attribution remains cautious4. The episode affirmed a larger structural issue. Cyber-only frameworks cannot manage systemic risks that travel across sectors, operational environments and federal jurisdictions5.
Comparative experiences clarify the constraints and possibilities for India. The United States relies on voluntarism and private-sector coordination under the National Infrastructure Protection Plan, an approach shaped by its regulatory culture and market structure6. The European Union enforces uniform obligations through the NIS2 Directive and applies common security baselines across member states7. China follows concentrated administrative control. Australia’s SOCI Act incorporates mandatory incident reporting, supply-chain scrutiny and foreign-investment monitoring, an approach enabled by its legislative design8. These models are informative but emerge from institutional and economic environments very different from India’s federal and resource conditions. Prior research therefore calls for an India-specific criticality lens that treats infrastructure as a system of systems where local failures can spill into governance, economic continuity and national security9.
This paper develops a Critical Infrastructure Protection Programme (CIPP) around three linked elements: Twin Pillars, One Foundation and One Measurable Framework. The first pillar, the Critical Infrastructure Protection Act (CIPA), provides statutory authority for inspections, reporting, audits and multi-ministerial coordination and brings legal clarity to responsibilities that currently remain dispersed.
The second pillar, the Bharat National Resilience Index (BNRI), introduces measurable resilience indicators that capture redundancy, recovery timelines and systemic continuity and aligns institutional expectations with quantifiable outcomes. The foundation expands sectoral attention beyond energy, transport and ICT to include logistics, agriculture, water ecosystems, public health, judicial systems and maritime corridors. These domains rarely appear in global frameworks even though they remain central to India’s socio-economic and strategic stability.
The measurable framework assesses resilience across seven analytical dimensions that encompass technology, legal preparedness, economic structures, disaster governance, institutional capacity and national security. This integrated structure reduces fragmented reporting and weakens silo-driven oversight by consolidating assessment within a single evaluative logic.
Taken together, these elements position India’s CIP pathway as distinct from prevailing Western or Chinese templates and more comprehensive than incremental extensions of cyber-centric requirements. They establish a statutory, metrics-based and sector-expanded governance structure in which coordination and evaluation operate within one combined programme. Through this shift, India strengthens its role as a normative contributor within the Global South and shapes resilience approaches suited to federal diversity and resource-constrained operational settings10.
2. The Foundation: Reimagining Sectoral Priorities
The foundation of a Critical Infrastructure Protection Programme (CIPP) for India must begin with a decisive shift in how sectors are prioritised. Conventional templates drawn from advanced economies cannot be transferred without modification. As argued in Towards a Critical Infrastructure Protection Programme for India: Reconceptualising Sectoral Priorities for Strategic Resilience and National Security11, the direct use of frameworks such as the United States National Infrastructure Protection Plan or the European Union’s NIS and NIS2 regimes would be misaligned with India’s developmental stage, socio-economic variation and federal asymmetry. These models function effectively in industrialised contexts that concentrate on capital-intensive infrastructures including energy, ICT, finance and transportation. They leave aside several sectors that remain structurally fragile and essential in India.
India requires an India-specific criticality lens that interprets vulnerability not as isolated sectors but as interlinked dependencies that function as a system of systems12. India’s fragility is rooted in water, agriculture, logistics, health systems and judiciary infrastructure. Disruptions in these domains create ripple effects. Water scarcity in drought-prone states can weaken food security, constrain hydro-electric output and place pressure on urban resilience. Instability in agriculture combined with interruptions in logistics often leads to food inflation, heightened public health risks and political tension. The COVID-19 pandemic demonstrated the interconnected operations of healthcare, transport corridors, ICT networks and pharmaceutical supply chains. Judicial infrastructure, including e-courts and digital registries, supports the continuity of governance. If compromised, it would slow institutional processes and weaken public trust. Global studies of developing economies show similar patterns where shocks disproportionately destabilise food and health systems and reinforce the need for widened sectoral prioritisation13.
Operational experience reinforces the limitations of narrow classifications. NCIIPC’s mandate under Section 70A of the IT Act remains restricted to information systems. Repeated intrusions such as the RedEcho activity linked to the Mumbai power grid highlight how digital compromise can coincide with physical disruption and wider systemic paralysis, even in the absence of full attribution15.
This confirms that India cannot rely on a cyber-focused framework. A national CIPP must codify a wider sectoral base that includes conventional assets such as energy, ICT, finance and the defence industrial base, socio-economic backbones including water systems, agriculture, healthcare, judiciary and public service delivery chains, strategic frontiers that encompass maritime corridors, nuclear plants, space assets and rare-earth or semiconductor ecosystems, and innovation clusters comprising MSMEs, start-ups, frontier research centres and digital platforms.
This shift reflects statutory necessity rather than conceptual preference. Without legal recognition, these sectors will remain under-protected. As stressed in Hybrid dimension of critical information infrastructure security: Why India needs a CIPA to attain cyber-physical resilience16 and Compulsions of enacting a Critical Infrastructure Protection Act17, hybrid threats routinely exploit the intersections where governance, economic activity and societal reliance converge. Experiences across the Critical Five nations further illustrate this evolution. Australia’s SOCI Act integrates supply-chain resilience and foreign investment scrutiny. The United Kingdom’s Critical National Infrastructure Knowledge Base identifies dependencies beyond classical sectors18. UNDRR similarly notes that resilience frameworks in the Global South must include non-classical infrastructures such as water systems, natural ecosystems and dense urban settlements because they often act as catalysts for cascading disruption19.
By embedding this reimagined taxonomy into law, India must set the foundation of its CIPP. This broadened structure ensures that resilience planning incorporates ecological pressures, federal asymmetry, population density and hybrid warfare risks. Such codification provides the structural depth required to absorb shocks, adapt to shifting threats and sustain functional continuity without systemic collapse.
3. The First Pillar: Critical Infrastructure Protection Act (CIPA)
A major gap within India’s Critical Infrastructure Protection landscape is the absence of statutory authority. The National Critical Information Infrastructure Protection Centre (NCIIPC) under Section 70A of the IT Act governs information infrastructure, yet its jurisdiction does not cover physical systems, sectoral interdependencies or hybrid threat environments that increasingly shape national vulnerability20. This narrow cyber focus has produced a fragmented protection ecosystem that cannot keep pace with environments where cyber intrusions, physical disruption and geopolitical interference interact with growing frequency. As highlighted across multiple policy analyses21, the Critical Infrastructure Protection Act (CIPA) has become essential, not as a procedural refinement but as a statutory instrument required for national security and strategic resilience.
3.1 Geopolitical and Hybrid Threat Drivers
The South Asian and Indo-Pacific regions remain volatile, and state as well as non-state adversaries continue to target critical infrastructure to weaken India’s strategic posture. Pakistan’s support for cross-border attacks against transport systems, energy networks and defence sites remains documented across several assessments22. China’s dual approach, which combines assertiveness along the Line of Actual Control with infrastructure leverage through Belt and Road corridors in Sri Lanka, Nepal and Bangladesh, creates a two-tier vulnerability where sabotage could be paired with pressure in the grey zone. Bangladesh has also experienced extremist strikes against infrastructure, signalling spillover risks along India’s porous borders23. Global precedents reinforce this pattern. The Nord Stream pipeline sabotage demonstrated how critical infrastructure can become an instrument of geopolitical confrontation in contested regions24.
Threats of this nature cannot be managed through voluntary arrangements or isolated departmental mandates. Hybrid conflict blends cyber disruption with narrative manipulation and physical sabotage. Responding to this environment requires statutory inspection authority, enforceable compliance and rapid operational capability. Without CIPA, India remains reactive, capacity-fragmented and institutionally dispersed in the face of adversarial intent25.
3.2 Structural Mandates of CIPA
CIPA should establish the National Critical Infrastructure Protection Authority (NCIA) with jurisdiction that spans sectors and ministries and with the ability to issue emergency directives when national interests require unified action. Its mandates include risk audits and sectoral inspections conducted independently and benchmarked against global models that draw from United States federal directives and mandatory European Union risk assessment requirements26. It should also enforce incident reporting and transparency through compulsory disclosure within twenty-four hours of any cyber or physical disruption, in line with NIS2 expectations and replacing the opaque reporting tendencies currently observed27. CIPA must mandate resilience drills and red teaming through annual sector-level exercises and bi-annual integrated national drills, a practice central to both the United States NIPP approach and the methodologies followed by the Critical Five nations28. Emergency directive powers would authorise shutdowns, activation of continuity mechanisms or issuance of immediate protection orders during national emergencies. This parallels elements of the Chinese sovereign approach while being adapted to India’s federal democratic structure29.
CIPA should also establish accountability within public-private partnerships through mandatory resilience clauses, penalties for concealment and structured liability for operators who fail to meet compliance obligations30. Sectoral notification and expansion must include non-traditional sectors such as judiciary, logistics, agriculture and maritime infrastructure, aligning with the broadened taxonomy established earlier and ensuring that statutory protection spans all domains that contribute to national continuity31.
3.3 Economic and Strategic Justifications
The economic purpose of CIPA aligns with investor confidence and India’s position within global value chains. The objective of making India a manufacturing and supply-chain hub rests on assured resilience across essential systems. Cyberattacks on banking networks and ransomware incidents that have disrupted healthcare facilities demonstrate how vulnerabilities undermine operational stability and weaken investor trust32. By embedding resilience requirements in law, CIPA positions security as an economic enabler and a prerequisite for predictable growth33. Global investment studies show a clear link between statutory resilience regulation and inward capital flows, particularly in emerging economies where risk perception directly influences investment decisions34.
CIPA also contributes to national strategic autonomy. As examined in Protecting India’s Critical Infrastructure35, failures in infrastructure do not remain confined to operational or financial domains. They can trigger national security shocks that evolve into political or governance crises. Legislating baseline resilience expectations strengthens deterrence against intentional disruption and reinforces India’s credibility within global security frameworks.
3.4 Global Precedents and the Legislative Imperative
Global experience shows why statutory protection of critical infrastructure has become indispensable. The United States adopted the Homeland Security Act after 9/11 to institutionalise integrated protection. The United Kingdom introduced legal resilience standards following the Manchester attack. Australia’s SOCI Act created a Critical Infrastructure Centre with authority over foreign involvement. Israel consolidated cybersecurity oversight under a National Cyber Directorate, while Germany enacted the IT Security Act to enforce resilience obligations across essential operators36. Scholarship concludes that statutory authority is the decisive threshold separating voluntary resilience from enforceable resilience, particularly where interdependent systems are exposed to hybrid threats37. For India, the implication is direct. Without legal codification, responses to hybrid attacks will remain fragmented and reactive, and interdependency governance will continue to suffer from institutional gaps. A national CIPA would close these gaps, establish accountability across operators and embed resilience within the legal framework of national security. It is not a procedural addition. It is a strategic requirement.
4. The Second Pillar: Bharat National Resilience Index (BNRI)
Resilience cannot be institutionalised without measurement, and a framework cannot influence behaviour unless it is enforceable. India’s current CIP approach lacks quantifiable benchmarks, which leaves resilience framed as policy language rather than legal requirement. Existing tools such as the Resilience Measurement Index38 or lifecycle methodologies developed by Fraunhofer and OECD offer conceptual direction but do not align with India’s governance realities. Federal asymmetry, uneven institutional capacity and development disparities make direct adoption impractical. India therefore requires its own statutory index that calibrates resilience against systemic vulnerabilities and sets mandatory compliance across operators. The Bharat National Resilience Index (BNRI) addresses this dual need. It functions as a regulatory instrument that creates accountability and as a knowledge system that supports continuous learning. Comparative research has already concluded that indices without statutory authority remain voluntary guidelines and cannot deliver enforceable obligations39.
4.1 Conceptual Foundations
BNRI is grounded in the premise that resilience is measurable across preparedness, mitigation, response and recovery. It begins with the recognition that Indian infrastructures operate as interconnected systems rather than isolated sectors and that they reflect system-of-systems vulnerabilities40. The index therefore evaluates both sector-level robustness and the strength of interdependencies across diverse critical sectors and sectoral clusters. BNRI formalises resilience as a property of networks and not as a sum of silos. By placing BNRI within the structure of the Critical Infrastructure Protection Act (CIPA), ambiguity in responsibilities is removed. Operators cannot treat resilience as discretionary expenditure, and statutory inspection, measurable thresholds and liability enforcement ensure that compliance becomes compulsory.
4.2 Structure of BNRI Metrics
BNRI applies a tiered structure comprising Tier-A, Tier-B and Tier-C. This avoids a single uniform mandate and ensures proportional compliance across operators with varying capacities. The approach is necessary in India because a common standard would either overwhelm small operators or leave nationally critical assets inadequately protected. Graduated obligation becomes the organising logic. Systems with higher national importance carry a greater statutory burden, while those with limited systemic impact maintain essential baselines.
Tier-A assets, which include nationally indispensable systems such as ports, major reservoirs and power substations, require the highest level of protection. They must conduct mandatory digital-twin simulations to map systemic vulnerabilities and to allow stress testing before real incidents occur. A failure in one major substation, for instance, could reveal cascading impacts across water pumping operations, hospitals or aviation networks. Digital twins expose weaknesses in controlled conditions. Tier-A systems must also adopt AI-driven anomaly detection with predictive analytics41, since advanced tools identify micro deviations that signal hostile intrusion or technical deterioration. Predictive alerting is essential for these assets because reactive approaches cannot contain national-scale risks. Continuous red teaming across cyber and physical environments is also required. Red teams simulate adversarial behaviour and uncover insider risk, physical gaps and digital weaknesses. Finally, Tier-A resilience must include statutory codification of Mean Time to Recovery (MTTR). MTTR determines whether a disruption stays contained or escalates into systemic paralysis. Embedding MTTR in law compels redundancy planning, continuity protocols and rapid restoration capacity.
Tier-B assets, such as regional water systems, airports and regional power grids, hold significant yet geographically bounded importance. These systems must meet compulsory Multi-Factor Authentication and cyber hygiene standards, since regional networks are frequent ransomware targets due to weak authentication. BNRI establishes MFA as the minimum defence baseline. Mandatory incident reporting within twenty-four hours is also required because underreporting increases the likelihood that local failures evolve into broader disruptions. Annual resilience audits must be conducted across cyber, physical and operational dimensions. These audits examine technical controls, staff readiness, fallback procedures and exposure to environmental or hazard risks.
Tier-C assets, which include entities with limited systemic impact such as rural hospitals or regional logistics hubs, follow requirements that focus on patch management, reporting and basic workforce training. These measures establish a national resilience floor and prevent Tier-C entities from becoming entry points for wider compromise. Ransomware incidents targeting unpatched rural health systems have already demonstrated how seemingly small breaches can propagate into national digital platforms.
This calibrated structure avoids excessive regulation of small operators while strengthening resilience in critical systems. Tier-A carries binding statutory obligations. Tier-B applies proportionate requirements, and Tier-C maintains a mandatory minimum baseline. The tiering framework places resilience within a connected continuum rather than a fragmented set of protections.
4.3 Integration with Global Practices
BNRI draws on international experience but avoids direct replication. Many global indices assume uniform institutional capacity, a condition that India does not share. NIST’s Cybersecurity Performance Goals42 and the EU’s NIS2 Directive function within environments that maintain strong enforcement and high compliance culture. The Critical Five models, most notably Australia’s SOCI Act, underline the importance of supply-chain resilience and mandatory audits43. India faces different vulnerabilities. Long-term water scarcity, an agriculture-dependent economic base and uneven digitalisation within judiciary systems require an adaptive model rather than a transferred one. Codifying BNRI allows India to function as a normative designer instead of a passive adopter. Just as NIST evolved into a global reference for cyber maturity, BNRI holds potential to serve as a resilience framework for the Global South. Scholarship already recognises that resilience models for developing states cannot rely on Western sectoral checklists and must reflect contextual realities and operational constraints44.
4.4 Regulatory and Research Dualism
BNRI carries a dual purpose. As a regulatory instrument, it equips NCIA with enforceable tools. Mandatory drills, statutory audits and incident reporting create measurable compliance and legal accountability45. As a knowledge repository, it functions as a living system. Data generated through audits, inspections, red-team exercises and institutional assessments supports continuous research-driven refinement. This design prevents BNRI from becoming a static checklist and ensures that it remains responsive to evolving hybrid threats. At the same time, it positions India within an international landscape shaped by standards such as ISO and IEC 27001:2022 for cyber resilience, the UNDRR Sendai Framework for disaster governance and NATO’s 2022 Strategic Concept where infrastructure resilience entered collective security discussions46. Through this alignment, India strengthens domestic capability while contributing meaningfully to global resilience governance.
4.5 Prescriptive Value
Institutionalising BNRI addresses several structural gaps simultaneously. It introduces enforceability, shifting resilience from voluntary aspiration to legal requirement where non-compliance generates liability. It formalises prioritisation by assigning the highest protection obligations to Tier-A infrastructures due to their cascading risk potential, while Tier-B and Tier-C systems are governed proportionately to establish a national resilience floor. It also brings transparency through measurable benchmarking. India gains the ability to assess resilience capacity with quantifiable indicators and present readiness in international platforms. BNRI therefore becomes more than an administrative mechanism. It establishes a doctrinal base and positions India as a knowledge producer rather than a policy borrower in the global resilience landscape47.
5. The Measurable Framework: Comprehensive Protection Programme
Operationalising the Critical Infrastructure Protection Programme (CIPP) requires measurement. Intent must translate into enforceable standards. Building on the Bharat National Resilience Index (BNRI), this framework introduces a layered evaluation structure across seven analytical perspectives. These include technological, cyber-geopolitical, economic, disaster-management, statutory, governance and national security.
Each perspective converts resilience from policy language into statutory obligation, ensuring that compliance becomes a daily operational requirement. These principles, outlined in Critical Infrastructure Protection in a Cyber-Physical World48, are now structured as mandates for regulators, operators and policymakers.
5.1 Technological Priorities
India’s technological exposure arises from legacy OT and SCADA systems that continue to operate without adequate segmentation across power, logistics, healthcare and transport networks49 50. The RedEcho activity affecting Mumbai demonstrated this vulnerability. A digital intrusion moved rapidly because network segmentation was weak and MFA adoption remained inconsistent across operators51 52. Evidence indicates that MFA reduces breach success by more than 90 percent, yet many Tier-B systems still treat it as optional53.
BNRI formalises statutory requirements by mandating OT and SCADA segmentation across Tier-A and Tier-B systems so that a single failure cannot cascade across the network. Zero trust architecture with MFA becomes baseline access control. A national AI-enabled anomaly detection grid, aligned with predictive analytics models, provides early warning as a national capability rather than a localised practice54. A resilience levy supports retrofitting of legacy systems, acknowledging that cost cannot remain a justification for delayed implementation. This structure aligns India with the U.S. CISA OT and ICS performance objectives55, while CIPA embeds enforceability across operators.
5.2 Cyber-Driven World Order
Strategic competition increasingly unfolds in cyberspace, where intrusions combine digital disruption with physical damage, narrative manipulation and proxy escalation. India’s deterrence posture remains largely declaratory, and no statutory escalation scale currently exists to define thresholds for hybrid response56. Threat intelligence sharing among CERT-In, NCIIPC and sectoral regulators also remains uneven. The U.S. ISAC ecosystems and the EU NIS2 collaboration mechanisms demonstrate the operational advantage of real-time collective situational awareness and coordinated threat tracking57 58.
The measurable framework therefore requires a statutory doctrine of cyber deterrence that defines thresholds for hybrid escalation, mandatory ISAC-style intelligence exchange platforms to ensure adversarial tactics are detected and countered in real time, zero trust enforcement in designated critical sectors to reduce insider threat and lateral movement, and standardised SOC maturity at Tier-3 nationwide with state support for smaller operators. Once formalised in law, resilience enters doctrine and national security incorporates enforceable cyber readiness.
5.3 Economic and Business Technicalities
Economic structures supporting resilience remain underdeveloped. Australia’s SOCI Act integrates resilience audits into cost calculation models and links investment decisions with measurable security requirements59. India does not follow this practice. Costed resilience planning is often missing, PPP contracts rarely enforce liability for non-compliance, and incident disclosure lacks transparency. Blockchain-based validation across logistics corridors has not yet been implemented even though it offers safeguards against tampering and counterfeit movement. These gaps sustain the perception of resilience as a burden rather than a long-term economic safeguard.
BNRI introduces measurable economic obligations that shift this trajectory. Costed resilience planning becomes a statutory requirement within capital expenditure decisions. Liability mandates in PPP frameworks penalise concealment or non-implementation of resilience measures. Public disclosure of critical infrastructure disruptions improves transparency and reinforces investor confidence. Blockchain-driven verification across logistics and customs networks counters counterfeit goods, reduces tampering and protects revenue channels. Such codification aligns with global trends that position resilience investment within core infrastructure planning rather than as an external or optional layer60.
5.4 Disaster Management
India remains vulnerable to recurring cyclones, floods and seismic events, and these hazards amplify systemic fragility when combined with cyber intrusions61. Silos between NDMA, SDMAs, CERT-In and NCIIPC continue to limit integrated hazard intelligence. Multi-hazard playbooks exist but remain at an early stage, and joint exercises are limited despite established precedents such as the U.S. NIPP62 and the obligations under the UNDRR Sendai Framework63.
Prescriptive mandates therefore include statutory convergence between NDMA and NCIA to enable integrated disaster and cyber resilience drills, mandatory biennial joint exercises across energy, health, transport and logistics systems, and the integration of meteorological forecasting tools with CI monitoring platforms so predictive hazard data feeds directly into CI risk dashboards. This approach recognises disaster management as intrinsic to CIP rather than an external emergency response function.
5.5 Legal and Statutory Provisions
India’s regulatory architecture still lacks statutory authority over physical and interdependent systems. Section 70A of the IT Act grants NCIIPC jurisdiction only over cyber assets and excludes cross-sector audits and physical infrastructure oversight64. Comparative frameworks highlight the value of legal enforcement. The EU NIS2 Directive imposes penalties for non-compliance. Australia’s SOCI Act mandates resilience audits. U.S. federal directives authorise inspection authority and create enforceable duties for operators65 66 67.
CIPA addresses this structural gap by establishing NCIA with statutory inspection and enforcement powers, mandating multi-sector audits with compulsory annual reporting and embedding ISO/IEC 27001:2022 requirements directly into law so that they function as enforceable obligations rather than voluntary standards68. This shift converts resilience from recommended practice into legal compliance.
5.6 Socio-Political Governance and Capacity
Governance fragmentation continues to slow CIP maturity. No single ministry holds statutory authority, centre–state coordination remains weak, and capacity pipelines across cyber, engineering and resilience disciplines remain inadequate for national demand69. Comparative frameworks demonstrate the value of coherence. The United Kingdom’s Critical National Infrastructure Knowledge Base institutionalises cross-sector dependency visibility, while OECD guidance highlights the need for inter-ministerial alignment and structured communication channels70 71.
The framework therefore prescribes NCIA as an inter-ministerial statutory authority to centralise resilience governance, centre–state compacts for shared critical sectors including energy, health and water, continuity cells across all Tier-A infrastructures to ensure institutional fallback during disruption, and multidisciplinary training pipelines that combine cyber, engineering and disaster risk expertise. These measures shift India from fragmented oversight toward institutionalised resilience capacity.
5.7 Comprehensive National Security
Critical infrastructure resilience must function as a core element of national security doctrine. Resilience and readiness shape the operational foundations of sovereignty and determine how effectively states absorb and respond to hybrid aggression72 73. India currently lacks statutory thresholds defining the severity of hybrid attacks, remains outside structured incident-sharing treaties and has yet to align with UN GGE cyber norms or NIST maturity benchmarks74.
The measurable framework requires codification of hybrid attack thresholds within national security doctrine, legal embedding of CIP obligations within defence and security structures, negotiation of incident-sharing treaties with strategic partners and alignment with NATO’s 2022 Strategic Concept that recognises critical infrastructure resilience as a central determinant of security75. By placing CIP within comprehensive national security, resilience becomes part of deterrence, continuity and sovereign endurance.
6. Synthesis: From Fragmentation to Institutionalisation
India’s Critical Infrastructure Protection (CIP) framework remains fragmented. Coverage under the IT Act is partial, reporting norms remain voluntary and sectoral silos continue to ignore cascading dependencies. As argued in “Towards a Critical Infrastructure Protection Programme for India: Reconceptualising Sectoral Priorities for Strategic Resilience and National Security”76, imported models such as the U.S. NIPP or the EU NIS2 cannot be adopted wholesale. Their design assumes mature federal coordination, uniform compliance capacity and strong regulatory presence, conditions that do not align with India’s socio-economic landscape. Institutionalisation must therefore arise from an indigenous design grounded in the Twin Pillars, One Foundation and One Measurable Framework. The outcome is layered governance with unified structure.
6.1 The First Pillar: Critical Infrastructure Protection Act (CIPA)
CIPA functions as the legal vehicle that converts resilience from voluntary commitment into enforceable obligation. The challenge lies not in conceptual clarity but in the absence of binding authority, a gap highlighted across multiple analyses77. By establishing the National Critical Infrastructure Protection Authority (NCIA) with inspection powers, penalties and emergency directive capacity, CIPA places systemic resilience on a statutory footing. It mandates audits with penalties for concealment, aligning India with NIS2 and the SOCI Act78. It institutionalises cross-sector resilience drills every twenty-four months, linking cyber preparedness with disaster readiness79. It requires the creation of sector-specific ISACs under statutory supervision so intelligence exchange becomes trusted and enforceable80. It clarifies roles across ministries, private operators and regulators, closing accountability gaps that voluntary systems have been unable to resolve. Through these mandates, CIPA builds legal certainty, operational accountability and institutional authority.
6.2 The Second Pillar: Bharat National Resilience Index (BNRI)
Measurable standards are essential for institutionalising resilience. Responding to earlier calls for resilience indices81, BNRI serves as both compliance mechanism and knowledge system. It assigns baseline requirements to Tier-C operators, including MFA, reporting and audits. Tier-A systems must comply with advanced mandates such as digital twins, AI anomaly detection and red teaming. BNRI introduces comparability across states and sectors, guiding prioritisation based on evidence and reducing structural inequity where capacity remains uneven82. Beyond national application, BNRI positions India as a reference model for the Global South. It mirrors the function NIST performs for cyber maturity, but is calibrated to federal asymmetry and differentiated development.
6.3 The Foundation: Reimagining Sectoral Priorities
The Foundation of India’s CIPP rests on sectoral reprioritisation, as argued in the FINS Journal analysis83. Imported taxonomies prioritise energy, ICT, finance and transport, which is insufficient for India. The expanded statutory taxonomy must include logistics, water systems, agriculture, public health, judiciary, maritime infrastructure and innovation clusters. Each represents a system-of-systems vulnerability whose disruption can fracture governance continuity, economic stability and public legitimacy. Maritime infrastructure underpins Indo-Pacific strategy, judiciary systems uphold constitutional continuity and innovation ecosystems represent sovereign capability. Excluding these sectors leaves structural gaps and exposes India to hybrid disruption. Codification ensures that the protection framework reflects operational reality rather than external templates.
6.4 The One Measurable Framework: Comprehensive Protection Evaluation
BNRI becomes functional only when embedded in the measurable framework. The seven analytical perspectives described in the previous FINS paper “Critical Infrastructure Protection in a Cyber-Physical World”84 become statutory benchmarks across technological, cyber-geopolitical, economic, disaster-management, statutory, governance and national security dimensions.
They include SCADA segmentation, MFA and AI anomaly detection; deterrence doctrine, ISACs and zero trust; liability clauses, blockchain validation and resilience financing; NDMA–NCIA convergence, biennial drills and hazard fusion; NCIA authority, ISO/IEC 27001 alignment with penalties; inter-ministerial authority, state compacts and continuity cells; and hybrid attack thresholds, treaty alignment and doctrinal embedding. This framework makes resilience auditable, enforceable and continuously adaptive.
6.5 Convergence into Institutionalisation
Institutionalisation emerges through the synthesis of the Twin Pillars, the Foundation and the Measurable Framework. The Foundation determines what is critical. CIPA enforces protection. BNRI measures resilience across preparedness, mitigation, response and recovery. The Measurable Framework integrates these layers into operational evaluation. Through this architecture, India closes domestic protection gaps and positions itself globally. As NATO’s 2022 Strategic Concept elevated infrastructure resilience as a security priority85, India’s statutory model locates resilience within national security while offering a replicable approach for federal, resource-constrained states confronting hybrid threat environments.
7. Implementation Roadmap: Parallelising Statutory, Institutional, and Operational Efforts
Institutionalising India’s Critical Infrastructure Protection Programme (CIPP) cannot unfold as a slow linear sequence. Statutory enactment cannot wait for operational readiness, and capacity-building cannot wait for parliamentary approval. India’s risk environment is immediate, institutional capacity remains uneven and hybrid threats are already active. Implementation must therefore progress in parallel across law, institutions, operators and society so resilience development begins before, during and after legislation.
7.1 Statutory and Policy Layer – Government of India and Legislature
The legal layer provides enforceability. Drafting and passing the Critical Infrastructure Protection Act (CIPA) establishes definitions, sectoral obligations and enforcement authority under the National Critical Infrastructure Protection Authority (NCIA)86. While legislation moves through parliamentary process, executive orders can impose minimum resilience baselines such as Mean Time to Recovery (MTTR), redundancy indices and mandatory cyber-drill intervals. These interim compliance requirements ensure operators do not delay action while awaiting the final statute. CIPA must also align directly with national security doctrine. Once linked, hybrid threat protection shifts from regulatory aspiration to statutory deterrence87. CIP then forms part of sovereignty and defence posture rather than a technical oversight function.
7.2 Institutional and Governance Layer – NCIA, Ministries, and State Cells
Institutions convert statutory intent into operational structure. Once established, NCIA becomes the national coordination node connecting the Ministry of Home Affairs, MeitY, Ministry of Power, Ministry of Defence, Ministry of Finance and Ministry of Health. Sectoral resilience cells must be embedded within each ministry, covering energy, logistics, water, agriculture, judiciary, maritime and innovation systems and reporting to NCIA. At the state level, CIP governance structures must operate under Chief Secretaries so national standards adjust to regional realities. This reduces centre–state fragmentation and ensures authority remains centralised while operations are distributed. The structural gap that has historically hindered both disaster response and cyber incident coordination is addressed through this alignment.
7.3 Measurement and Knowledge Layer – BNRI and Research Ecosystem
BNRI represents the measurement function. As a statutory tool, it evaluates resilience across preparedness, mitigation, response and recovery while operating as a dynamic knowledge system88. Its implementation requires academic–industry consortia. IITs, DRDO laboratories and corporate R&D units must collaborate on digital twin platforms, AI detection grids and blockchain-enabled logistics verification. This ensures measurement evolves with threat sophistication rather than remaining static.
Mandatory reporting becomes integral across tiers. Tier-A systems submit resilience updates every six months, while Tier-B and Tier-C systems report annually. This creates a continuous reporting loop to NCIA, enabling standardisation, benchmarking and compliance auditing.
7.4 Operational Layer – Sectoral Operators and PPP Ecosystems
Operators constitute the execution core. Critical Incident Response Units (CIRUs) must be installed in Tier-A and Tier-B infrastructures including ports, aviation hubs, hospitals and power grids. These units must maintain direct escalation routes to NCIA to prevent bureaucratic delay during crises. Public-private cooperation must shift from voluntary partnership to compliance-bound engagement. PPP contracts must include enforceable resilience clauses, mandatory incident disclosure and penalty provisions for non-compliance89. This changes operator behaviour from discretion to obligation. Preparedness must be exercised through annual national simulation cycles integrating cyberattacks, disaster hazards and terrorism scenarios. These multi-hazard drills should involve NDMA, NCIIPC, NSG and operators across critical sectors. Only rigorous testing converts cascading risk readiness from theoretical intent into operational capability.
7.5 International and Diplomatic Layer – External Partnerships
Critical infrastructure functions within global networks and transnational supply chains, which makes a diplomatic dimension essential. Agreements must advance through QUAD, BIMSTEC and BRICS, focusing on incident-sharing frameworks, cyber-resilience drills and joint protection arrangements90 91. India should align with international standards including ISO/IEC 27001:2022 while mirroring NIS2 compliance benchmarks to ensure interoperability with global resilience governance. These steps enhance credibility and support reciprocal recognition of protection maturity. Infrastructure diplomacy must also evolve. India can project its CIPP architecture as part of Indo-Pacific security and South–South cooperation so CIP becomes not only a domestic strategy but also a foreign policy instrument that strengthens regional influence through resilience leadership.
7.6 Capacity and Societal Layer – Citizens, Workforce, and Civil Society
Resilience requires societal embedding. A National CIP Training Academy under NCIA should build multidisciplinary capacity pipelines that include engineers, forensic analysts, red-team specialists and emergency responders, addressing the persistent skill deficit in resilience governance. Citizen-level inclusion requires integrating digital hygiene, CI awareness and preparedness into education systems, vocational programmes and national outreach initiatives so resilience behaviour becomes a norm. Civil society must also be included. NGOs, self-help groups and community networks should be incorporated into formal outreach, particularly in rural regions where institutional coverage remains limited. This prevents resilience from becoming urban and technocratic, ensuring that the framework is socially inclusive.
7.7 Implementation as a Parallel Ecosystem
India’s roadmap must develop as a parallel ecosystem rather than a sequential rollout. Multiple layers progress together. Statutory codification advances while interim executive orders introduce baseline norms. Institutions including NCIA, state cells and sectoral units begin functioning as BNRI initiates data reporting. Private operators implement PPP-driven compliance while international partnerships provide modelling and benchmarking. Public engagement evolves concurrently, embedding legitimacy and awareness. Through this parallel model, a multi-level protection shield emerges in which statutory, institutional, operational and societal elements evolve simultaneously rather than in delayed sequence.
Conclusion
This paper advances the discourse on India’s Critical Infrastructure Protection (CIP) by moving beyond fragmented cyber-focused approaches toward an integrated statutory and evaluative architecture. The framework rests on the Critical Infrastructure Protection Act (CIPA) and the Bharat National Resilience Index (BNRI), supported by one reimagined foundation of sectoral priorities and reinforced through one comprehensive measurable framework. Together they convert resilience from discretionary practice into statutory obligation across preparedness, mitigation, response and recovery.
CIPA functions as the legal backbone and BNRI operates as the measurement mechanism. This pairing closes the enforcement gap that has limited India’s ability to govern cascading dependencies. The statutory pillar establishes audit authority, penalties and integrated drills, while the measurement pillar embeds quantifiable indices across Tier-A, Tier-B and Tier-C infrastructures. This linkage unites legal enforceability with empirical evaluation so that governance operates coherently across juridical, operational and technical domains92.
The reimagined foundation expands statutory protection beyond energy, ICT, finance and transport. Logistics, agriculture, health, judiciary, maritime routes and innovation ecosystems are included because these systems shape India’s hybrid vulnerability landscape. Their inclusion reflects asymmetric federal capacity, demographic pressures and threat realities rather than assumptions drawn from industrialised states93.
The measurable framework aligns seven analytical perspectives into enforceable requirements spanning technological, cyber-geopolitical, economic, disaster-management, statutory, governance and national security dimensions. Through these standards, resilience becomes doctrine, integrating drills, inspections, liability and deterrence into law, practice and security planning. CIP becomes a continuum rather than a set of disconnected activities.
Taken together, the proposed model offers a prescriptive blueprint for institutionalising resilience. By aligning statutory authority, sectoral reprioritisation and measurable enforcement, CIP evolves into a unified national security architecture. Resilience becomes a sovereign function shaped through an India-specific criticality lens that integrates governance, economy and security into a single system of national protection and strategic endurance.
End Notes
[1] NCIIPC. About NCIIPC...
[2] Dash, P. (2024). Towards a CIPP for India...
[3] NCIIPC. About NCIIPC...
[4] Ghosh, S. (2022). Chinese state-backed actors and India’s power grid...
[5] Ouyang, M. (2019). Interdependent CI system modelling...
[6] de Jong-Chen, C., & O’Brien, K. (2017). U.S. NIPP overview...
[7] EU. (2022). NIS2 Directive...
[8] Critical 5. (2024). Australia’s SOCI Act...
[9] Dash, P. (2025). Towards a CIPP for India...
[10] Simion, C. P. et al. (2013). Threat analysis for CI protection...
[11] Dash, P. (2025). Towards a CIPP for India...
[12] Dash, P. (2025). Towards a CIPP for India...
[13] World Bank. (2013). Building resilience report...
[14] Dash, P. (2021). Protecting India’s CI...
[15] Dash, P. (2024). Hybrid dimension of CI security...
[16] Ibid...
[17] Dash, P. (2024). Compulsions of enacting CIPA...
[18] Critical 5. (2024). SOCI Act summary...
[19] UNDRR. (2019). Global assessment report...
[20] NCIIPC. About NCIIPC...
[21] Dash, P. (2021–2024). Series on CI security and CIPA...
[22] Dash, P. (2024). Compulsions of enacting CIPA...
[23] Dash, P. (2024). Safeguarding India’s future...
[24] CSIS; NATO. (2022). Nord Stream sabotage analysis...
[25] Dash, P. (2024). Why CIPA is warranted...
[26] Petit, F. et al. (2013); EU (2022). NIS2 provisions...
[27] Dash, P. (2024). Safeguarding India’s future...
[28] USDHS. (2009). NIPP; Critical 5 (2024). SOCI Act...
[29] Dash, P. (2024). Hybrid dimension of CI security...
[30] Dash, P. (2024). Why CIPA is warranted...
[31] Dash, P. (2025). Towards a CIPP for India...
[32] Dash, P. (2024). Hybrid dimension of CI security...
[33] Dash, P. (2024). Why CIPA is warranted...
[34] OECD. (2021). Regulatory frameworks and investment...
[35] Dash, P. (2021). Protecting India’s CI...
[36] Dash, P. (2024). CIPA analyses...
[37] Kuipers, S. (2019). Disaster collaboration studies...
[38] Petit, F. et al. (2013). Resilience Measurement Index...
[39] Linkov, I. et al. (2018). Resilience approaches...
[40] Dash, P. (2025). Towards a CIPP for India...
[41] Sun, Y. et al. (2022). AI anomaly detection...
[42] CISA. (2023). Cybersecurity performance goals...
[43] Critical 5. (2024). SOCI Act...
[44] Chatterjee, A. et al. (2024). Risk-informed investments...
[45] Dash, P. (2024). Compulsions of enacting CIPA...
[46] ISO (2022); UNDRR (2015); NATO (2022)...
[47] Dash, P. (2025). Towards a CIPP for India...
[48] Ibid...
[49] Kelic, A. et al. (2008). SCADA vulnerabilities...
[50] Ouyang, M. (2019). Interdependency modelling...
[51] Ghosh, S. (2022). Intrusions into India’s power grid...
[52] NCIIPC. About NCIIPC...
[53] Proofpoint. (2022). MFA breach reduction...
[54] Sun, H. et al. (2022). AI detection for resilience...
[55] CISA. (2023). CPGs for CI...
[56] Dash, P. (2024). Compulsions of enacting CIPA...
[57] CTU. (2018). ISAC best practices...
[58] EU. (2022). NIS2 Directive...
[59] Critical 5. (2024). SOCI Act...
[60] IISD. (2019). World Bank resilient infrastructure...
[61] Singh, A. et al. (2014). Disaster and CI risk in India...
[62] USDHS. (2009). NIPP...
[63] UNDRR. (2015). Sendai Framework...
[64] NCIIPC. About NCIIPC...
[65] de Jong-Chen, C., & O’Brien, K. (2017). NIPP guidance...
[66] EU. (2022). NIS2 Directive...
[67] Critical 5. (2024). SOCI Act...
[68] ISO. (2022). ISO/IEC 27001:2022...
[69] Dash, P. (2024). Safeguarding India’s future...
[70] Critical 5. (2024). CNI Knowledge Base...
[71] OECD. (2019). CI resilience governance...
[72] Popovski, V. (2023). Resilience and sovereignty...
[73] Vinson, J., & Brawley, M. (2024). Readiness studies...
[74] Dash, P. (2024). Hybrid dimension of CI security...
[75] NATO. (2022). Strategic Concept...
[76] Dash, P. (2025). Towards a CIPP for India...
[77] Dash, P. (2021–2024). CIPA necessity series...
[78] EU (2022). NIS2; Critical 5 (2024). SOCI Act...
[79] USDHS (2009). NIPP; UNDRR (2015). Sendai...
[80] CTU. (2018). ISAC best practices...
[81] Dash, P. (2025); Petit et al. (2013). Resilience Index...
[82] Singh, A. et al. (2014); Sarkar, S. (2022). CI resilience equity...
[83] Dash, P. (2025). Towards a CIPP for India...
[84] Dash, P. (2025). CI protection analysis...
[85] NATO. (2022). Strategic Concept...
[86] Dash, P. (2024). CIPA legislative studies...
[87] Dash, P. (2024). Hybrid dimension of CI security...
[88] Dash, P. (2025). Towards a CIPP for India...
[89] Dash, P. (2024). Why CIPA is warranted...
[90] NATO. (2022). Strategic Concept...
[91] EU. (2022). NIS2 Directive...
[92] Dash, P. (2025); Dash, P. (2024). CI resilience analyses...
[93] Dash, P. (2021). Protecting India’s CI...
References
1. Capitol Technology University (CTU). (2018, November 14). The 16 sectors of critical infrastructure. https://www.captechu.edu/blog/cybersecurity-of-16-sectors-of-critical-infrastructure
2. Center for Strategic & International Studies (CSIS). (2022, September 29). Security implications of Nord Stream sabotage. https://www.csis.org/analysis/security-implications-nord-stream-sabotage
3. Chatterjee, A., Wadhawan, S., Carluccio, S., Gupta, N., Gurung, D. R., Dharani, S., & Naidoo, S. (2024, September). Accelerating risk-informed investments in climate-resilient urban infrastructure: A framework-based approach (T20 Policy Brief). Council on Energy, Environment and Water. https://www.ceew.in/publications/accelerating-risk-informed-investments-climate-resilient-urban-infrastructure-framework
4. CISA. (2023). Cross-Sector Cybersecurity Performance Goals for OT/ICS. Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/resources-tools/resources/cross-sector-cybersecurity-performance-goals
5. Critical 5. (2024). Critical Five Vision 2030: Protecting interdependent critical infrastructure systems. https://www.criticalfive.org/
6. Dash, P. (2021, August 30). Protecting India’s critical infrastructure. Orissa Post. https://www.orissapost.com/protecting-indias-critical-infrastructure/
7. Dash, P. (2024, August 17). Why the Critical Infrastructure Protection Act is seriously warranted. India News Diary. https://indianewsdiary.com/why-the-critical-infrastructure-protection-act-is-seriously-warranted/
8. Dash, P. (2024, August 20). Safeguarding India’s future: The urgent need for a critical infrastructure protection act. The Daily Pioneer. https://www.dailypioneer.com/2024/columnists/safeguarding-india-s-future--the-urgent-need-for-a-critical-infrastructure-protection-act.html
9. Dash, P. (2024, February 8). Protecting critical infrastructure. Odisha Post. https://odishapostepaper.com/edition/4805/orissapost/page/6
10. Dash, P. (2024, November 18). Hybrid dimension of critical information infrastructure security: Why India needs a Critical Infrastructure Protection Act to attain cyber-physical resilience. Uday India. https://www.udayindia.in/news/hybrid-dimension-of-critical-information-infrastructure-security-why-india-needs-a-critical-infrastructure-protection-act-to-attain-cyber-physical-resilience
11. Dash, P. (2024, September 11). Compulsions of enacting: A “Critical Infrastructure Protection Act”. Uday India. https://www.udayindia.in/news/compulsions-of-enacting-a-critical-infrastructure-protection-act
12. Dash, P. (2025, April–June). Towards a critical infrastructure protection programme for India: Reconceptualising sectoral priorities for strategic resilience and national security. FINS Journal of Diplomacy & Strategy, 8(2). https://finsindia.org/April-June-2025-issue-2-vol-8.html
13. Dash, P. (2025, July 1). Towards a Critical Infrastructure Protection Programme for India: Reconceptualising sectoral priorities for strategic resilience and national security. FINS Journal of Diplomacy & Strategy. https://finsindia.org/towards-a-critical-infrastructure-protection-programme-for-india-dr-padmalochan-dash.html
14. de Jong-Chen, C., & O’Brien, K. (2017). The cybersecurity dilemma: U.S., EU and China approaches. Microsoft Policy Papers. https://www.microsoft.com/en-us/cybersecurity
15. European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
16. Ghosh, S. (2022, March 1). Chinese hackers linked to Mumbai power outage. The Indian Express. https://indianexpress.com/article/technology/chinese-hackers-mumbai-power-outage-7783483/
17. International Institute for Sustainable Development (IISD). (2019, July 11). World Bank report illustrates benefits of resilient infrastructure. SDG Knowledge Hub. https://sdg.iisd.org/news/world-bank-report-illustrates-benefits-of-resilient-infrastructure-
18. ISO. (2022). ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection. International Organization for Standardization. https://www.iso.org/standard/82875.html
19. Kelic, A., Warren, D. E., & Phillips, L. R. (2008, September). Cyber and physical infrastructure interdependencies (SAND2008-6192, Unlimited Release). Sandia National Laboratories. https://www.osti.gov/servlets/purl/945905
20. Kuipers, S. (2019, March 11). Disaster consequences and collaboration. Risk, Hazards & Crisis in Public Policy, 10(2), 138–142. https://doi.org/10.1002/rhc3.12163
21. Linkov, I., Trump, B. D., & Fox-Lent, C. (2018, September). Resilience: Approaches to risk analysis and governance: An introduction to the IRGC resource guide on resilience. International Risk Governance Center (IRGC). https://irgc.org/wp-content/uploads/2018/09/Linkov-Trump-Fox-Lent-Resilience-Approaches-to-Risk-Analysis-and-Governance.pdf
22. NATO. (2022). Strategic Concept 2022. North Atlantic Treaty Organization. https://www.nato.int/strategic-concept
23. NCIIPC. (n.d.). National Critical Information Infrastructure Protection Centre – Mandate and responsibilities. Government of India. https://nciipc.gov.in
24. North Atlantic Council. (2022, September 29). Statement by the North Atlantic Council on the damage to the Nord Stream 1 and Nord Stream 2 pipelines [Press Release No. 129]. NATO. https://www.nato.int/cps/en/natohq/official_texts_207733.htm
25. OECD. (2021). OECD Recommendation on the Governance of Critical Risks. Organisation for Economic Co-operation and Development. https://www.oecd.org/gov/risk/recommendation-governance-critical-risks.htm
26. Organisation for Economic Co-operation and Development (OECD). (2019, April 17). Good governance for critical infrastructure resilience. OECD Publishing. https://www.oecd.org/en/publications/good-governance-for-critical-infrastructure-resilience_02f0e5a0-en.html
27. Ouyang, M. (1) (2019). Cyber-physical-social interdependencies and organizational resilience: A review of water, transportation, and cyber infrastructure systems and processes. National Science Foundation Public Access Repository. https://par.nsf.gov/servlets/purl/10167203
28. Ouyang, M. (2) (2019). Review on modeling and simulation of interdependent critical infrastructure systems. Reliability Engineering & System Safety, 121, 43–60. https://doi.org/10.1016/j.ress.2013.06.040
29. Petit, F., Bassett, G., Black, R., Buehring, W., Collins, M., Dickinson, D., Fisher, R., Haffenden, R., Huttenga, A., Klett, M., et al. (2013). Resilience Measurement Index: An Indicator of Critical Infrastructure Resilience. Argonne National Laboratory, Chicago, IL, USA.
30. Popovski, V. (2023, July 20). Critical infrastructure must be resilient… it’s critical. UNDP Eurasia. https://www.undp.org/eurasia/blog/critical-infrastructure-must-be-resilientits-critical
31. Proofpoint. (n.d.). Critical infrastructure protection. https://www.proofpoint.com/uk/threat-reference/critical-infrastructure-protection-cip
32. Sarkar, D. (2022, August 18). Indian infrastructure: Leveraging past experiences for future growth. Observer Research Foundation. https://www.orfonline.org/expert-speak/indian-infrastructure
33. Simion, C. P., Bucovetchi, O., & Popescu, C. A. (2013, May). Critical infrastructures protection through threat analysis framework. Annals of the Oradea University: Fascicle of Management and Technological Engineering, XXII(1). https://www.researchgate.net/publication/307720857_CRITICAL_INFRASTRUCTURES_PROTECTION_THROUGH_THREAT_ANALYSIS_FRAMEWORK
34. Singh, A. N., Gupta, M. P., & Ojha, A. (2014). Identifying critical infrastructure sectors and their dependencies: An Indian scenario. International Journal of Critical Infrastructure Protection, 7(2), 71–85. https://doi.org/10.1016/j.ijcip.2014.04.003
35. Sun, W., Bocchini, P., & Davison, B. D. (2022). Overview of interdependency models of critical infrastructure for resilience assessment. Natural Hazards Review, 23(1), 04021058. https://www.cse.lehigh.edu/~brian/pubs/2022/naturalhazardsreview/ASCE_ReviewInterdependencyModel_V2.pdf
36. UNDRR. (2015). Sendai Framework for Disaster Risk Reduction 2015–2030. United Nations Office for Disaster Risk Reduction. https://www.undrr.org/implementing-sendai-framework/what-sendai-framework
37. United Nations Office for Disaster Risk Reduction (UNDRR). (2019, October 10). Global assessment report on disaster risk reduction 2019. UNDRR. https://gar.undrr.org
38. United States Department of Homeland Security (USDHS). (2009). Critical Infrastructure Resilience: Final Report and Recommendations. National Infrastructure Advisory Council, Washington, DC, USA. https://www.dhs.gov/xlibrary/assets/niac/niac_critical_infrastructure_resilience.pdf
39. Vinson, N., & Brawley, S. (2024, December 6). Critical infrastructure: Readiness, resilience, and security. UK Parliament POST. https://post.parliament.uk/critical-infrastructure-readiness-resilience-and-security/
40. World Bank. (2013, November). Building resilience: Integrating climate and disaster risk into development. https://www.worldbank.org/content/dam/Worldbank/document/SDN/Full_Report_Building_Resilience_Integrating_Climate_Disaster_Risk_Development.pdf
41. World Bank. (2023). Lifelines: The resilient infrastructure opportunity – Updated insights. World Bank. https://documents.worldbank.org/en/publication/documents-reports/documentdetail/775891600098079887/lifelines-the-resilient-infrastructure-opportunity
[This work has been funded by the Indian Council of Social Science Research (ICSSR), Ministry of Education, New Delhi, under the “ICSSR Post-Doctoral Programme” 2019-20 on “Critical Infrastructure Protection Programme for India”.]

