Our everyday life depends on critical services that we often take for granted: water, electricity, cooking gas, petrol and diesel, groceries, banking, communications, transport, internet, healthcare, governance, law and order, courts and defence. Behind each of these lies a vast network of infrastructure: power plants, refineries, distribution systems, fuel transportation networks, railway stations, airports, hospitals, public utility systems and industrial installations. Any disruption can affect public safety, economic stability and national security.
Over the last few decades, these services have been scaled up through digital transformation. The internet, automation, the Internet of Things (IoT), and artificial intelligence (AI) have improved monitoring, prediction, control and service delivery. However, the same connectivity that improves efficiency also expands the risk horizon. Systems that were earlier isolated or locally controlled are now linked to digital networks, creating opportunities for remote disruption.
Complexities of the digital landscape
We are familiar with cyber risks in the digital world: server breaches, data theft, denial-of-service attacks, ransomware and online fraud. Governments have responded with cyber-security laws, certifications, protective systems and agencies such as CERT-In (Indian Computer Emergency Response Team). These measures have improved security, but they do not make critical infrastructure completely safe.
The larger emerging concern is that the internet is no longer only a network of people, computers and servers. It has expanded to accommodate billions of connected devices. Cameras, GPS devices, temperature and pressure sensors, wind monitors, water-level sensors and industrial controllers are constantly collecting data and communicating with central systems. In refineries, power plants, chemical plants, manufacturing units and transport networks, such devices enable high levels of automation.
Earlier, many of these systems were local process control systems managed through SCADA (Supervisory Control and Data Acquisition) systems. Today, they are increasingly connected to the internet for centralised monitoring, optimisation and predictive maintenance.
This creates the important triad of IT, OT and IoT. IT operates in the digital space, processing data and enabling computing. OT, or operational technology, operates in the physical world of plants, machinery, transport, industrial automation and critical assets. IoT connects the two by sensing physical conditions, sending real-time data to digital systems and, in many cases, executing commands through controllers and actuators. This connection is powerful, but it can also become the weak link. If the IoT layer is compromised, the data collected from the physical world can be manipulated, or control over physical processes can be misused.
Critical infrastructure security
Therefore, critical infrastructure security must go beyond conventional cyber security. Physical installations may have heavy security and restricted access, but the devices connecting them to digital systems may still expose them to invisible risks. The real question is whether these devices can be trusted. They must not contain hidden vulnerabilities, unauthorised data-sharing mechanisms, malicious control pathways or embedded Trojans that can be exploited later.
This issue becomes serious when imported devices are deployed in sensitive installations without rigorous scrutiny. India speaks strongly about Atmanirbhar Bharat and Made in India, but this intent has not always translated into procurement practices at lower levels of government departments and public sector undertakings (PSUs). Tender conditions often do not insist on trusted Indian-made products or deep security evaluation. Eligibility is frequently assessed through template-based compliance checks rather than careful examination of design origin, manufacturing authenticity and operational vulnerability. Existing IT guidelines and IoT policies are also not enforced with the seriousness required for national-level infrastructure.
Fuel transportation is a practical example. Earlier, tankers carrying fuel from oil terminals to retail outlets were protected with ordinary seals, locks and keys, leaving room for pilferage. Over time, the system moved to IoT-based keyless and OTP-based e-locking, supported by GPS tracking and digital monitoring. These solutions improve accountability and security, but they also become critical control points in the fuel supply chain. If vehicle tracking systems or e-locks are imported, unverified or dubiously certified, the oil supply chain can become vulnerable to remote disruption. There are increasing instances of electronic locks with GPS and communication capabilities that are manufactured in China being certified in India as Indian products.
Need for strengthening certification
The recent certification of cameras by STQC tests devices to ensure that they do not perform unintended control or data-sharing functions. However, the certification process is onerous and lengthy. More importantly, similar mechanisms are not yet available or strongly enforced for many other IoT devices used in critical infrastructure.
A high level of awareness is needed for economic security. Future attacks may target the industrial base, supply chains, utilities and automated infrastructure that support national growth. A recent attack on systems that monitor U.S. gas stations’ fuel storage, reported by CNN, is a case in point.
As India moves toward becoming a major global economy and digitally empowered nation, the safety of critical infrastructure cannot be treated merely as a technical issue. It is a matter of sovereignty, resilience and economic security. India must embrace IoT, AI and automation, but it must do so with trust, transparency and strong safeguards. The need of the hour is stricter policy enforcement, rigorous certification, preference for trusted indigenous technologies and continuous vigilance across government and industry. The question is not whether we should adopt connected technologies, but whether we are deploying them securely enough to protect the nation’s future.
(L.N. Rajaram is the National Division Chairman, IoT application in Government, Public, and Private Organisations, IoT Society of India. He is also Co-Founder, Kritilabs Technologies Pvt. Ltd., Chennai)
Published – May 27, 2026 08:30 am IST


