Serious National Threat—Part-I

Time that Indian Railways implements a policy of bringing only ‘Trusted Officers’ into the higher echelons

So long as postings are decided by bosses on consideration of #cash, #kind and #ego, there is no hope of improvement

We reported on a case where the State Bank of India’s interpretation #software, which decrypts payment instructions received from Indian Railways, randomly added two zeroes (00) to the #payment to be made. This resulted in a payment of Rupees one lakh being transferred by the bank as Rupees one crore. A report suggests a Rupees 55 crore payment was made as Rupees 5,500 crore. (Read the thread on X).

This significant #security incident at the State Bank of India (#SBI) has captured the attention of government leadership and industry leaders nationwide. The breach compromised critical software that processes financial transactions for #account holders across the banking system. Notably, the State Bank of India maintains a reputation as one of the nation’s most trusted institutions, setting the highest standards for security and reliability.

Several officers and watchers have characterised the incident as a deliberate #cyberattack. The breach shares concerning similarities with previous major incidents, including the #SolarWinds attack and attacks on the #Ukrainian power grid. In these cases, adversaries maintained access to compromised systems for extended periods before revealing their presence. The SolarWinds incident, which affected the US Government’s sensitive computing infrastructure, demonstrates the scale of such breaches—American authorities have not yet determined the full extent of the damage even after several years.

What If…???

If a system can randomly add two zeroes to a payment, it can also perform many other actions. For example, it could randomly change bank account numbers by flipping a few digits in the #IFSC code or the account number itself. If this is possible at SBI, no other banking institution is safe.

Look at #CRIS, the ever-in-crisis IT wing of Indian Railways, or see #RailTel. With no internal core competence, competence lies with outside contractors, with no system of #Safety certification. It was for this reason that the Department of Telecommunications came up with the concept of trusted #vendor and trusted #source.

“The Department of Telecommunications (#DoT), Government of India, has implemented a Trusted Telecom Portal (trustedtelecom.gov.in) to mandate that telecom service providers (#TSP) procure and install only “trusted products” from “trusted vendors” to ensure national security. This directive, part of the National Security Directive on Telecommunication Sector (#NSDTS), came into force on June 15, 2021.”

Inspection of compliance related to trusted products and MTCTE-DGT-HQ

Loksabha Questions

Does #IndianRailways have something on this? It is joked that there is no seriousness on the #telecom side either, so why expect it from Indian Railways?

Trusted Source & Trusted Vendor

In view of the SBI fiasco, this #Policy now needs to be adopted in true spirit by banks and all critical IT infrastructure.

Case of Indian Railways

When we consulted senior serving and retired officers, we realised that CRIS and RailTel remain a serious vulnerability. There is only cursory compliance with the ‘trust’ policy. The reason? The competence of the officers who handle the issue. Today #HRMS, #IREPS, #FOIS, #SCADA and #PRS are the major IT solutions which IR uses daily. Except for SCADA, the rest are made and maintained by CRIS, where serious issues of conflict of interest, competence and administrative probity have been raised and reported by #Railwhispers.

SCADA is no different. The kind of #vendors which #RDSO has been approving shows a total lack of basic appreciation of bringing only trusted sources into the system. The issue has been left to officers and supervisors who lack understanding of the ramifications of #cyber security and handle the subject in a clerical manner. Indian Railways’ IT security is overseen by the Commercial Department, which lacks professional competence in IT and cyber security.

So long as postings are decided by bosses on consideration of #cash, #kind and #ego, there is no hope of improvement. Who can be complained to? Our consistent coverage has revealed incontrovertibly that the senior-most levels of #RailBhawan remain compromised—they remain vulnerable to external influences and one would not be surprised if they are the ones who facilitated long-term damage. These officers have been sitting in the #CRB cell and the #Minister’s cell.

Sadly, those who get sold for VIP treatment for a wife or a foreign trip cannot be trusted. It is time that Indian Railways implements a policy of bringing only ‘Trusted Officers’ into the higher echelons.

#Continued: Part-II of the article will discuss how a significant single-point vulnerability has been created in the #signalling and #rollingstock networks by penalising and neglecting in-house competence, failing to #rotate, and auctioning key postings of the RDSO, Railway Board and Zonal HQs.