The Goods and Services Tax (GST) system is not exposed directly to the Internet and has a dedicated round-the-clock security operations command centre in its network against cyberthreats, the government has told the Rajya Sabha.
To a question, the government said on Friday that any interaction with the system was only through APIs (application programming interfaces). It had a multi-layered security architecture and had operational segregation through use of a virtual local area network.
Access privileges
There was segregation of duties, least privilege access principles, Internet Protocol (IP) filtering and blocking of rogue IPs, resiliency at each layer, secure coding practices ensuring security of GST software development throughout Software Development Lifecycle, and at-rest and in-transit data encryption, the government said.
The data sharing mechanism ensures that any data transfer from the GST system is in encrypted format. The system banks on thorough security testing and full-system vulnerability assessment and penetration testing of IT infrastructure, besides the apps used licensed tools and customised scripts, said the government.
Security incidents
According to the Indian Computer Emergency Response Team (CERT-In), a total of 44,679, 49,455, 50,362 and 27,482 cybersecurity incidents were observed during 2014, 2015, 2016 and 2017 (till June), respectively, the government said in response to another query.
The types of cybersecurity incidents include phishing, scanning/probing, website intrusions and defacements, virus/malicious code, targeted attacks, ATM malware, ransomware and denial of service attacks among other threats.
The government had taken a series of measures to strengthen the cybersecurity infrastructure. All financial institutions had been advised by CERT-In, through the Reserve Bank of India (RBI) to conduct an audit by empanelled auditors on a priority basis and take immediate steps accordingly.
Crisis plan
All organisations providing digital payment services have been mandated to report cyber security incidents to CERT-In expeditiously. The government has also formulated a Cyber Crisis Management Plan for countering cyber attacks for implementation by all ministries and departments.