India’s infrastructure is rapidly digitalising. This shift comes with a hefty price – targeted disruptions, data theft and system sabotage are becoming more real and widespread than ever.
In the transportation sector, for example, defence has not been keeping pace. Legacy control systems such as supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs), used in railways, bridges and ports, are vulnerable to cyberattacks. These vulnerabilities are widening with every new internet of things (IoT) device, such as traffic cameras, tolling sensors and vehicle tracking units. In the railways, while e-ticketing, smart sensors and automated signalling are routine, the backend remains fragile. A breach in the IRCTC insurance portal in 2024, which allowed unauthorised users to access and alter passenger data without OTP verification, exposed the ease with which the security layer could be infiltrated.
The highways are no safer. Tolling systems such as FASTag and automatic number plate recognition-based traffic monitoring rely on connected software, making them vulnerable to attacks. For example, investigations in early 2025 revealed that code had been manipulated at over 200 toll plazas across 14 states, rerouting revenue of the National Highways Authority of India (NHAI) to private accounts.
Meanwhile, in the logistics sector, several warehousing and fleet aggregating companies have migrated to cloud tools for speed and scalability. But many have skipped the basics. In 2025, Agarwal Packers and Movers Limited reported a serious data breach wherein customer information, including addresses and phone numbers, was stolen from its database.
Airports, with their air-gapped air traffic control (ATC) systems, have traditionally been safer. But they are not immune. As biometric boarding, integrated airline databases, automatic vendors and logistics system management push the sector towards increasing digitalisation, new vulnerabilities are emerging. As per an industry report, 66 per cent of airlines and 73 per cent of airports have placed cybersecurity among their top three priorities. Cochin International Airport is setting the benchmark. It now runs a dedicated Cyber Defense Operations Centre, offering 24×7 monitoring and incident response integration.
For public infrastructure, the smart city push adds another layer of complexity. Over 100 cities under the Smart Cities Mission now run real-time digital monitoring systems for traffic, water, air and surveillance. But when the Indian Computer Emergency Response Team (CERT-In) and Kaspersky reviewed 20 of them, they found a worrying pattern of default admin credentials, outdated firmware and misconfigured Simple Network Management Protocol settings. Subsequently, in March 2025, CERT-In released guidelines on smart city architecture, mandating the use of IoT hardware, network segmentation and incident response planning.
Water infrastructure is another weak link. Cities are now using SCADA-based telemetry to manage plants and reservoirs. However, malware could tweak chemical dosing levels. Tampered telemetry could misreport dam levels or trigger false alarms. In 2025, CloudSEK, an AI-based cybersecurity firm, uncovered a major breach in Bangalore Water Supply and Sewerage Board’s (BWSSB) systems. A hacker was found selling root access to BWSSB’s database for just $500, exposing the personal data of over 0.29 million residents.
Telecom, meanwhile, is one of the most targeted sectors. In mid-2024, Bharat Sanchar Nigam Limited suffered a major breach when a hacker leaked 278 GB of data from its history, including SIM credentials, Home Location Register logs and International Mobile Subscriber Identity numbers. Now telecom service providers are finally stepping up. Bharti Airtel, for instance, launched a cyberthreat simulation lab with Cisco in 2025. As of mid-2025, it has rolled out AI-powered threat detection across its packet core, focusing on real-time anomaly spotting and lateral movement. The new Telecom Act, 2023 has also sharpened the regulatory teeth. It defines critical telecom infrastructure and makes vulnerability disclosures, attack surface mapping and country-of-origin tagging of equipment mandatory. In parallel, CERT-In has ramped up drills across sectors. As of mid-2025, it has conducted 109 cybersecurity mock exercises covering over 1,400 organisations, stress-testing their resilience to simulated attacks.
However, these are still defensive moves. India’s infrastructure cybersecurity strategy, while evolving, is mostly reactive and scattered across sectors. What is missing is systemic cohesion – a unified framework that ties together transport, utilities, smart cities and telecom under a common security standard.
Looking ahead, the threat landscape is only getting more complex. As per an industry report, if left unaddressed, India could be facing close to a trillion cyberattacks a year by 2033. By the time it marks its centenary in 2047, that number could climb to 17 trillion. As per another industry report, India’s security software market is projected to grow at a CAGR of 18.5 per cent between 2022 and 2027, driven by rising investments in data protection; endpoint security; identity and access management; governance, risk and compliance tools; and security analytics. This surge reflects how cybersecurity is shifting from being a reactive patchwork to more integrated, software-driven strategies. But more spending does not automatically translate to resilience. The real test lies in securing legacy systems without stalling innovation, enforcing compliance across state-run and private entities and building cyber-response mechanisms that work in real time, not post-mortem.
Harshita Kalra