Contents
The Cybersecurity Lesson in E-Rickshaws
Deep Pal & Sukanya Thapliyal — Policy Professionals, Koan Advisory Group · The Hindu- E-rickshaws in Delhi began stalling mid-road when pranksters — and increasingly extortionists — used Chinese BMS apps (BAT-BMS, Epoch Li-ion, Lossigy, SMART BMS) to exploit unsecured Bluetooth connections on lithium-ion battery packs, cutting off power with a single tap. The driver could restart only through the same app, prompting imposters to charge ₹200–₹300 to “fix” the vehicle.
- MeitY Secretary S. Krishnan confirmed removal of the offending apps from Google Play Store and Apple App Store — a reactive, app-takedown response that does not resolve the underlying vulnerability in Battery Management Systems (BMS) accepting connections with weak or default credentials.
- The editorial’s core argument: the real issue is not Chinese origin of software but that batteries are now software-defined, connected systems — and India has no coherent cybersecurity framework covering connected battery products, from e-rickshaws to grid-scale Battery Energy Storage Systems (BESS).
- The stakes extend far beyond e-rickshaws: the same BMS vulnerabilities exist in systems that support power grids, telecom towers, warehouses, ports, industrial automation, and defence platforms — making this a critical infrastructure governance problem, not a consumer inconvenience.
- Battery Management System (BMS): A BMS is an electronic system embedded in a battery pack that monitors cell voltage, temperature, and state of charge; balances cells; and protects against overcharge, deep discharge and overheating. Modern BMS units in lithium-ion batteries are software-defined and often Bluetooth-enabled, allowing remote monitoring, diagnostics, and maintenance — but also enabling remote misuse when credentials are weak or default.
- India’s EV landscape: India has one of the world’s fastest-growing electric vehicle markets; e-rickshaws alone number in the millions, forming the backbone of last-mile urban mobility in cities across north India. Most low-cost e-rickshaws use lithium-ion battery packs with Bluetooth-enabled BMS — many shipped with default or no passwords.
- CERT-In (Section 70B, IT Act, 2000): India’s national cyber incident response body under MeitY; issues cybersecurity directions (expanded in 2022 to include 6-hour mandatory reporting, log retention, and vulnerability disclosure). Has expanded guidance to include Software Bills of Materials (SBOMs), secure software development frameworks, and OEM security requirements — but guidance is non-binding for connected battery products specifically.
- NCIIPC (National Critical Information Infrastructure Protection Centre): Functions under the PMO/NTRO; protects sectors designated as Critical Information Infrastructure (CII) including power, transport, telecommunications, banking, and defence under Section 70, IT Act, 2000. Grid-scale Battery Energy Storage Systems (BESS) may fall within its remit when deployed as part of designated CII — but EV and commercial BMS deployments remain outside its jurisdiction.
- Sectoral regulatory landscape: The Central Electricity Authority (CEA) addresses battery risks through functional safety and organisational cybersecurity lenses; the Department of Telecommunications (DoT) and MeitY have introduced security assurance mechanisms for connected devices — but none of these mandatory regimes specify Bluetooth-enabled BMS and their management apps, leaving a clear regulatory gap.
- Digital supply chain complexity: Modern battery systems comprise hardware and software sourced globally — cells from one country, BMS firmware from another, mobile management apps from a third. Security therefore depends on the integrity of the entire digital supply chain, not just the final assembled product.
- The regulatory white space: India’s institutional architecture for cybersecurity — CERT-In, NCIIPC, CEA, DoT, MeitY — is robust in principle but fragmented in practice. Connected battery products fall between sectoral mandates: too commercial for NCIIPC, too technical for CEA, and too specific for CERT-In’s general OEM guidance.
- Reactive vs. proactive governance: The government’s response — removing apps from app stores — is purely reactive. It does not mandate secure-by-design standards for BMS manufacturers, require authentication hardening, or impose firmware integrity verification. New apps exploiting the same BMS vulnerability can surface at any time.
- The supply chain trust problem: The editorial explicitly argues that the question is not “where the software originated” but whether it is demonstrably trustworthy. A Chinese-developed BMS firmware with rigorous security attestation may be safer than a domestically-developed one with poor practices — the framework must evaluate provenance and integrity, not just origin.
- Escalating criticality: What is a prank in an e-rickshaw becomes a national security threat in a telecom tower battery system or a grid-scale BESS. The same Bluetooth BMS architecture is deployed in warehouses, ports, industrial automation, and increasingly in defence platforms — meaning the e-rickshaw incident is a proof-of-concept for higher-stakes attacks.
- Global regulatory contrast: The EU Cyber Resilience Act (CRA) mandates secure-by-design requirements and Software Bills of Materials (SBOMs) for all products with digital elements; full compliance required by December 2027. The EU Digital Battery Passport mandates traceability of battery components and software. The US NIST Secure Software Development Framework and Executive Order 14028 (2021) require SBOM submission for federal software procurement. India has no equivalent binding standards for connected battery products.
- The SBOM opportunity: A Software Bill of Materials is a machine-readable inventory of every software component — libraries, firmware, dependencies — in a product. Mandating SBOMs for BMS products would enable rapid identification of vulnerabilities across a fleet (e.g., all e-rickshaws using the same firmware) and shift accountability to manufacturers and importers.
- In favour — The incident reveals a systemic gap, not an isolated event: The e-rickshaw BMS vulnerability is an instance of a class of connected-device risks that will multiply as India deploys EVs, smart grids, and industrial IoT at scale. A standards framework addressing this now is far less costly than managing incidents later.
- In favour — India’s EV ambition demands supply chain security: The PM Electric Drive Revolution in Innovative Vehicle Enhancement (PM E-DRIVE) scheme and Production Linked Incentive (PLI) targets for Advanced Chemistry Cell (ACC) batteries presuppose safe, secure battery systems. Ignoring BMS cybersecurity undermines both the EV transition and national security simultaneously.
- In favour — SBOM and CERT-In guidance can be made binding through battery standards: Bureau of Indian Standards (BIS) and the Automotive Research Association of India (ARAI) already set safety standards for batteries; incorporating CERT-In’s SBOM and secure-development guidance into these standards would create an actionable, binding pathway without requiring new legislation.
- In favour — “Trustworthiness” over “origin” is the right policy frame: An origin-based ban (blocking Chinese BMS) creates diplomatic friction, reduces competition, and can be circumvented through re-labelling. A performance-based trustworthiness standard — rigorous testing, verified secure development practices, SBOM disclosure — is more durable and consistent with India’s WTO obligations.
- Against — Regulatory capacity is limited: India currently lacks the testing infrastructure and regulatory bandwidth to implement rigorous SBOM-based audits across millions of low-cost BMS units in the informal e-rickshaw market. Standards that cannot be enforced create false assurance.
- Against — Cost burden on low-income operators: Requiring secure-by-design BMS with authenticated Bluetooth, firmware integrity verification, and lifecycle traceability will raise battery costs — passed on to e-rickshaw drivers who are predominantly informal, low-income workers with no buffer for higher equipment costs.
- Against — App removal may be adequate for the immediate e-rickshaw risk: The BMS vulnerability in e-rickshaws is operationally annoying but not life-threatening (Bluetooth range is short; lead-acid vehicles are unaffected). Critics could argue that the editorial overstates the immediate threat and that the more pressing critical-infrastructure BMS risks already fall under NCIIPC’s mandate.
- Against — Geopolitical framing risk: The editorial’s explicit pivot away from “where the software originated” is analytically correct but may be politically difficult to operationalise. In the current India–China technology context, origin-agnostic trustworthiness standards may face resistance from security agencies that favour blanket technology restrictions.
- Incorporate CERT-In’s SBOM and secure-software-development guidance into BIS battery standards and ARAI homologation norms — making software provenance, firmware integrity, and vulnerability disclosure mandatory for any BMS sold or imported in India, shifting from voluntary guidance to binding standards.
- Extend NCIIPC’s jurisdiction explicitly to cover grid-scale BESS and commercially deployed battery systems in critical sectors (telecom towers, ports, warehouses, defence) — filling the current gap between CII-designated infrastructure and commercial deployments.
- Mandate authenticated Bluetooth connections (no default or blank passwords) as a minimum standard for all Bluetooth-enabled BMS — a low-cost, high-impact fix that eliminates the specific vulnerability exploited in the Delhi e-rickshaw incident.
- Establish a coordinated vulnerability disclosure (CVD) mechanism for connected battery products — so researchers who discover BMS vulnerabilities can report them to manufacturers and CERT-In without legal risk, enabling proactive patching rather than reactive app bans.
- Draw on the EU Cyber Resilience Act (CRA) and Digital Battery Passport frameworks to develop an India-specific Battery Cybersecurity Standard covering lifecycle traceability, software update infrastructure, and supply-chain integrity — moving the conversation from technology origin to demonstrable trustworthiness.
- BMS apps exploited: BAT-BMS and Epoch Li-ion (Chinese-developed); Lossigy and SMART BMS (similar architecture). Exploited BMS units accepted Bluetooth connections with weak or default credentials, allowing anyone within range to activate the battery discharge switch and cut power.
- Only lithium-ion BMS-equipped e-rickshaws affected: Vehicles running on older lead-acid or dry batteries lack Bluetooth connectivity and are therefore not vulnerable — an important Prelims distinction.
- EU Digital Battery Passport: An EU Battery Regulation requirement mandating a digital record of battery composition, carbon footprint, supply chain, and end-of-life information — extending traceability requirements to software and firmware.
- Intro: Contextualise the Delhi BMS incident as a proof-of-concept for connected-device cybersecurity failures; distinguish the immediate e-rickshaw disruption from the larger risk to critical infrastructure.
- Body 1 — The regulatory gap: CERT-In (non-binding guidance), NCIIPC (CII only), CEA/DoT (functional safety, not BMS-specific) — show how connected battery products fall between existing mandates.
- Body 2 — Global frameworks: EU CRA (SBOM mandate, secure-by-design, Dec 2027), EU Digital Battery Passport, US EO 14028/NIST SSDF — draw contrast with India’s reactive app-removal approach.
- Body 3 — Way forward: BIS standards incorporating SBOM + CERT-In guidance, mandatory authenticated Bluetooth, NCIIPC jurisdiction extension, CVD mechanism, and a trustworthiness (not origin-based) policy frame.
- Conclusion: India’s EV ambition and digital infrastructure expansion demand proactive, standards-based cybersecurity governance of connected battery systems — building resilience into the supply chain rather than responding to individual incidents.
Consider the following statements regarding India’s cybersecurity institutional framework:
1. The National Critical Information Infrastructure Protection Centre (NCIIPC) functions under the Ministry of Electronics and Information Technology (MeitY).
2. CERT-In is constituted under Section 70B of the Information Technology Act, 2000, and mandates reporting of cybersecurity incidents within six hours of detection.
3. The EU Cyber Resilience Act requires manufacturers to maintain a Software Bill of Materials (SBOM) for products with digital elements, with full compliance mandated by December 2027.
Which of the statements given above are correct?
Statement 1 — Incorrect. NCIIPC functions under the Prime Minister’s Office (PMO) as a unit of the National Technical Research Organisation (NTRO) — not under MeitY. CERT-In is under MeitY; NCIIPC is under PMO/NTRO.
Statement 2 — Correct. CERT-In is constituted under Section 70B, IT Act, 2000, and the 2022 CERT-In Directions mandate reporting within six hours of detection or knowledge of a cybersecurity incident.
Statement 3 — Correct. The EU Cyber Resilience Act (CRA) mandates that manufacturers maintain a machine-readable SBOM for products with digital elements and make it available to market surveillance authorities; full compliance is required by December 2027.
Wealth of Lacunae: Cybersecurity and Transparency Are Non-Negotiable in Vital Installations
Editorial — The Hindu- Ransomware group World Leaks published nearly 19,000 files (14.3 GB) linked to India's largest nuclear plant — Kudankulam Nuclear Power Plant (KKNPP), Tamil Nadu — after compromising systems of Reliance Infrastructure, an engineering contractor for Units 3 and 4, with data hosted on Yotta Data Services.
- Files include engineering drawings, ventilation and cooling system layouts, floor plans, internal minutes of meetings between Indian and Russian (Rosatom) engineers, vendor/supplier lists, and insurance documents — spanning 2016 to mid-2025.
- NPCIL insists files pertain only to common service facilities outside the nuclear island and do not relate to nuclear safety or security systems — but the editorial argues that even non-operational data enables adversarial "intelligence preparation."
- The deeper editorial argument: India's breach disclosure regime is inconsistent and opaque. Yotta detected suspicious activity on 29 May; data appeared publicly on 11 June; NPCIL issued a formal clarification only on 15 July — a 35-day lag — and only after widespread media reports. Basic cyber-hygiene and proactive communication are, the editorial concludes, non-negotiable.
- Kudankulam Nuclear Power Plant (KKNPP): Located in Tamil Nadu; India's largest nuclear power station and one of seven nuclear plants in India; built in collaboration with Russia's Rosatom. Reliance Infrastructure won a contract in 2018 to design and build infrastructure for Units 3 and 4 (still under construction; targeted commissioning 2027; combined capacity 2,000 MW).
- 2019 precedent: Malware was detected on KKNPP's administrative network in 2019; NPCIL maintained the operational reactor network was unaffected — establishing a pattern of security incidents paired with opaque public communication at the same facility.
- World Leaks: A well-known ransomware-as-a-service group that has previously targeted Nike and Tata Group. In June 2026 the group reportedly demanded USD 1.5 million to keep Tata Group files (containing Apple and Tesla proprietary designs) private; when ignored, it published. Its modus operandi: steal → demand ransom → publish on dark web if refused.
- CERT-In (Section 70B, IT Act, 2000): India's national cyber incident response body under MeitY; 2022 Directions introduced a mandatory 6-hour incident reporting window; non-compliance attracts penalties under Section 70B. CERT-In is currently investigating the Kudankulam breach.
- Critical Information Infrastructure (CII): Designated under Section 70, IT Act, 2000; any attack on CII is a cognisable offence; NCIIPC (National Critical Information Infrastructure Protection Centre) under PMO/NTRO is the nodal protection body.
- India's cyber threat landscape: Cybersecurity incidents rose from 10.29 lakh (2022) to 22.68 lakh (2024); cybercrime losses projected at ₹20,000 crore across sectors in 2025. Notable prior attacks: AIIMS Delhi ransomware (23 November 2022) — servers down 10+ days, ~3 million patient records at risk; airlines; State government portals.
- Atomic Energy Act, 1962: Governs nuclear security in India; nuclear energy is a Union subject. NPCIL (operator, under Department of Atomic Energy) is distinct from AERB (Atomic Energy Regulatory Board — independent nuclear safety regulator).
- Supply chain as the weakest link: The breach did not penetrate the nuclear island — it exploited a secondary contractor (Reliance Infrastructure) and its third-party data host (Yotta), effectively bypassing the national security perimeter. The incident is a landmark example of supply chain attack on critical infrastructure: security is only as strong as its weakest contractor.
- The three-tier disclosure failure: Yotta detected suspicious activity (29 May) → data appeared on World Leaks website (11 June) → NPCIL formally communicated (15 July) — a 35-day gap between public exposure and official acknowledgement, exemplifying the opacity the editorial critiques.
- "Intelligence preparation" risk: Vendor lists, joint inspection records, and layout information for ventilation and cooling systems — even if outside the nuclear island — constitute meaningful inputs for adversarial targeting, sabotage planning, and social engineering of supply chain actors.
- Organisational culture of concealment: Affected organisations delay disclosure fearing damage to public confidence, share prices, contracts, and regulatory scrutiny. Many also lack mature incident response capabilities — treating cybersecurity as compliance rather than necessity — making early-stage damage assessment technically impossible.
- India as a high-value target: India is described in the editorial as the third-most breached country; KKNPP is the centrepiece of India's nuclear power expansion ambitions under PM Modi — making it a high-profile target for state-sponsored actors as well as criminal ransomware groups.
- In favour — Supply chain regulation gap is real and urgent: India's CII framework (Section 70, IT Act) protects primary operators but imposes no equivalent cybersecurity obligations on Tier-2 and Tier-3 contractors — a structural gap this incident vividly illustrates. CERT-In's 6-hour mandatory reporting rule was demonstrably not followed.
- In favour — Transparency has a constitutional and democratic basis: Article 19(1)(a) and the RTI Act, 2005 create a normative expectation of disclosure; when critical public infrastructure is compromised, Parliament and citizens have a legitimate interest in knowing the extent and nature of the breach.
- In favour — Nuclear credibility and diplomatic stakes are high: Opacity damages public trust, deters private investment in nuclear expansion, and creates friction with partner nations — especially Rosatom, whose engineers' joint inspection records are among the leaked files.
- In favour — CERT-In's audit mandate needs teeth: CERT-In conducted nearly 10,000 audits across critical sectors in FY 2024–25, but contractor-level audit obligations remain weak. Extending CII cybersecurity requirements down the supply chain is administratively feasible and legally grounded in Section 70.
- Against — Over-disclosure risks adversarial advantage: In nuclear security contexts, excessive public communication about leaked material may assist adversaries in confirming authenticity or identifying gaps — a legitimate reason for calibrated, rather than radical, transparency.
- Against — Operational reactor networks are air-gapped: The direct threat to nuclear safety is low; reactor operational networks are physically separated from contractor-managed administrative systems. There is a risk that public alarm is disproportionate to actual danger.
- Against — Attribution and file authenticity are unverified: Reuters and independent researchers reviewed the files but could not independently verify their authenticity. The government's account of what was and was not compromised has not been independently audited.
- Against — App-layer and contractor-level fixes may suffice: The specific breach required no penetration of NPCIL's own systems; mandatory contractual cybersecurity clauses, regular third-party audits, and credential hygiene for contractors may address the vulnerability without legislative overhaul.
- Extend CII cybersecurity obligations down the supply chain: amend CERT-In directions or issue binding guidance requiring Tier-2 and Tier-3 contractors of CII projects to undergo mandatory annual cybersecurity audits, air-gapping of sensitive project data, and 6-hour incident reporting — closing the contractor gap the Kudankulam breach exposed.
- Create a Nuclear Cyber Security Unit within NPCIL and AERB for dedicated red-team exercises, contractor security audits, and supply chain penetration tests — modelled on the US Nuclear Regulatory Commission's (NRC) cybersecurity framework.
- Develop a graduated public disclosure protocol: not all breaches merit the same level of communication; CERT-In should serve as the authority for managing disclosure timelines, balancing national security with the citizen's legitimate right to know.
- Investigate the 35-day disclosure gap: CERT-In and NPCIL must clarify whether the mandatory 6-hour reporting norm was complied with; if not, accountability must be fixed under Section 70B.
- Mandate contractor cybersecurity clauses in all nuclear and CII project contracts — requiring vendors to disclose breaches immediately, maintain secure development practices, and accept third-party audits as conditions of contract.
- Documents leaked (2016–2025): engineering drawings, ventilation/cooling system blueprints, floor plans of a common control room, Indian–Russian joint inspection records, vendor/supplier lists, insurance documents. Reuters reviewed but could not verify every file's authenticity.
- AIIMS Delhi ransomware (23 Nov 2022): Servers down 10+ days; ~3 million patient records at risk; ~1.3 TB of data on 5 servers encrypted — India's most cited prior attack on critical health infrastructure.
- Intro: Define CII and the supply-chain attack vector; cite KKNPP–Reliance–Yotta incident as the live context alongside AIIMS 2022 to establish a pattern.
- Body 1 — The supply-chain gap: Section 70 protects primary operators but not Tier-2/3 contractors; CERT-In's 6-hour rule demonstrably not followed; contractor-level audit obligations remain weak despite 10,000 CII audits in FY25.
- Body 2 — Disclosure opacity: 35-day lag at Kudankulam; organisational incentive to conceal; the DPDP Act 2023 vs CERT-In dual-obligation framework; tension between security and transparency.
- Conclusion: Extend CII obligations down the supply chain; create a Nuclear Cyber Security Unit; develop a graduated disclosure protocol; mandate cybersecurity clauses in all CII project contracts.
Consider the following statements regarding India's cybersecurity framework for critical infrastructure:
1. The National Critical Information Infrastructure Protection Centre (NCIIPC) functions under the Prime Minister's Office and is constituted under Section 70A of the IT Act, 2000.
2. CERT-In's 2022 Directions require organisations to report cybersecurity incidents within 24 hours of detection.
3. Under the Atomic Energy Act, 1962, nuclear energy is a Union subject, and NPCIL (operator) and AERB (regulator) are separate bodies.
Which of the statements given above are correct?
Statement 1 — Correct. NCIIPC functions under the Prime Minister's Office (PMO) as a unit of NTRO and is established under Section 70A, IT Act, 2000.
Statement 2 — Incorrect. CERT-In's 2022 Directions mandate reporting within six hours of detection — not 24 hours. This is one of the shortest mandatory reporting timelines globally.
Statement 3 — Correct. Nuclear energy is a Union subject under the Atomic Energy Act, 1962. NPCIL (Nuclear Power Corporation of India Limited, under DAE) is the commercial operator, while AERB (Atomic Energy Regulatory Board) is the independent safety regulator — they are distinct bodies.


