Contents
Introduction
Economic Survey 2025–26 identifies cyber resilience as integral to infrastructure growth, while Budget 2026–27 prioritises secure digital infrastructure. The Kudankulam EPC data leak illustrates that outsourced execution cannot outsource national cybersecurity responsibility.
What makes EPC models vulnerable?
- Engineering, Procurement and Construction (EPC) contracts distribute construction and financial risks across multiple private entities.
- However, they also create an extensive digital ecosystem involving EPC contractors, OEMs, cloud providers, consultants and subcontractors, expanding the cyber-attack surface. Example: Kudankulam BoP leak.
How Third-Party EPC Models Expose Critical Infrastructure
- Data Proliferation Across Vendors: Detailed engineering drawings, layouts and procurement records are shared with multiple contractors. Every additional vendor creates another entry point for attackers. Example: Balance of Plant (BoP) documents.
- Supply-Chain Attack Surface: EPC contractors engage dozens of OEMs, software vendors and cloud service providers. Weakest vendor security determines overall security. Example: SolarWinds principle.
- Asymmetric Cyber Security: Core infrastructure generally remains air-gapped; auxiliary systems rely on commercial IT infrastructure. Attackers exploit support systems for reconnaissance. Example: Ventilation layouts.
- Commercial Cloud Dependency: Contractors often store sensitive project files on third-party servers. Misconfiguration or ransomware can expose strategic assets. Example: Yotta-hosted server.
- Fragmented Governance: Government agencies follow CERT-In, NCIIPC and sectoral cyber protocols. Private vendors exhibit uneven cybersecurity maturity. Example: Compliance gap.
- Extended Vendor Lifecycle: EPC contracts continue for years through construction, maintenance and upgrades. Long-duration access increases insider and credential risks. Example: Vendor credentials.
- Geopolitical Espionage: Nuclear, power, telecom and transport projects attract state-sponsored actors. Auxiliary data enables intelligence preparation even without reactor compromise. Example: DTrack malware (2019).
- Delayed Detection: Vendors often detect ransomware late due to inadequate monitoring. Incident reporting remains inconsistent despite CERT-In directions. Example: World Leaks incident.
Evaluating Vulnerabilities across Public-Private Infrastructure Frameworks
| Investment Dimension | Public Sector Environment (e.g., NPCIL) | Private EPC / Vendor Environment |
| Network Segregation | Air-gapped core systems: Complete isolation from public internet networks. | Cloud-integrated platforms: Interconnected systems using external third-party hosts. |
| Cyber Governance | Under direct oversight of specialized bodies like CERT-In and NCCC. | Fragmented compliance; heavily reliant on basic enterprise-level cybersecurity. |
| Vulnerability Visibility | Clear response mechanisms and high security auditing compliance. | High risk of delayed detection or failure to identify passive reconnaissance attacks. |
Way Forward
- Secure-by-Design Procurement: Mandatory cybersecurity clauses in EPC contracts; ISO 27001, IEC 62443 and NCIIPC compliance. Example: Bid qualification.
- Zero-Trust Supply Chains: Continuous authentication for vendors; least-privilege access architecture. Example: Zero Trust.
- Sovereign Data Hosting: Strategic infrastructure data hosted only on government-approved sovereign clouds. Example: MeghRaj.
- Continuous Third-Party Audits: Mandatory Vulnerability Assessment and Penetration Testing (VAPT) and periodic red-team exercises. Example: CERT-In audits.
- Vendor Cyber Rating: National cyber-security grading of EPC contractors, linked with future procurement. Example: Vendor certification.
- Integrated Public–Private Cyber Coordination: Joint Security Operations Centres (SOC), real-time threat intelligence sharing. Example: NCIIPC-CERT-In.
- Legislative Strengthening: Critical Infrastructure Cyber Security framework with mandatory reporting and penalties. Example: National Cyber Security Strategy.
- Capacity Building: Cybersecurity training for EPC contractors and subcontractors; dedicated cyber clauses in GFR and CVC procurement manuals. Example: Skill development.
Conclusion
Resilient infrastructure underpins national progress. India’s critical assets require secure-by-design procurement, sovereign data governance and trusted public-private cyber partnerships, making cybersecurity a strategic national capability.

