India's cybersecurity wakeup call

CE speaks to IIIT-H director Prof Sandeep K Shukla about how cybersecurity has evolved from simple data encryption to defending entire digital ecosystems
IIIT-H director, prof Sandeep K Shukla

Cybersecurity isn’t just about protecting data anymore; it’s about defending the digital backbone of modern India. Every connection, be it a UPI payment or a link in the power grid, is another opening for risk. Long before cybersecurity became a popular and widely discussed topic, Professor Sandeep K Shukla, director of IIIT Hyderabad, was ahead of the curve on the subject. Getting candid with CE, he speaks about the next steps in securing India’s critical infrastructure, and utilising AI for protection against cyber threats.

Excerpts


How has cybersecurity shifted from safeguarding data to digital trust?

In 2002–03, it was viewed as a system administrator’s problem. Attacks like Code Red were routine, and research focused on cryptography, which was ineffective once malware exploited software flaws. A global vulnerability market soon emerged, where zero-day, zero-click bugs in major platforms became million-dollar assets traded legally and on the dark web, sustaining a government-criminal exploit ecosystem. Stuxnet in 2010 transformed the field. Using unknown vulnerabilities, it damaged Iran’s Natanz facility and proved cyberattacks could disrupt physical systems worldwide. Its unintended spread highlighted how malware can escape control. Later, returning to IIT Kanpur in 2015, I found India’s research still cryptography-centric. To fill gaps in malware, intrusion detection, and cyber-physical security, I built India’s first cyber-physical testbed — covering power, water, and industrial control — with SERB/ANRF support. We uncovered critical vulnerabilities and expanded into broader security research. In 2020, a ₹170-crore DST grant led to the creation of the C3I Hub, India’s national Technology Innovation Hub for Cybersecurity.

If you could redesign India’s national cybersecurity roadmap today, what would be your top three priorities for the next decade?

First, we need regulations across sectors. Medical devices like pacemakers or insulin pumps must undergo tests in approved labs before entering the Indian market. Security cannot be 100% guaranteed — absence of bugs cannot be proven — but due diligence must be enforced. Other sectors include power, chemical, oil and gas, and transportation.
Second, we must address the mobile phone ecosystem. About 75% of India’s phones are of Chinese origin, and others also send connections to various IPs and URLs. These connections are encrypted, so we don’t know if personally identifiable information is sent, but behavioural data is extremely valuable for adversaries. Mind hacking is now a serious threat. Even new phones connected to Wi-Fi (without a SIM) start connecting to many IP addresses because of bloatware — bundled software that users cannot uninstall. South Korea has banned bloatware. China mandates that users must be able to uninstall it. India has no such regulation. We’ve been warning about this for 3 to 4 years, but nothing has been done.
Third, India lacks technological and digital sovereignty. Our supply chain depends heavily on foreign software. We do not have sovereign cloud, email, social media, messaging, or OS alternatives. Even if companies are not reading email content, metadata flows out. Metadata is extremely powerful for influencing populations. The government must invest in research, education, and development of sovereign technology.

You aim to build a world-class cybersecurity research center at IIIT Hyderabad. What does that vision look like in tangible terms?

At IIIT Hyderabad, I am focusing on AI cybersecurity.
There are two parts:
1. How AI can be leveraged to improve cybersecurity — better cyber response, more automation in governance, surveillance, and attack response.
2. How to secure AI itself — AI is vulnerable. Someone can exploit your use of AI to attack you. For example, if you use an AI like Gemini, and your system is fed malicious prompts from somewhere else, it can lead to attacks on your machine.
We are also working on cybercrime — social engineering, investment scams, digital arrests, lottery scams. One part is investigation, forensics, tracking mule accounts, cryptocurrency trails. Another part is intervention. We also want to build digital-twin-based cybersecurity research. Instead of buying expensive physical equipment for testbeds, digital twins can simulate disaster scenarios, show attack pathways, and help infrastructure operators understand consequences. It allows experimentation without physical systems.

How do you plan to weave cybersecurity into IIIT Hyderabad’s ecosystem to create an integrated model of digital resilience?

IIIT Hyderabad is well known for AI. It has the Centre for Computer Vision (CVIT), the Robotics Research Center (RRC), and centers for data science, machine learning, and language technology. Cybersecurity has existed mostly as an academic effort. Now we want to integrate AI deeply into cybersecurity work, and ensure AI systems themselves cannot be exploited. Many interventions in cybercrime will require AI and ML. Digital twin research will require massive data analytics, AI, ML, deep learning, and language models. AI and cybersecurity fit very well together, and IIIT Hyderabad’s strengths will help build better research, innovation, and impact.

How close are we to building systems that are not just secure but also self-healing?

I don’t think we are close. Small lab demonstrations are possible — for example, multiple agents where one detects a denial-of-service attack, another agent automatically changes firewall settings to block the IP, and the system continues functioning. You could call that self-healing. But expecting a system that is completely autonomous, detects and responds to attacks without human intervention, and logs everything while remaining glitch-free is unlikely. Cyberattacks are extremely varied. Many are persistent attacks that remain hidden for months before manifesting. Fully self-healing systems that eliminate the need for human involvement may not even be possible. I’m not very optimistic about that.

India’s digital economy is booming. Are we as a nation digitally mature enough to protect what we’ve built?

India’s banking and financial sector has been highly proactive on cybersecurity. SEBI issued guidelines in 2015, followed by RBI in 2016, mandating strong security measures, qualified CISOs, six-monthly audits, and regular submissions. RBI also conducts its own CSITE audits, and SEBI now carries out surprise checks. NPCI, which runs UPI, also maintains strong cybersecurity, making the payments ecosystem relatively robust. While not 100% secure, enforcement and monitoring are serious, and regulated entities show high awareness and due diligence. Beyond BFSI, however, the situation is weaker. Hospitals and power utilities, except leaders like Tata Power and CESC, lag behind, as do most manufacturing firms aside from large players such as Reliance. Regulators in these sectors do not treat cybersecurity as a key requirement, creating major gaps. Most payment-related frauds stem from social engineering, not technical flaws in UPI or NPCI. Other sectors are improving, but still have far to go.

You co-directed the National Centre for Cyber Defence of Critical Infrastructure. What lessons from that experience shape your view of India’s next-generation cybersecurity strategy?

One of the major lessons was that many devices used in critical infrastructure environments contain serious vulnerabilities. In our cybersecurity centre, we had real testbeds with equipment used in power generation and distribution substations. We found many high-severity vulnerabilities in devices widely sold in the Indian market by companies. This means organisations are buying equipment, not testing it properly, and deploying it directly in operational control systems for power and manufacturing. This points to the need for regulations requiring mandatory cybersecurity testing before deployment. Companies must perform risk assessments, configure proper controls, and invest in securing their infrastructure. Regulators across manufacturing, power, nuclear, and other sectors must create stringent cybersecurity requirements.
The second lesson is the need for workforce development in Operational Technology security. In India, people receive training in IT security and cryptography, but OT security — which is crucial for manufacturing plants and power systems — still lacks adequate education and training programs. The government must invest far more in cybersecurity education, research, and creating an innovation ecosystem.
The third lesson concerns supply chain dependence. Most tools, technologies, and equipment we use are foreign. We must build more of this technology in India, from compute stacks to applications. Supply chain security is a strategic requirement, and our future cyber strategy must address it.

You’ve often argued that cybersecurity is interdisciplinary. How do you plan to embed that thinking into IIIT Hyderabad’s learning culture?

Many people may wonder what this has to do with engineering or cybersecurity. But understanding digital economy acceptance, trust, and behavioural responses to cybercrime is essential. My student from IIT Kanpur developed a survey instrument with economists, conducted field surveys across North, West, and East India, and used econometric models to extract insights that would not be possible without interdisciplinary work. IIIT Hyderabad already has a strong humanities group including economists, sociologists, philosophers, political scientists, and historians. Not all will work directly on cybersecurity, but many will help us bring realism, societal understanding, behavioural insight, and economic scale considerations to our research. Interdisciplinary thinking will be essential to what we build.

The New Indian Express
www.newindianexpress.com