Connected devices may face mandatory security checks before you can use them
The proposed recommendations will require all connected devices in critical sectors—from medical scanners and smart meters to transport control systems and industrial equipment—to undergo verification of where they are sourced from, as well as rigorous security testing before deployment, these officials said on condition of anonymity.
The framework is being developed by the National Security Council Secretariat (NSCS), under the Prime Minister’s Office, according to the officials.
The move follows a government assessment that found glaring gaps in cybersecurity certification, exposing imported products and critical infrastructure to risks of malware and tampered components.
“There are lots of devices that are deployed in the power sector, health sector, and railways, for example. They all should be secured,” the first official said.
The official added that the initial timeline of 1 January 2027 to develop and implement a secure devices ecosystem policy—across pharmaceuticals, hospitals, ports and shipping, energy and power, and space industries—is expected to be pushed back, with the Centre mulling “three to four years” for industries to build capability to implement the policy.
The second official said that every sector needs to enhance its facilities to include cybersecurity, including as part of testing and certification, to have secured devices in the country. This official added that the proposed framework would be implemented through sectoral regulators.
A third official highlighted that the secured device policy may face challenges from industry stakeholders, who have said that adhering to technical norms that vary across sectors may be difficult for technology vendors.
“A BIS (Bureau of Indian Standards)-like certification standard that works uniformly across sectors is what India needs—which is where the secure devices ecosystem policy must head toward,” the third official added.
Queries emailed to the PMO and NSCS did not elicit any response till press time.
Taking after telecom
“While this is mandated as a licensing policy for telecom components, the idea behind it is to have a complete secure ecosystem inclusive of devices,” said Lt Gen (retd) M.U. Nair, who served as India’s national cybersecurity coordinator for two years until May this year.
“Every sector regulator needs to decide what the maturity level of devices are in the sector—without impacting on functional practical aspects on the ground,” Nair said.
According to Nair, the frameworks for secured devices should be laid down based on the criticality of each sector—from level zero to five. In strategic sectors like atomic energy and space, level five cybersecurity norms must be followed. In less strategic ones, the mandate can be lower, he explained.
“A national cyber reference framework had been created for giving a standard for one such model. Such recommendations need to be used as guidelines first, and based on implementation patterns, in another three to four years, these can become mandatory depending on sectoral maturity so that such standards become a practice. These are steps which are essential to keep our large Digital Public Infrastructure protected from ever-increasing cyber threats,” Nair further added.
The IoT threat
Cybersecurity for connected devices becomes critical in light of the proliferation of the internet of things (IoT), which connects everything from household appliances and hospital equipment to factory machines, cars, and power grids into vast, sensitive, interlinked digital networks that are vulnerable to intrusion and cyberattacks.
The reference telecom sourcing framework mentioned above states that equipment sourced requires mandatory testing and certification before being imported, sold or used in India, according to security regulations. With effect from 15 June 2021, telecom operators are permitted to connect only trusted products in their networks—as notified by the National Cyber Security Coordinator on the Trusted Telecom Portal.
Further, industry experts warned that since many of these devices are imported, they carry a higher risk of hidden vulnerabilities or embedded malware.
“It is important to make sure that the critical infrastructure is securely connected and checking the IoT devices for cybersecurity remains crucial as every device has memory, central processing unit (CPU), and can run software. All of them are susceptible to malware,” said Dhiraj Gupta, co-founder of mFilterIt, a fraud detection and prevention company.
Gupta explained that testing of these devices for cybersecurity can help detect basic weaknesses that can be misused for cyber attacks. As an example, he pointed to the case of the pager attack by Israel in Lebanon, where the explosion of those pagers was triggered by a normal alert or message sent to the pagers.
According to the India Cyber Threat Report 2025 by the Data Security Council of India (DSCI), set up by Nasscom, supply chain complexities in hardware will continue to pose challenges with tampered devices and IoT infrastructure.
“The proliferation of IoT devices will provide new opportunities for cybercriminals to create large-scale botnets. Poorly secured IoT and edge devices will be exploited to launch distributed denial-of-service (DDoS) attacks, disrupting critical services in sectors like manufacturing and healthcare that rely on edge computing,” the report said.
A DDoS attack occurs when compromised connected devices are turned into bots that collectively overwhelm a website, server, or online service—such as, say, a bank’s server—with massive traffic.
Cyber incidents on the rise
According to a government release dated 8 October, cybersecurity incidents in India rose from 1.02 million in 2022 to 2.27 million in 2024.
Besides, between October 2023 and September 2024, India recorded over 369 million malware detections, as per the India Cyber Threat Report 2025, which said healthcare was the most targeted industry followed by hospitality and BFSI (banking, financial services, and insurance).
“India’s digital ecosystem is entering a decisive phase, where every connected device from ATMs in banking to smart meters in energy grids, telecom base stations, and medical monitoring systems are now part of our critical infrastructure,” said Sundareshwar Krishnamurthy, partner and India Cyber Leader at PwC. “Securing these devices is no longer optional; it is central to building trust, resilience, and operational continuity.”
According to Krishnamurthy, securing devices across India’s digital infrastructure requires a layered approach—one that combines secure-by-design engineering, continuous monitoring, authenticated access, and proactive malware defence.
Tackling cyber threats
In September 2024, the government amended the Allocation of Business (AoB) Rules, 1961, to clearly define India’s cybersecurity governance framework and assign specific responsibilities to different ministries and agencies.
Under the revised structure, the department of telecommunications (DoT) is responsible for securing telecom networks, the ministry of electronics and information technology (MeitY) oversees broader cybersecurity matters, and the ministry of home affairs (MHA) handles issues related to cybercrime.
The National Security Council Secretariat (NSCS) has been designated as the nodal agency, tasked with providing overall coordination and strategic direction for cybersecurity across the government.