OT Security in India's Critical Infrastructure: Still the Weakest Link

28 May 2026 · 8 min read

Welcome to the world of Operational Technology (OT). If you haven't heard the term, you are not alone — most people in IT security have never worked with it. But OT runs everything that keeps a modern society functioning: the controllers that balance voltage across a power grid, the systems that open and close water treatment valves, the signalling equipment that routes trains, and the SCADA platforms that monitor oil and gas pipelines from a central control room.

Unlike IT, where a breach means stolen data, an OT compromise can mean a power plant that won't restart, a water treatment facility that discharges untreated chemicals, or a railway junction that stops routing trains. The stakes are physical, not digital.

And the gap between India's IT security posture and its OT security posture is alarmingly wide.

96% of OT environments globally now have direct connections to IT networks, according to Dragos's 2026 OT Cybersecurity Year in Review. The old air gap — the assumption that industrial systems are physically isolated from the internet — is gone. What replaced it is a patchwork of half-firewalled connections, remote-access VPNs running on decade-old firmware, and SCADA systems reachable from the corporate LAN.

Why OT is different — and harder

IT systems prioritise confidentiality — keep the data secret. OT systems prioritise availability and safety — keep the equipment running. An IT server can be rebooted in minutes. A blast furnace control system going offline can take a steel plant out of production for weeks. Many OT devices run Windows XP, proprietary real-time operating systems, or firmware so old the vendor no longer supports it. Patching requires maintenance windows scheduled months in advance.

The protocols that run these systems — Modbus, DNP3, PROFINET — were designed in the 1970s and 1980s for physically isolated plants. They have zero built-in authentication or encryption. When these protocols now traverse enterprise networks or connect to cloud SCADA dashboards, they carry none of the security that IT engineers take for granted.

For India, the scale makes the problem acute. The Production Linked Incentive (PLI) scheme targets over INR 2 lakh crore in manufacturing output, much of it in smart factories with internet-connected equipment. ONGC operates over 200 offshore platforms with SCADA systems controlling critical drilling and safety shutdowns. Indian Railways runs one of the world's largest rail networks on a mix of modern and legacy signalling control systems. NTPC manages 73 GW of generating capacity across networked control rooms. Every connected sensor, controller, and historian expands the attack surface.

The threat landscape in India

India reported a 15% year-on-year increase in cyber incidents affecting critical infrastructure in 2024-25, according to CERT-In's annual report. The energy and manufacturing sectors together accounted for over 40% of reported OT incidents.

Multiple documented cases show this is not hypothetical:

Mumbai Power Outage (October 2020). A large-scale blackout affected millions across Mumbai. Investigations by Recorded Future and reporting by The New York Times linked the intrusion to the RedEcho group, a Chinese state-sponsored threat actor targeting Indian power sector organisations since at least 2020. Malware was found at a State Load Despatch Centre. Source: Recorded Future

RedEcho Campaign (2020-2022). The group targeted over 10 Indian power sector organisations, including four of India's five Regional Load Despatch Centres — the nerve centres that balance electricity supply and demand across the country's grid. MITRE ATT&CK tracks this as campaign C0043. The attackers gained persistent access to OT-adjacent networks, suggesting pre-positioning for disruptive operations. Source: MITRE ATT&CK

Ladakh Grid Probing (December 2021 — April 2022). China-based threat actors conducted multiple confirmed probing attacks on the Ladakh power grid, according to statements by Union Power Minister RK Singh in Parliament. The region, a sensitive border area with significant Indian military presence, saw repeated intrusion attempts targeting the local power distribution network. Source: The Hindu

JNPT Port ICS Breach (July 2025). A third-party contractor at Jawaharlal Nehru Port Trust was compromised via phishing. The attacker pivoted from IT to OT networks through a misconfigured firewall, gaining access to container terminal control systems. Ports are a clear example where OT compromise directly threatens strategic logistics. Source: Business Today

CCL Coal Supply Chain Attack (May 2025). Attackers shifted strategy from targeting power generation itself to upstream supply chains — compromising coal-handling SCADA systems at Central Coalfields Limited facilities to disrupt fuel supply to thermal plants. This represents a maturation of attacker methodology: targeting pinch points further up the value chain. Source: Times of India

During Operation Sindoor (May 2025), over 200,000 cyberattacks targeted Indian critical infrastructure. Power grids faced coordinated attempts from at least 35 hacktivist groups aligned with adversary states. The attacks were repelled — but the volume hints at what a coordinated state-level campaign could achieve. Source: WION

The defence dimension — why OT security is military readiness

This is the piece that most analysis misses. OT security is not just an industrial safety concern. It is a military readiness issue.

A modern military deployment depends on the civilian power grid. Tanks are fuelled at depots that run on grid electricity. Troops are moved by rail, which depends on signalling SCADA systems. Ammunition is manufactured in factories running industrial control systems. Communication nodes, radar installations, and logistics hubs all draw power from the same substations that serve municipal customers.

If an adversary compromises the OT layer of India's power grid, they do not need to shoot at a single soldier. They can black out the rail corridor used to move a division to the border, halt production at a defence manufacturing facility, or disrupt the power supply to a forward airbase.

Ukraine has already demonstrated this. Since 2015, Russian cyber operations have repeatedly targeted OT infrastructure — power substations, railway control systems, and fuel depots — in coordination with kinetic strikes. The Sandworm group's attacks on Ukrainian power grids in 2015 and 2016 proved that OT intrusions can be sequenced with military operations. The UK's CSC 2.0 report on military mobility explicitly identifies OT security as a factor in force deployment timelines. Source: Dragos — Sandworm analysis

For India, the implications are direct and geographic. The Ladakh grid probing attempts happened precisely because of the region's military significance. A compromised power distribution SCADA in the North-east could slow troop movement through the Siliguri Corridor — India's narrowest strategic land bridge, a 22-kilometre-wide passage that connects the mainland to the North-eastern states. A railway SCADA intrusion could paralyse logistics for an entire theatre command.

The DRDO has faced repeated cyber intrusions, including the SideCopy APT group's spear-phishing campaigns targeting defence scientists. While these were primarily IT attacks aimed at data exfiltration, the trajectory points toward OT as the next target. Defence manufacturing facilities — ordnance factories, shipyards, aerospace plants — run on the same industrial control systems as civilian factories. Source: CERT-In advisories on SideCopy

The regulatory gap

India's NCIIPC (National Critical Information Infrastructure Protection Centre) classifies energy, transport, and water as critical sectors requiring mandatory protection. CERT-In's cybersecurity directions of April 2022 (amended 2023) require organisations to report cyber incidents within six hours and maintain logs for 180 days. The IEC 62443 standard for industrial cybersecurity is the framework most commonly referenced.

But classification and implementation are different things. Many state electricity boards and railway zones lack basic OT segmentation — their SCADA networks are reachable from the same LAN that runs payroll and email. The CERT-In directions do not mandate IT-OT network separation. And IEC 62443 compliance in an Indian context means adapting the zone-and-conduit model to organisations that have grown organically, with legacy systems that predate modern networking.

What needs to change

Mandatory OT segmentation. Every critical infrastructure operator should be required to maintain a firewalled demilitarised zone between corporate IT and plant-floor OT, with no direct routing between the two. This is basic, relatively cheap, and effective — and most operators have not done it.

Passive OT asset discovery. A typical Indian power distribution company with 50,000 connected field devices has accurate visibility into fewer than 20% of those assets before a formal OT assessment. Passive monitoring tools that map OT devices without sending packets that could disrupt industrial processes should be the first step for every operator.
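Two points above, that Modbus carries no authentication and that passive monitoring should be the first step, can be shown together. The following is an added example, not code from the newsletter or any vendor product: a minimal passive Modbus/TCP monitor that parses captured frames, builds an inventory of unit IDs and function codes per target, and flags write function codes from any host outside an assumed engineering-workstation allowlist. The IP addresses, the allowlist and the sample capture are constructed for the example.

```python
import struct

# Modbus function codes that change process state (coil/register writes).
# Assumption for this example: any of these from an unexpected host is an alert.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU).
    Returns (transaction_id, unit_id, function_code, data) or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + whole PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return tid, unit, payload[7], payload[8:]

def passive_monitor(captures, engineering_hosts):
    """Inventory and alerts from captured frames. Sends nothing onto the OT network."""
    inventory = {}   # (dst_ip, unit_id) -> set of function codes observed
    alerts = []
    for src, dst, payload in captures:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            alerts.append(f"malformed Modbus/TCP {src} -> {dst}")
            continue
        _tid, unit, fc, _data = frame
        inventory.setdefault((dst, unit), set()).add(fc)
        if fc in WRITE_FUNCTIONS and src not in engineering_hosts:
            alerts.append(f"write fc={fc} to {dst} unit {unit} from unexpected host {src}")
    return inventory, alerts

def mbap(tid, unit, pdu):
    """Build a Modbus/TCP ADU around a PDU (used only to construct sample traffic)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample capture: (src_ip, dst_ip, raw TCP payload). All addresses assumed.
SCADA_MASTER = "10.20.0.5"           # assumed legitimate engineering/SCADA host
SAMPLE_CAPTURE = [
    (SCADA_MASTER, "10.20.1.10", mbap(1, 1, bytes([3]) + struct.pack("!HH", 0, 10))),   # read holding regs
    (SCADA_MASTER, "10.20.1.11", mbap(2, 2, bytes([1]) + struct.pack("!HH", 0, 8))),    # read coils
    ("10.10.5.77", "10.20.1.10", mbap(3, 1, bytes([6]) + struct.pack("!HH", 100, 1))),  # write from corporate LAN
    ("10.10.5.77", "10.20.1.10", b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),  # protocol id != 0
]

def run_example():
    return passive_monitor(SAMPLE_CAPTURE, {SCADA_MASTER})
```

In practice the capture list would be fed from a SPAN port or network tap rather than constructed inline; the point is that the inventory and alerts come from observation alone.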

OT-specific incident response. Most Indian cyber incident response plans are written by IT teams for IT environments. They assume you can isolate, patch, reboot, and restore from backup. In an OT environment, you cannot patch a live PLC without a scheduled outage. You cannot reboot a substation RTU without potentially triggering a blackout. Response plans must account for operational constraints.

Defence-OT integration. The Ministry of Defence and NCIIPC should run joint OT security exercises that simulate adversary compromise of power and rail SCADA systems feeding into military operating areas. Defence logistics depend on civilian infrastructure — that dependency needs to be war-gamed, not assumed.

The bottom line

The global OT security market is valued at USD 25 billion in 2026, growing at over 16% CAGR. India's share is rising, driven by grid expansion, smart cities, and industrial automation. But market size is not security posture. The adversary capabilities are maturing faster than defences are scaling.

India's critical infrastructure is held together by trust — trust that the air gap holds, trust that a contractor's laptop is clean, trust that nobody is watching the Modbus traffic. Every one of those assumptions has already been violated somewhere in the world. It is only a matter of time before they are tested here at scale.

And when they are, the cost will not be measured in compromised records. It will be measured in darkened cities, halted supply chains, and stalled military responses.

Sources: Dragos 2026 OT Cybersecurity Year in Review, CERT-In Annual Report 2024-25, Recorded Future — RedEcho, MITRE ATT&CK C0043, The Hindu — Ladakh grid, Business Today — JNPT, WION — Operation Sindoor, MarketsandMarkets — OT Security Market, NCIIPC, CERT-In
