Opsio - Cloud and AI Solutions

OT Security in Indian Energy: Protecting NTPC, PowerGrid, and ONGC Infrastructure

Reviewed by Opsio Engineering Team
Johan Carlsson

Country Manager, Sweden

AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

India's energy sector is the highest-priority target for OT cyber attacks - and also the sector where an incident carries the gravest national consequences. NTPC's 73 GW generation portfolio, PowerGrid's 1,73,000 circuit kilometre transmission network, and ONGC's 200-plus offshore platforms all run on operational technology that controls physical processes with life-safety and national security implications. India's Ministry of Power has documented a 300% increase in cyber attack attempts against the power sector between 2020 and 2024, a trajectory that CERT-In advisories confirm has continued into 2025. (Ministry of Power, 2024)

The Mumbai power disruption of October 2020, linked by Recorded Future to the RedEcho APT group, established that Indian energy infrastructure is not just theoretically at risk - it has been actively compromised by nation-state actors willing to pre-position capabilities for use during geopolitical crises. The ten Indian power sector organisations found to have RedEcho malware in their networks operated across generation, transmission, and distribution, demonstrating the breadth of targeting. (Recorded Future, 2021)

Key Takeaways

  • India's power sector saw a 300% increase in cyber attack attempts between 2020 and 2024 (Ministry of Power, 2024).
  • NTPC, PowerGrid, and ONGC operate some of India's most complex and highest-consequence OT environments.
  • The 2020 Mumbai power disruption confirmed nation-state pre-positioning in Indian energy infrastructure.
  • POSOCO and CERC have issued specific cybersecurity requirements for power sector OT systems.
  • Oil and gas OT security must address both IT/OT convergence and physical safety consequences of control system compromise.

What Makes Indian Power Sector OT Security Uniquely Complex?

India's power sector OT environment is characterised by scale, geographic distribution, and technology diversity that create security challenges not seen in smaller grid systems. The national grid spans from Kashmir to Kanyakumari and from Mizoram to Gujarat, with generation assets ranging from Himalayan hydroelectric stations to coastal thermal plants and Rajasthan solar farms. Each of these facilities uses OT equipment from different eras and different vendors, connected through a communications infrastructure that has grown organically over 40 years. POSOCO's Regional Load Despatch Centres and the National Load Despatch Centre manage this system through SCADA systems that must integrate data from thousands of substations and generating units. (POSOCO, 2025)

Distribution is the most vulnerable layer. India's 28 state-owned distribution companies (DISCOMs) operate SCADA systems and Advanced Metering Infrastructure (AMI) networks with widely varying security maturity. Some DISCOMs have deployed modern OT security controls; others run legacy SCADA systems with no authentication on critical interfaces. The Revamped Distribution Sector Scheme (RDSS) is funding SCADA and smart metering upgrades that will modernise distribution OT, but the security requirements built into these procurements determine whether the investment increases or decreases the risk exposure.

[CHART: Indian power sector OT attack surface - generation, transmission, distribution layers - Source: Opsio]

How Are NTPC and PowerGrid Approaching OT Security?

NTPC Limited has established a dedicated cyber security centre that covers both IT and OT environments. NTPC's generation plants use DCS and SCADA systems from multiple vendors - Siemens, ABB, GE, and Bharat Heavy Electricals Limited (BHEL) for domestically manufactured units - creating a heterogeneous OT landscape that requires vendor-neutral security monitoring. NTPC has implemented passive OT monitoring at key facilities and is working toward IEC 62443 alignment for new plant procurements. NTPC's cybersecurity function reports to the Board Risk Committee, reflecting the recognition that OT security is a board-level issue for a company managing national critical infrastructure.

PowerGrid Corporation operates 264 substations and the associated transmission network. PowerGrid's OT environment is dominated by substation automation systems, protection relays, and the Wide Area Monitoring System (WAMS) that uses phasor measurement units (PMUs) across the national grid. PowerGrid has invested in network segmentation between operational technology and the corporate IT network, and has implemented CERT-In compliant log collection and incident reporting procedures. PowerGrid's experience is particularly relevant for the security of India's HVDC links and the inter-regional transmission corridors that balance power across India's five regional grids.

What Security Controls Are CERC and MOP Requiring?

The Central Electricity Regulatory Commission (CERC) and the Ministry of Power (MOP) have progressively strengthened cybersecurity requirements for the power sector. The Indian Electricity Grid Code and CERC's cybersecurity guidelines reference IEC 62351 for protection of power system communication protocols, require network segmentation between operational and non-operational systems, and mandate incident reporting to CERT-In for significant cyber events. Power sector organisations must maintain cybersecurity plans approved by their respective Load Despatch Centres, creating a regulatory mechanism that covers both IT and OT security requirements. (CERC, 2025)

What Are the OT Security Challenges for ONGC and Indian Oil and Gas?

Oil and gas OT security in India presents different challenges from the power sector. Where power grid OT is primarily about preventing disruption, oil and gas OT must also prevent physical damage and safety incidents. A compromised safety instrumented system (SIS) at a refinery can disable the final layer of protection against a process exceedance that causes a fire or explosion. The 2017 TRITON/TRISIS attack against a Middle Eastern petrochemical facility's SIS - the first known malware designed specifically to target safety systems - demonstrated that adversaries are willing and able to target the systems designed to prevent industrial disasters. CERT-In has specifically warned Indian oil and gas operators about SIS-targeting malware families. (CERT-In, 2025)

ONGC's operational technology environment spans offshore platforms in the Mumbai High, Bassein, and Heera fields, onshore processing terminals, and pipeline networks connecting production to refineries. Each environment has distinct OT security requirements. Offshore platforms use satellite and microwave communications for connectivity, creating different network security challenges from the fibre-connected onshore facilities. The physical remoteness of offshore platforms makes incident response complex: if an OT security incident occurs on an offshore platform, the response team cannot quickly travel to site for hands-on remediation.

Reliance Industries and Private Sector Energy OT

Reliance Industries' Jamnagar refinery complex - the world's largest integrated refinery - operates one of India's most complex OT environments. With 1.4 million barrels per day of refining capacity, multiple refinery units, petrochemical plants, and a deep-water port, Jamnagar's OT environment encompasses thousands of PLCs, DCS nodes, and safety systems. Reliance has invested significantly in OT security, including dedicated OT security operations capabilities and IEC 62443-aligned security architecture for new projects. Reliance's scale and international business relationships have driven OT security investment ahead of many Indian peers.

India's pipeline network, operated by GAIL, IOCL, and HPCL, presents linear OT infrastructure challenges: thousands of kilometres of pipeline controlled by RTUs at distributed compression and metering stations, connected over a mix of communication technologies including satellite, GSM, and dedicated fibre. Securing this linear OT infrastructure requires a different approach from facility-based OT security - remote RTU hardening, communication channel security, and anomaly detection across geographically distributed assets.

[CHART: Indian oil and gas OT security zones - offshore, onshore, pipeline - Source: Opsio]

What Are the Operational Constraints on Energy Sector OT Security?

Energy sector OT security implementation faces operational constraints that IT security professionals find frustrating but operations engineers understand as non-negotiable. Power generation equipment cannot be taken offline for security maintenance during peak demand periods - NTPC's plants run at high availability factors because the grid cannot afford unplanned outages. Refinery process units run continuously for two to five years between planned turnarounds - the only windows when OT systems can be taken offline for significant maintenance including security remediation.

These constraints require a different approach to OT security programme management. Security improvements must be planned within operational calendars, not against IT security timelines. Compensating controls - network segmentation, monitoring, access controls - must carry the security load during long intervals between maintenance windows. Vendor coordination is essential: patching an ONGC offshore platform's DCS requires Honeywell or Yokogawa engineers to be present, which requires advance planning measured in months, not weeks.

Working with Indian energy sector clients, we find that the most effective OT security programmes in this sector are those that have secured operations leadership buy-in from the beginning. When the plant manager understands that the security controls being proposed will improve operational visibility - not just reduce cyber risk - the security programme finds allies rather than obstacles. Passive OT monitoring, for example, provides operators with better asset inventory and communications visibility than most energy sector OT teams had before security monitoring was deployed. The security value and the operational value are the same tool.

How Should Indian Energy Companies Structure Their OT Security Programme?

Indian energy sector OT security programmes should be structured around three pillars: visibility, protection, and response. Visibility means knowing what OT assets are connected, what they communicate, and what vulnerabilities they carry - achieved through passive monitoring and formal asset management. Protection means implementing the network segmentation, access controls, and configuration hardening that reduce the attack surface - implemented within operational constraints and validated through regular audits. Response means having tested plans for OT-specific incidents, pre-established CERT-In reporting procedures, and relationships with OT security specialists who can provide technical assistance during an incident.
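The visibility and protection pillars can be shown together in a short sketch, added here as an illustration and not taken from Opsio or any utility's tooling: it builds an asset inventory from passively observed flows and flags traffic that falls outside the approved zone-to-zone conduits. The zone names, address ranges, conduit list and sample flows are all constructed assumptions; the port-to-protocol mapping uses the standard TCP ports for these protocols.

```python
import ipaddress
from collections import defaultdict

# Standard TCP ports of industrial protocols common in power and process OT.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 2404: "IEC 60870-5-104", 102: "IEC 61850 MMS"}

# Hypothetical zone plan (constructed addresses, not from the article).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/16"),
}
# Approved conduits: (source zone, destination zone, destination port).
CONDUITS = {
    ("corporate_it", "ot_dmz", 443),
    ("ot_dmz", "control", 2404),
    ("control", "control", 502),
    ("control", "control", 2404),
}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no planned range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def analyse(flows):
    """Return (inventory, violations) from passively observed (src, dst, dport) flows."""
    inventory = defaultdict(lambda: {"zone": None, "serves": set(), "peers": set()})
    violations = []
    for src, dst, dport in flows:
        for ip in (src, dst):
            inventory[ip]["zone"] = zone_of(ip)
        # Record which protocol the destination is seen serving.
        inventory[dst]["serves"].add(OT_PORTS.get(dport, f"tcp/{dport}"))
        inventory[src]["peers"].add(dst)
        inventory[dst]["peers"].add(src)
        # Anything not on the conduit list is a segmentation finding.
        if (zone_of(src), zone_of(dst), dport) not in CONDUITS:
            violations.append((src, dst, dport))
    return dict(inventory), violations

# Constructed sample flows, as a sensor on a tap or SPAN port might summarise them.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5", 443),     # office user to a DMZ service
    ("10.20.0.5", "10.30.1.10", 2404),    # DMZ gateway polling an RTU over IEC 104
    ("10.30.1.10", "10.30.2.40", 502),    # controller to field device, Modbus/TCP
    ("10.10.4.21", "10.30.2.40", 502),    # office host reaching a field device directly
    ("192.0.2.77", "10.30.1.10", 20000),  # unplanned address speaking DNP3 to the RTU
]

if __name__ == "__main__":
    inv, bad = analyse(SAMPLE_FLOWS)
    for ip, rec in sorted(inv.items()):
        print(ip, rec["zone"], sorted(rec["serves"]))
    for v in bad:
        print("outside approved conduits:", v)
```

Because the input is flow metadata from a passive sensor, nothing in this approach sends traffic to the controllers, which is what makes it usable between maintenance windows.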

The energy sector also needs an intelligence layer: understanding what threat actors are targeting Indian energy infrastructure, what techniques they use, and what indicators of compromise to look for. CERT-In's energy sector advisories, NCIIPC's CII protection guidance, and commercial OT threat intelligence from Dragos and Claroty provide this intelligence. Energy sector CISOs should ensure that OT threat intelligence is integrated into their monitoring and response programmes, not just filed as advisory documents.

Frequently Asked Questions

What happened in the 2020 Mumbai power incident?

In October 2020, Mumbai experienced a significant power outage. Subsequent investigation by Recorded Future, a US threat intelligence company, found evidence that the Chinese state-sponsored group RedEcho had pre-positioned malware across ten Indian power sector organisations in the months preceding the outage. The malware included ShadowPad, a sophisticated remote access tool. While causal attribution is complex, the incident demonstrated active targeting of Indian power sector OT infrastructure by nation-state actors. CERT-In subsequently issued multiple advisories about APT targeting of the Indian power sector. (Recorded Future, 2021)

What OT security standards apply to Indian power sector companies?

Indian power sector OT security is governed by NCIIPC's critical information infrastructure protection guidelines, CERC's cybersecurity guidelines, the Indian Electricity Grid Code cybersecurity provisions, and Central Electricity Authority (CEA) technical standards. IEC 62443 is the referenced technical standard for new system procurement. IEC 62351 applies specifically to security of power system communication protocols. CERT-In's April 2022 cybersecurity directions apply to incident reporting. POSOCO issues operational cybersecurity requirements for grid-connected entities. (CERC, 2025)

How does ONGC manage OT security for offshore platforms?

ONGC manages offshore platform OT security through a combination of network isolation (satellite communications with controlled access), site-specific security controls including physical access restrictions, and periodic security assessments. Remote vendor access to offshore OT systems is managed through onshore proxy systems rather than direct connections. ONGC has implemented CERT-In-compliant incident reporting procedures and works with NCIIPC through the critical infrastructure protection framework. Specific operational security details are not publicly disclosed for obvious reasons. (ONGC, 2025)

What is the impact of a successful OT attack on an Indian power station?

A successful OT attack on a major Indian power station could range from temporary disruption (forcing a controlled shutdown and restarting) to extended outage (if control system integrity is compromised and systems must be rebuilt) to physical damage (if attackers manipulate process parameters to damage equipment). The cascading economic impact of an extended outage at a major generation facility includes lost power sales, grid balancing costs for alternative dispatch, and economic impact on the industrial and commercial consumers who depend on that power. State-level outages cause economic losses measured in hundreds of crores per day. (Ministry of Power, 2024)

Are India's renewable energy plants as vulnerable as thermal and hydro plants?

Renewable energy OT environments - solar farms, wind farms, and their associated SCADA systems - are increasingly connected and present significant OT security vulnerabilities. Many renewable energy SCADA systems are deployed with default vendor credentials and minimal security configuration. Inverter management systems from major vendors have had documented vulnerabilities. The aggregated capacity of Indian renewable energy - targeted to 500 GW by 2030 - makes the renewable OT attack surface significant. Renewable energy OT is generally less mature in security terms than the established thermal and hydro sectors. (MNRE, 2025)

Protecting India's Energy Future

India's energy security and OT cyber security are inseparable. The investments being made in generation capacity, grid modernisation, and renewable energy integration are only as valuable as the security of the control systems that operate them. A nation that cannot protect its energy infrastructure from cyber attack is strategically vulnerable in ways that go beyond the direct cost of any individual incident.

The good news is that Indian energy sector organisations - NTPC, PowerGrid, ONGC, and the better-resourced DISCOMs - are investing in OT security at a rate that is beginning to match the sophistication of the threats they face. The challenge is ensuring that the entire sector - including smaller state utilities and the growing renewable energy operators - reaches a minimum security baseline before the threats find the weakest links.

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.