OT Security in Indian Manufacturing: Protecting PLI and Make in India Investments
Country Manager, Sweden
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia
India's PLI scheme has committed over INR 1.97 lakh crore to building world-class manufacturing capacity - and every rupee of that investment sits on an OT network that needs securing. Smart factories, connected production lines, and Industry 4.0 deployments are the physical infrastructure of Make in India. They are also a growing attack surface that adversaries - from state-sponsored industrial espionage groups to opportunistic ransomware operators - are actively mapping and targeting. The manufacturing sector accounted for 23% of all OT security incidents globally in 2025, second only to energy. (Dragos, 2025)
India's manufacturing cyber risk is amplified by the pace of expansion. New PLI-funded facilities are coming online at a rate that makes security an afterthought in many project timelines. Legacy factories are adding connectivity without removing the vulnerabilities that isolation previously obscured. Supply chain complexity - with components, equipment, and support from dozens of international vendors - multiplies the risk surface. The question is not whether Indian manufacturers face OT security threats; it is whether they will discover those threats before or after a significant incident.
OT security assessment for Indian enterprisesKey Takeaways
- Manufacturing accounts for 23% of global OT security incidents; India's PLI expansion amplifies this exposure (Dragos, 2025).
- Industry 4.0 deployments create IT/OT convergence by design - security architecture must be built in from the start.
- Supply chain risk is acute for Indian manufacturers with global component sourcing and international vendor support relationships.
- Ransomware targeting Indian manufacturing has caused multi-day production halts costing crores in lost output.
- NCIIPC and CERT-In compliance requirements apply to manufacturers in designated critical sectors including defence, pharmaceuticals, and semiconductors.
What Is the Specific OT Security Risk Profile for Indian Manufacturing?
Indian manufacturing presents a unique OT security risk profile shaped by three factors. First, the technology mix: Indian factories commonly combine very old legacy equipment (pre-2000 PLCs with no security capabilities) with new Industry 4.0 systems (cloud-connected sensors, digital twins, AI-driven quality control) in the same production environment. This creates a heterogeneous OT network where modern and legacy devices must coexist, and where the security controls appropriate for each differ dramatically. Second, the workforce: India has a large, skilled engineering workforce, but OT-specific cybersecurity expertise is scarce. NASSCOM data shows fewer than 5,000 professionals in India with certified OT security skills, against a need measured in the tens of thousands. Third, vendor dependency: Indian manufacturers are heavily dependent on foreign OT equipment vendors for SCADA, DCS, and PLC systems, creating supply chain risk and remote support requirements that expand the attack surface. (NASSCOM, 2025)
The combination of these factors - mixed technology generations, skills scarcity, and vendor dependency - means that Indian manufacturers typically have OT security programmes that are significantly less mature than their IT security programmes, even when the organisation overall has strong cybersecurity governance.
[CHART: Indian manufacturing OT security maturity by sector - automotive, pharma, electronics, steel - Source: Opsio analysis]How Is the PLI Scheme Changing OT Security Requirements?
The Production Linked Incentive scheme covers fourteen sectors: mobile and electronic components, pharmaceuticals, medical devices, automobiles and auto components, advanced chemistry cell batteries, textile products, food processing, telecommunications, white goods, speciality steel, solar PV modules, and two new sectors added in 2025. Each of these sectors has distinct OT environments - a pharmaceutical sterile manufacturing facility has fundamentally different control systems from an automotive body welding line. But all share the characteristic that PLI-funded expansions are deploying new smart manufacturing technology at speed, often without adequate security review.
[UNIQUE INSIGHT] A consistent pattern across PLI project implementations is that cybersecurity requirements are included in tender specifications but evaluated primarily on paper compliance rather than technical depth. Vendors tick boxes confirming IEC 62443 alignment without providing evidence of actual implementation. By the time the facility is operational, the OT security architecture may exist in documentation but not in the actual network configurations. Indian manufacturers should require security verification testing - not just documentation review - as a factory acceptance test condition for new OT systems delivered under PLI contracts.
Sector-Specific OT Risks in PLI Industries
Pharmaceutical manufacturing under PLI presents specific OT risks around process integrity. A compromised batch management system or process historian could enable product tampering without physical access. Regulatory data integrity requirements under Schedule M (Indian GMP) and FDA 21 CFR Part 11 create compliance obligations that overlap with OT security. The consequences of a successful OT attack in pharmaceutical manufacturing include not just production loss but potential product recalls and regulatory action.
Semiconductor manufacturing - a newer PLI sector following India's Semiconductor Mission - presents OT risks around intellectual property theft. Semiconductor fabrication processes are closely guarded trade secrets. Advanced persistent threat groups targeting technology transfer have shown willingness to compromise manufacturing execution systems to extract process parameters and equipment configurations. Indian semiconductor fabrication facilities under construction in Gujarat and Odisha need OT security architectures designed with IP protection as an explicit requirement alongside safety and availability.
OT threat landscape India 2026Need expert help with ot security in indian manufacturing?
Our cloud architects can help you with ot security in indian manufacturing — from strategy to implementation. Book a free 30-minute advisory call with no obligation.
What Makes Automotive OT Security Distinctive in India?
India's automotive sector is one of the world's largest, with a manufacturing ecosystem spanning OEMs including Tata Motors, Mahindra, Maruti Suzuki (Suzuki), and Hyundai, along with thousands of Tier 1 and Tier 2 suppliers. The automotive OT environment is characterised by high-speed automated production lines, robot welding and painting systems, and assembly tracking systems where a line stoppage directly impacts daily production targets measured in thousands of vehicles. Ransomware attacks that halt an automotive production line for even one day can cost an Indian OEM INR 10-50 crore in lost production.
Automotive supply chain connectivity introduces additional OT security risk. Just-in-time production models require real-time data exchange between OEMs and suppliers, creating network connections that span organisational boundaries. A ransomware incident at a Tier 1 brake supplier can propagate through these supply chain connections to affect the OEM's production systems. Indian automotive OEMs and their suppliers need OT security programmes that address both their internal environments and the supply chain connections that link them.
How Should Indian Manufacturers Implement OT Security for Industry 4.0?
Industry 4.0 deployments - IoT sensors, cloud SCADA, AI analytics, digital twins, and autonomous mobile robots - create IT/OT convergence as a design feature, not an accident. Securing these environments requires a security architecture that is built into the system design from the beginning, not added after deployment. Security by design in Indian Industry 4.0 implementations means specifying OT security requirements in system architecture documents, evaluating vendors on security capabilities not just functionality, implementing network segmentation that accounts for new connectivity patterns, and including OT security monitoring as a standard operational tool.
Cloud connectivity for Industry 4.0 requires specific security controls. Data from factory floor sensors sent to cloud analytics platforms must transit through secure, authenticated, encrypted channels. The cloud platform itself must be segmented from other cloud services and protected with OT-appropriate access controls. Remote access by vendors and internal engineers to cloud-connected OT systems must use PAM tools with session recording. CERT-In's incident reporting requirements apply to cloud-connected OT environments, so log collection and retention must be configured to meet the 180-day retention mandate.
Securing Robotics and Automated Production Systems
Industrial robots and automated guided vehicles (AGVs) represent a growing OT security challenge in Indian manufacturing. These systems are networked, programmable, and in some cases internet-connected for vendor support. A compromised robot welding system can produce out-of-specification welds that pass visual inspection but fail in service - a quality and safety risk that is harder to detect than a system outage. Robot system security requires network segmentation, access controls on programming interfaces, and integrity monitoring that detects unauthorised changes to control programs.
[CHART: OT security architecture for Indian smart factory - zones, conduits, and cloud connectivity - Source: Opsio]What Is the Regulatory Landscape for Indian Manufacturing OT Security?
Manufacturing OT security regulation in India comes from multiple sources. NCIIPC oversight applies to manufacturers in sectors designated as critical: defence, certain pharmaceuticals, and key electronics. CERT-In's incident reporting requirements apply universally. Sector-specific regulations add additional requirements: the Drugs and Cosmetics Act for pharmaceuticals, the Explosives Act for mining and pyrotechnics, and export control regulations for defence manufacturers. For Indian manufacturers exporting to the US, EU, or Japan, customer and regulatory requirements from those markets add further OT security obligations.
The Digital Personal Data Protection Act 2023 (DPDPA) creates data protection obligations that intersect with OT systems where employee or process data is collected, stored, or transmitted. Manufacturing execution systems (MES) that track individual workers' production output, and quality management systems that store customer-linked data, may be subject to DPDPA requirements for data protection and breach notification. Indian manufacturers should review their OT data flows against DPDPA requirements as part of their broader OT security programme.
Frequently Asked Questions
What is the biggest OT security risk for Indian manufacturers?
Ransomware is the most immediately impactful threat, with Indian manufacturing facilities having experienced multi-day production halts due to ransomware attacks crossing from IT into OT networks. The underlying vulnerability is inadequate network segmentation between IT and OT environments, which allows ransomware that enters through corporate IT (typically via phishing) to reach production control systems. Industrial espionage targeting PLI-funded technology investments is the second most significant long-term threat. (Dragos, 2025)
How does PLI scheme compliance relate to OT security?
The PLI scheme does not currently include explicit OT cybersecurity requirements as eligibility conditions. However, manufacturers in designated critical sectors must comply with NCIIPC guidelines, which include OT security requirements. PLI investments in defence manufacturing must meet Ministry of Defence cybersecurity requirements. International customer requirements for PLI-beneficiary exporters increasingly include OT security certification. Industry bodies are advocating for PLI scheme guidelines to include baseline OT security requirements in future rounds. (Ministry of Commerce, 2025)
How do we secure OT networks in factories with very old equipment?
Compensating controls are the key for legacy OT equipment that cannot be patched or upgraded. Network segmentation isolates legacy devices, limiting the attack paths that can reach them. Application whitelisting on connected workstations prevents unauthorised code from executing. Passive monitoring detects anomalous behaviour that might indicate compromise. Vendor support access should be tightly controlled through jump servers with session recording. Equipment replacement should be planned as part of capital expenditure cycles, prioritising the highest-risk legacy systems first. (IEC 62443, 2025)
Does CERT-In's six-hour reporting apply to manufacturing OT incidents?
Yes. CERT-In's April 2022 cybersecurity directions apply to all organisations and incidents affecting critical information infrastructure, which includes manufacturers in designated critical sectors. More broadly, the directions apply to any data breach or security incident meeting the defined criteria. Manufacturing OT incidents - particularly those affecting production control systems - typically meet those criteria. Manufacturers should ensure their OT incident response plans include CERT-In reporting procedures and that responsible personnel are identified and trained. (CERT-In, 2022)
What OT security budget should Indian manufacturers plan for?
OT security investment for Indian manufacturers typically runs 1-2% of annual production asset value for a foundational programme. For a facility with INR 500 crore in production equipment, this means INR 5-10 crore for initial programme establishment (assessment, segmentation, monitoring). Ongoing operational costs for monitoring and incident response are typically INR 1-3 crore annually for a mid-sized facility. These figures should be compared against the cost of an OT incident: a single ransomware event causing five days of downtime at a major Indian manufacturer would typically cost INR 25-100 crore in lost production alone. (Ponemon Institute, 2024)
Building OT Security into India's Manufacturing Future
India's manufacturing ambition - PLI, Make in India, Atmanirbhar Bharat - is being built on digital foundations. The smart factories, automated production lines, and connected supply chains that will make Indian manufacturing globally competitive are the same systems that need OT security investment to remain trustworthy and resilient. Security is not in tension with this ambition - it is the prerequisite for sustaining it.
The Indian manufacturers that will lead global competition in their sectors over the next decade are those building security into their OT infrastructure now, not retrofitting it after an incident. OT security is infrastructure investment with returns measured in avoided disruption, protected IP, maintained customer trust, and regulatory compliance. The cost of getting it right is far lower than the cost of getting it wrong.
To discuss OT security for your manufacturing operations, visit our ot security services India.
For hands-on delivery in India, see managed ai security compliance.
For hands-on delivery in India, see Opsio's pharma packaging-line engineering.
About the Author
Country Manager, Sweden at Opsio
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.