OT Threat Landscape India 2026: What CERT-In Data Reveals
Country Manager, Sweden
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

India's operational technology environments face a threat landscape more active and more sophisticated than at any previous point. CERT-In recorded a 15% year-on-year increase in cyber incidents affecting critical infrastructure in 2024-25, with energy, manufacturing, and transport sectors collectively accounting for over 40% of reported events. These are not opportunistic nuisances - they are targeted campaigns by well-resourced actors who understand that disrupting India's industrial infrastructure carries strategic and economic leverage far beyond the value of any data stolen.
The global context amplifies the Indian risk. Dragos's 2025 Year in Review identified 23 distinct threat groups actively targeting industrial control systems globally, with four having demonstrated specific interest in Indian infrastructure. The OT security market's 16.5% CAGR (MarketsandMarkets, 2025) reflects both the growing attack surface and the growing recognition that OT threats require specialised defences that legacy IT security tools cannot provide.
Key Takeaways
- CERT-In recorded a 15% rise in critical infrastructure cyber incidents in 2024-25; energy and manufacturing lead the affected sectors.
- Four Dragos-tracked OT threat groups have demonstrated specific targeting of Indian industrial infrastructure (Dragos, 2025).
- Ransomware now deliberately targets OT environments to maximise operational disruption and payment pressure.
- Nation-state actors use OT intrusions for pre-positioning - establishing persistent access before geopolitical tensions escalate.
- India's expanding PLI manufacturing base and digital grid modernisation are increasing the OT attack surface faster than defences are being built.
Who Is Targeting Indian OT Infrastructure?
Indian OT infrastructure faces threats from three distinct actor categories, each with different motivations, capabilities, and targets. Nation-state actors conduct long-duration intrusion campaigns aimed at strategic positioning and intelligence gathering in India's energy and defence industrial base. Financially motivated cybercriminal groups deploy ransomware and extortion attacks targeting sectors where operational disruption creates maximum payment pressure. Hacktivists and low-sophistication actors attack visible infrastructure targets for ideological or reputational purposes. CERT-In's advisory history shows all three categories active against Indian targets. (CERT-In, 2025)
The distinction matters for defence. Nation-state actors use sophisticated, low-and-slow techniques designed to avoid detection for months or years. Criminal ransomware operators move fast and noisily once they have initial access. Hacktivists typically focus on disruption rather than persistence. Each requires a different detection and response approach, which is why Indian OT security programmes need both long-term behavioural monitoring and rapid incident response capabilities.
[CHART: Threat actor matrix - type, motivation, primary targets in India 2025-26 - Source: CERT-In / Dragos]
What Did the Mumbai Power Incident Reveal About India's OT Threat?
The October 2020 power outage in Mumbai became a watershed moment for Indian OT security after Recorded Future reported, in February 2021, that a Chinese state-sponsored group it tracks as RedEcho had been targeting Indian power sector networks in the months around the outage. Recorded Future documented RedEcho infrastructure in contact with ten Indian power sector organisations, including four of the five Regional Load Despatch Centres and NTPC - the pattern of an actor establishing persistent access that could be activated in response to geopolitical triggers. The report itself stopped short of attributing the Mumbai outage to RedEcho, and India's Ministry of Power stated that the intrusion attempts caused no operational impact; the strategic lesson does not depend on that question, because the access was in place either way. (Recorded Future, 2021)
The RedEcho campaign demonstrated several capabilities that Indian critical infrastructure operators must plan against. First, the ability to pre-position access months or years before any activation. Second, specific knowledge of Indian grid architecture sufficient to target load despatch centres and grid control systems rather than generic corporate assets. Third, the use of command-and-control infrastructure associated with the ShadowPad backdoor (tracked by Recorded Future as AXIOMATICASYMPTOTE) that is shared across several Chinese state-sponsored groups, which both blends with ordinary encrypted traffic and complicates attribution. CERT-In issued multiple follow-on advisories specifically about APT groups targeting the Indian power sector.
Pre-Positioning as a Strategic Threat
Pre-positioning is the most strategically dangerous OT threat facing India. An actor who has already established persistent access to ONGC's production control systems, Indian Railways' Operations Control Centres, or NTPC's grid management systems holds a capability that can be activated during a crisis without requiring any new intrusion. The detection challenge is significant: pre-positioned malware in OT networks can remain dormant for years, communicating only occasionally through legitimate channels, and evading monitoring tools that look for active attack patterns rather than quiet persistence.
Dragos's 2025 OT threat intelligence identified pre-positioning behaviour as the most prevalent OT-specific tactic globally, used by nine of the twenty-three tracked threat groups. Indian OT security programmes must include threat hunting capabilities specifically designed to detect dormant implants and persistent access mechanisms.
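The hunting requirement above - finding implants that check in rarely and quietly - is easier to reason about with concrete detection logic. The following Python is added here as an illustration and is not CERT-In, Dragos or the article's own tooling: it scores outbound connections from an assumed control-network range (10.20.0.0/16) by the regularity of their spacing rather than by volume, because a check-in every twelve hours never trips a rate threshold. The flow records, the subnet and the destination allow-list are constructed and should be replaced with local values.

```python
"""Hunt for quiet, periodic beacons in egress flow records from an OT network.

Added example for this article; it is not CERT-In, Dragos or vendor tooling.
The flow records below are constructed. The control-network range, the
destination allow-list and the CSV layout are assumptions to adapt locally.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

OT_NET = ip_network("10.20.0.0/16")            # assumed Purdue level 2/3 range
ALLOWED_DST = (ip_network("10.20.0.0/16"),     # intra-OT traffic
               ip_network("10.10.5.0/24"))     # assumed historian / IDMZ segment

# Constructed records: ts,src,dst,dst_port,bytes. The engineering workstation
# 10.20.1.15 contacts 203.0.113.7 roughly every 12 hours with a few hundred
# bytes - the shape of a dormant implant's check-in. Everything else is
# routine historian replication plus one stray external connection.
FLOWS = """\
2025-11-01T00:02:10Z,10.20.1.15,203.0.113.7,443,612
2025-11-01T00:03:00Z,10.20.1.15,10.10.5.20,1433,48120
2025-11-01T06:10:41Z,10.20.1.16,10.10.5.20,1433,51002
2025-11-01T09:00:00Z,10.20.1.16,198.51.100.9,443,1024
2025-11-01T12:01:55Z,10.20.1.15,203.0.113.7,443,598
2025-11-01T12:30:00Z,10.20.1.15,10.10.5.20,1433,47311
2025-11-02T00:02:30Z,10.20.1.15,203.0.113.7,443,605
2025-11-02T12:02:05Z,10.20.1.15,203.0.113.7,443,621
2025-11-03T00:01:48Z,10.20.1.15,203.0.113.7,443,599
"""


def parse_flows(text):
    """Parse ts,src,dst,port,bytes lines into dicts with aware datetimes."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, size = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "src": src, "dst": dst, "port": int(port), "bytes": int(size)})
    return rows


def _allowed(dst):
    return any(ip_address(dst) in net for net in ALLOWED_DST)


def external_contacts(flows):
    """Every (src, dst) pair where an OT host reached a non-allow-listed
    address. On a properly segmented network this list should be empty,
    so each entry deserves an explanation before any statistics are run."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if ip_address(f["src"]) in OT_NET and not _allowed(f["dst"])})


def find_beacons(flows, min_hits=4, max_cv=0.15, min_interval_s=3600):
    """Return {(src, dst): stats} for external contacts whose timing is too
    regular to be human. The filter is the coefficient of variation of the
    gaps between connections, not rate or volume."""
    stamps = defaultdict(list)
    for f in flows:
        if ip_address(f["src"]) in OT_NET and not _allowed(f["dst"]):
            stamps[(f["src"], f["dst"])].append(f["ts"])
    found = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if avg >= min_interval_s and cv <= max_cv:
            found[pair] = {"hits": len(times), "mean_interval_s": avg,
                           "cv": round(cv, 4)}
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for pair in external_contacts(flows):
        print("external contact:", *pair)
    for pair, stats in find_beacons(flows).items():
        print("periodic beacon:", *pair, stats)
```

Run against a week or more of egress records: the stray single connection from 10.20.1.16 surfaces in the allow-list check, while the twelve-hourly pair from 10.20.1.15 is the one the regularity test isolates. Raise min_hits and widen the window for slower beacons; an implant that checks in weekly needs months of retained flow data before this test can fire, which is itself an argument for long flow retention on OT egress points.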
How Is Ransomware Evolving to Target Indian OT?
Ransomware operators increasingly target OT environments deliberately, because operational disruption creates far more payment leverage than data encryption alone. When a manufacturing line stops, every hour has a cost. When a utility's SCADA system is compromised, regulatory and public pressure to restore operations quickly is enormous, and paying is sometimes perceived as faster than rebuilding. Dragos found that 32% of ransomware incidents in 2024 had a confirmed or suspected OT impact, up from 13% in 2022. (Dragos, 2025)
Indian organisations have experienced significant ransomware incidents with OT dimensions. The AIIMS Delhi incident of November 2022, while primarily affecting patient management systems, illustrated the interconnected nature of healthcare IT and medical devices. Ransomware attacks on Indian pharmaceutical manufacturers in 2023-24 caused production halts measured in days. The automotive sector has seen supplier-side ransomware incidents cascade into OT disruptions at Tier 1 suppliers serving major Indian OEMs.
Ransomware Tactics Specific to OT Environments
Modern ransomware groups targeting OT environments have developed OT-specific capabilities. Some map the OT network before encrypting so that the engineering workstations, historians and backup servers a restoration would depend on are all hit in the same run, leaving operators unable to restore from backup without rebuilding the control layer itself. Others target historian servers and engineering workstations specifically because those systems straddle IT and OT networks and so offer the shortest path for lateral movement. Some groups keep a separate foothold in OT after deploying ransomware on IT systems and threaten to use it if the ransom is not paid.
Indian organisations in manufacturing, pharmaceuticals, and utilities should assume that ransomware operators targeting their sector will have OT-specific playbooks. This means OT systems need independent backup and recovery capabilities, not just reliance on enterprise IT backup systems that the same ransomware may have compromised.
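"Independent backup and recovery" is only meaningful if the recovery set can be trusted after the same attacker has been through the IT estate. The Python below is an added example, not the article's or any backup product's code: it hashes the files needed to rebuild a cell (PLC project exports, HMI configuration), seals the hash list with an HMAC whose key is assumed to be generated and kept on offline media, and later reports files that vanished, changed, or now look like ciphertext. The file names, contents and the simulated ransomware run are all constructed.

```python
"""Seal and verify an OT recovery set independently of the enterprise backup.

Added example for this article; it is not from the page's sources or any
backup product. File names and contents are made up. The HMAC key is
assumed to be generated offline and never stored on the backed-up host.
"""
import hashlib
import hmac
import json
import math
import os
import tempfile
from pathlib import Path

ENTROPY_ALERT = 7.2   # bits per byte; XML and L5X exports sit far below this


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data):
    """Shannon entropy in bits per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key):
    """HMAC over the canonical manifest, so an attacker who can rewrite the
    hash list cannot also bless their own files without the offline key."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(root, manifest, tag, key):
    """Check live files against the sealed manifest. A bad tag means the
    manifest itself cannot be trusted, so nothing else is reported."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return {"manifest_ok": False}
    current = build_manifest(root)
    report = {
        "manifest_ok": True,
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
        "high_entropy": [],
    }
    # Ciphertext-like content separates an encryption run from a legitimate
    # engineering change, which is the difference between restore and review.
    for rel in report["changed"] + report["unexpected"]:
        if byte_entropy((root / rel).read_bytes()) >= ENTROPY_ALERT:
            report["high_entropy"].append(rel)
    return report


def demo():
    """Seal a recovery set, then simulate a ransomware run plus one setpoint edit."""
    key = os.urandom(32)   # assumed: generated offline, held on removable media
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc").mkdir()
        (root / "hmi").mkdir()
        (root / "plc" / "line3_main.l5x").write_text("<RSLogix5000Content Name='Line3'/>\n" * 50)
        (root / "hmi" / "station2.xml").write_text("<Setpoint tag='TT101' hi='85'/>\n" * 20)
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        # Simulated ransomware: project replaced by ciphertext; HMI limit edited.
        (root / "plc" / "line3_main.l5x").unlink()
        (root / "plc" / "line3_main.l5x.locked").write_bytes(os.urandom(4096))
        (root / "hmi" / "station2.xml").write_text("<Setpoint tag='TT101' hi='120'/>\n" * 20)
        report = verify(root, manifest, tag, key)
        # A manifest an attacker edited to bless the new file fails the seal.
        forged = {**manifest, "plc/line3_main.l5x.locked": "0" * 64}
        forged_report = verify(root, forged, tag, key)
    return report, forged_report


if __name__ == "__main__":
    live, forged = demo()
    print(json.dumps(live, indent=2))
    print("forged manifest accepted:", forged["manifest_ok"])
```

The manifest and its tag are small enough to print and file with the cell's drawings; the key belongs with them, not on the engineering workstation or the enterprise backup server. The entropy test is deliberately a second signal rather than the primary one: a changed hash with ordinary entropy is an engineering change to review, a changed hash with near-8-bit entropy is an encryption run to restore from.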
[CHART: Ransomware impact on OT - % of incidents with OT involvement 2022-2025 - Source: Dragos]
What Are the Sector-Specific Threats in India?
Different Indian industrial sectors face distinct threat profiles based on their strategic value, interconnectedness, and security maturity. The energy sector - power generation, transmission, and distribution - is the highest-profile target because of its societal dependency and the demonstrated interest of nation-state actors. The grid management systems of Grid-India (formerly POSOCO) and the state distribution companies' SCADA deployments are high-value targets. CERT-In has issued sector-specific advisories for power sector organisations covering specific malware families and attack techniques observed against Indian grid assets. (CERT-In, 2025)
The oil and gas sector faces targeted intrusions against SCADA systems controlling production, pipelines, and refinery processes. ONGC's offshore platforms and onshore installations, Reliance Industries' Jamnagar complex, and the GAIL pipeline network all represent high-value OT targets. A successful attack on a refinery control system can cause physical damage through process manipulation, not just data disruption. The 2021 Oldsmar, Florida water treatment incident - in which the sodium hydroxide dosing setpoint was raised through a remotely accessible HMI - showed the life-safety consequences an OT intrusion can have, even though later statements by city officials suggested the change may have been an employee error rather than an outside attack; either way, the exposure of the control interface was the condition that made it possible.
Manufacturing and PLI Sector Threats
India's PLI scheme is driving rapid expansion of smart manufacturing capabilities across semiconductors, electronics, pharmaceuticals, and automotive sectors. This expansion is increasing the OT attack surface faster than security controls are being built. New facilities are deploying Industry 4.0 architectures with cloud-connected SCADA, digital twins, and remote monitoring - creating OT/IT convergence by design but often without adequate security architecture. Supply chain espionage targeting Indian semiconductor and defence manufacturing has been documented by multiple intelligence agencies.
A pattern we observe consistently across Indian PLI-funded manufacturing projects is that OT security requirements are specified in procurement documents but rarely enforced in delivery. Equipment vendors propose connectivity features that business teams accept without understanding the security implications. The result is smart factories that connect to vendor cloud platforms through configurations that were never reviewed by security teams. This is an industry-wide gap that NCIIPC guidelines are beginning to address through sector-specific OT security requirements for new facility approvals.
How Are Threats Entering Indian OT Networks?
CERT-In's analysis of OT-related incidents consistently identifies five primary initial access vectors in Indian environments. Spear-phishing targeting engineers, operators, and management who have or can access OT systems accounts for the largest share. Remote access exploitation - attacking VPN gateways, remote desktop services, and vendor support connections to OT networks - is the second most common. Supply chain compromise through vendor software updates or contractor devices is third. Physical access through USB drives or unauthorised devices brought onto plant floors remains significant. Internet-exposed OT devices, where configuration errors have left SCADA interfaces accessible from the public internet, constitute a smaller but extremely high-risk category. (CERT-In, 2025)
Shodan scans routinely find Indian SCADA systems and industrial devices accessible from the internet without authentication. CERT-In issues periodic advisories about internet-exposed industrial control systems in India. Despite these warnings, the number of exposed devices persists because organisations do not have adequate visibility into their OT network perimeters and do not conduct regular external attack surface assessments.
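An external attack surface assessment is mostly a matter of reading scan output for industrial ports and then confirming what answers there. The Python below is an added example, not from the article's sources or any scanner: it triages constructed masscan-style output for common ICS ports, builds a Modbus/TCP Read Device Identification request, and parses a constructed reply from a fictional device. The point it makes is that Modbus/TCP carries no authentication, so the request an engineering tool sends on the plant floor works from anywhere that can reach port 502 - which is why exposure is the whole risk. The IP addresses are documentation ranges and the port-to-protocol table is a starting list, not an exhaustive one.

```python
"""What an internet-exposed Modbus/TCP endpoint tells an unauthenticated caller.

Added example for this article, not from the page's sources or any scanner.
The scan output and the device reply are constructed; addresses are from
documentation ranges. The port table is an assumption to extend locally.
"""
import socket
import struct

# Ports that identify common ICS protocols in external scan output.
ICS_PORTS = {102: "Siemens S7 (ISO-TSAP)", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet/IP"}

OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}

# Constructed, masscan-style list output for an assumed public range.
SCAN_OUTPUT = """\
open tcp 443 198.51.100.10 1730000000
open tcp 502 198.51.100.23 1730000001
open tcp 102 198.51.100.23 1730000002
open udp 47808 198.51.100.40 1730000003
"""


def triage(scan_text):
    """Pull (ip, port, protocol) for every ICS port in the scan output."""
    hits = []
    for line in scan_text.strip().splitlines():
        state, _proto, port, ip = line.split()[:4]
        if state == "open" and int(port) in ICS_PORTS:
            hits.append((ip, int(port), ICS_PORTS[int(port)]))
    return hits


def build_identification_request(tid=1, unit=1):
    """Read Device Identification (FC 0x2B, MEI 0x0E, basic objects from id 0)
    wrapped in an MBAP header. There are no credentials to include."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_identification_response(data):
    """Decode the MBAP header and the identification objects, rejecting
    exception responses, wrong function codes and truncated frames."""
    if len(data) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:
        raise ValueError("malformed MBAP header")
    fc = data[7]
    if fc == 0xAB:                       # 0x2B with the exception bit set
        raise ValueError(f"exception response, code 0x{data[8]:02x}")
    if fc != 0x2B or data[8] != 0x0E or len(data) < 14:
        raise ValueError("not a device identification response")
    read_code, conformity, more_follows, next_id, count = data[9:14]
    objects, pos = {}, 14
    for _ in range(count):
        oid, olen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object")
        objects[OBJECT_NAMES.get(oid, f"object_{oid:02x}")] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"tid": tid, "unit": unit, "conformity": conformity,
            "more_follows": bool(more_follows), "objects": objects}


def sample_response(tid=1, unit=1):
    """Constructed reply from a fictional device so the parser runs offline."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"v2.3")]
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)])
    for oid, val in objs:
        pdu += bytes([oid, len(val)]) + val
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def probe(host, port=502, unit=1, timeout=3.0):
    """Ask a live endpoint to identify itself. Use only against addresses your
    organisation owns and has authorised for assessment."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_identification_request(unit=unit))
        return parse_identification_response(s.recv(260))


if __name__ == "__main__":
    for ip, port, name in triage(SCAN_OUTPUT):
        print(f"{ip}:{port} exposed {name}")
    print(parse_identification_response(sample_response())["objects"])
```

A vendor name and product code returned to an unauthenticated request from the internet is the finding; what to do with it is the same in every case, which is to remove the exposure rather than try to harden a protocol that has nothing to harden. Run the probe only from an assessment host against ranges you own, because even a read-only identification request shows up in a vendor's logs as a connection from outside.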
The Insider Threat in Indian OT
Insider threats in Indian OT environments take two forms: malicious insiders who deliberately cause harm, and negligent insiders whose actions inadvertently create vulnerabilities. Negligent insiders are far more common - the engineer who connects a personal laptop to the control network for convenience, the operator who shares passwords to avoid delay during shift changes, or the contractor who installs remote access software on an OT workstation to make their job easier. These behaviours create vulnerabilities that external actors can exploit, and they are the result of inadequate security culture and policy enforcement rather than malicious intent.
Frequently Asked Questions
Which Indian sectors face the highest OT security risk in 2026?
The energy sector - power generation, transmission, and distribution - faces the highest documented threat activity, with multiple nation-state groups demonstrated to have targeted Indian grid infrastructure. Oil and gas is the second highest-risk sector based on strategic value and documented intrusion history. Manufacturing facilities under the PLI scheme face growing espionage-motivated intrusions as India's semiconductor and defence manufacturing capabilities expand. Water utilities face lower sophistication threats but have minimal security maturity. (CERT-In, 2025)
Has India experienced confirmed OT cyber attacks?
Yes. Recorded Future's 2021 reporting documented the Chinese state-sponsored RedEcho group establishing access to ten Indian power sector organisations, activity it noted alongside the October 2020 Mumbai outage without confirming that the two were connected. Multiple ransomware incidents at Indian manufacturers and healthcare organisations have had OT dimensions. CERT-In has documented numerous intrusion campaigns targeting Indian critical infrastructure OT systems, though full details are not publicly disclosed for operational security reasons. (Recorded Future, 2021)
What OT malware families specifically target Indian infrastructure?
CERT-In advisories have specifically warned about INCONTROLLER (PIPEDREAM), TRITON/TRISIS (targeting safety instrumented systems), and various commodity malware families adapted for OT environments. Dragos-tracked groups such as KAMACITE and ERYTHRITE target industrial organisations' networks, though only a small number of the groups Dragos tracks have demonstrated malware built to act on control systems directly. Nation-state toolkits targeting industrial control systems continue to evolve, with new capabilities documented annually. (CERT-In, 2025)
How quickly do OT attackers move from initial access to impact?
This varies significantly by threat actor type. Nation-state actors conducting pre-positioning campaigns may maintain access for months or years before any disruptive action. Ransomware operators typically move from initial IT access to OT impact within days to weeks once they have mapped the target network. The fastest OT attacks documented have moved from phishing email to SCADA access within 24 hours when networks lacked adequate segmentation. This speed underscores the importance of network segmentation as a containment control. (Dragos, 2025)
Where can Indian organisations get OT threat intelligence?
CERT-In publishes advisories specifically about threats to Indian critical infrastructure, including OT-relevant threats. NCIIPC shares threat intelligence with designated Critical Information Infrastructure operators through formal channels. Commercial OT threat intelligence from Dragos, Claroty, and Mandiant provides global context with Indian-specific coverage. ISAC (Information Sharing and Analysis Centre) forums for the power and financial sectors provide peer information sharing. CISA's ICS advisories (formerly published under ICS-CERT) on industrial system vulnerabilities are publicly available and globally relevant. (CERT-In, 2025)
India's OT Threat Landscape: What Comes Next
The OT threat landscape in India will intensify in 2026 and beyond. India's industrial expansion under the National Infrastructure Pipeline, smart cities build-out, and PLI manufacturing growth are all increasing the connected OT attack surface. Geopolitical tensions in India's neighbourhood maintain the motivation of state-sponsored actors to pre-position access in critical infrastructure. Ransomware economics continue to make industrial targets attractive for financially motivated groups.
The defensive response must match this trajectory. Indian organisations need threat intelligence to understand what is coming, detection capabilities to find threats already present in their networks, and response capabilities to contain and recover from incidents that CERT-In's data makes clear are not hypothetical. The organisations that build these capabilities now, before an incident, will be far better positioned than those that react after the fact.
About the Author

Country Manager, Sweden at Opsio