Opsio - Cloud and AI Solutions

OT Security Risks in India: A Reference Guide for 2026

Fredrik Karlsson

Group COO & CISO

Reviewed by Opsio Engineering Team



India's operational technology (OT) environments face a defined set of security risks that CERT-In data, industry research, and security assessments have consistently documented, and that every Indian industrial organisation should understand before designing a security programme. The global OT security market is projected to grow at a 16.5% CAGR to USD 25 billion in 2026 (MarketsandMarkets, 2025), which gives a sense of the investment required to address these risks across industrial sectors worldwide. India's exposure scales with its industrial base and is growing rapidly, because critical infrastructure expansion and Industry 4.0 adoption are enlarging the OT attack surface faster than security controls are being deployed.

Key Takeaways

  • 60% of OT organisations globally reported a security incident in 2025; India's rate is consistent with this global figure (Dragos, 2025).
  • The seven primary OT risk categories are: threat actors, legacy technology, IT/OT convergence, remote access, supply chain, insider threats, and regulatory non-compliance.
  • India-specific risks include nation-state targeting of energy infrastructure and the security gaps created by rapid PLI sector expansion.
  • CERT-In advisories provide India-specific intelligence on active OT threats that should be integrated into every Indian OT security programme.
  • Risk prioritisation must account for India-specific context: CERT-In's reporting requirements, NCIIPC's CII designations, and India's industrial threat landscape.
[IMAGE: OT threat landscape India 2026 - CERT-In data]

What Are the Seven Primary OT Security Risk Categories for India?

Seven risk categories account for the vast majority of OT security incidents affecting Indian organisations, based on CERT-In's advisory and incident data. Understanding each category helps organisations prioritise their security investment and design controls that address actual risks rather than theoretical threats.

Risk 1: Sophisticated Threat Actors Targeting India

India faces OT threats from nation-state actors, financially motivated cybercriminals, and hacktivists. Nation-state actors, particularly APT groups attributed to China and Pakistan, have shown sustained and well-documented interest in Indian critical infrastructure OT. The RedEcho campaign against Indian power sector organisations (2020-21), reported by Recorded Future, established that nation-state actors have operational OT capabilities and have deployed them against Indian targets. Financially motivated ransomware groups target Indian industrial organisations because production disruption creates payment pressure. CERT-In documented a 15% year-on-year increase in critical infrastructure cyber incidents in 2024-25 (CERT-In, 2025).

Risk 2: Legacy OT Technology with Known Vulnerabilities

India's industrial base includes OT equipment ranging from pre-2000 devices with no security capabilities to current-generation systems with modern security features. The average Indian OT environment carries 6.6 unmitigated vulnerabilities per device (Claroty, 2024). Legacy devices cannot be patched on IT timelines; they need compensating controls (network isolation, protocol-aware monitoring, and tightly restricted engineering access) for the duration of their operational lives, often decades, and they represent a persistent exposure that attackers familiar with Indian industrial ecosystems can target reliably.

Risk 3: IT/OT Convergence Without Adequate Security Architecture

96% of OT environments have IT network connections (Dragos, 2025). In India, Industry 4.0 adoption, remote monitoring expansion, and smart city deployments are accelerating this convergence. Without adequate network segmentation, an IT compromise can reach OT systems through lateral movement; the practical test is whether any host on the enterprise network can open a connection directly to a controller or engineering workstation without passing through a DMZ. Indian manufacturing's PLI expansion is creating new IT/OT convergence that often lacks the security architecture needed to manage the resulting risk.
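The segmentation test described above can be run mechanically against firewall or NetFlow exports. The following is an added example written for this guide, not code from the article or from any vendor: it assumes a three-tier IT / DMZ / OT layout with hypothetical address ranges and an explicit allow list of cross-zone flows, and flags anything that crosses a zone boundary without being on that list (direct IT-to-OT connections that bypass the DMZ, and OT hosts talking to external addresses). The flow records are constructed for the example.

```python
"""Audit firewall/NetFlow records against an IT/DMZ/OT segmentation policy."""
import csv
import io
import ipaddress

# Assumed zone layout (hypothetical address ranges, not taken from the article).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}

# Explicitly permitted cross-zone flows: (src_zone, dst_zone, proto, dport).
# Anything that crosses a zone boundary and is not listed here is a finding.
ALLOWED_CROSS_ZONE = {
    ("IT", "DMZ", "tcp", 443),    # IT users -> DMZ historian web front end
    ("IT", "DMZ", "tcp", 3389),   # IT admins -> DMZ jump host only
    ("DMZ", "OT", "tcp", 502),    # DMZ historian collector polls PLCs (Modbus/TCP)
    ("DMZ", "OT", "tcp", 3389),   # jump host -> engineering workstation
    ("OT", "DMZ", "tcp", 443),    # OT pushes telemetry up to the historian
}


def zone_of(ip: str) -> str:
    """Map an address to IT/DMZ/OT, or 'EXTERNAL' if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "EXTERNAL"


def check_flow(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return ('allow' | 'violation', reason) for one flow record."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow", f"intra-zone {s} traffic"
    if s == "OT" and d == "EXTERNAL":
        return "violation", "OT host talking directly to an external address"
    if s == "EXTERNAL":
        return "violation", f"inbound from external address into {d}"
    if s == "IT" and d == "EXTERNAL":
        return "allow", "IT egress is outside the OT audit scope"
    if (s, d, proto, dport) in ALLOWED_CROSS_ZONE:
        return "allow", f"{s}->{d} {proto}/{dport} is on the allow list"
    if s == "IT" and d == "OT":
        return "violation", f"direct IT->OT {proto}/{dport} bypasses the DMZ"
    return "violation", f"{s}->{d} {proto}/{dport} not on the allow list"


def audit(flow_csv: str) -> list[dict]:
    """Run check_flow over CSV flow records and return only the violations."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        verdict, reason = check_flow(row["src"], row["dst"], row["proto"], int(row["dport"]))
        if verdict == "violation":
            findings.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                             "dport": int(row["dport"]), "reason": reason})
    return findings


# Constructed sample export for the example (not real traffic): ts,src,dst,proto,dport
SAMPLE_FLOWS = """ts,src,dst,proto,dport
2026-01-12T09:00:01,10.10.4.25,10.20.0.10,tcp,443
2026-01-12T09:00:05,10.10.4.25,192.168.100.21,tcp,445
2026-01-12T09:01:10,10.10.7.9,192.168.100.50,tcp,3389
2026-01-12T09:02:00,10.20.0.10,192.168.100.21,tcp,502
2026-01-12T09:02:30,192.168.100.50,8.8.8.8,udp,53
2026-01-12T09:03:00,192.168.100.50,192.168.100.21,tcp,502
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

On the sample data the audit reports three violations: two direct IT-to-OT connections (SMB and RDP) that should have gone through the DMZ jump host, and a controller-subnet host resolving DNS on the internet. The allow list is deliberately positive: the audit does not try to enumerate bad flows, it enumerates the few flows the architecture permits and treats everything else as a finding.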

[CHART: OT risk categories and Indian sector exposure matrix - Source: CERT-In / Opsio]

Risk 4: Remote Access Exploitation

Remote access to OT systems has become a permanent feature of Indian industrial operations, expanded dramatically by COVID-19 and sustained by efficiency and monitoring requirements. VPN exploitation, RDP-based attacks, and vendor remote access abuse consistently appear in CISA's and CERT-In's lists of top OT attack vectors. Indian facilities that have remote access configured for vendor support but lack MFA, session monitoring, and time-bound access controls provide persistent attack paths that sophisticated actors can exploit at their convenience.
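The three missing controls named above (MFA, session monitoring, and time-bound access) can be checked from the remote-access gateway's own logs. The following is an added example written for this guide, not code from the article or from any gateway product: it assumes a constructed syslog-style line format, hypothetical vendor account names, and a hypothetical change-ticket register of approved maintenance windows. It flags vendor sessions established without MFA, vendor sessions to an asset or at a time that no change ticket covers, and bursts of failed logins from one source (credential guessing against the gateway). The log lines are constructed for the example.

```python
"""Audit vendor remote-access sessions on an OT gateway for policy violations."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed gateway log format (constructed for this example, not a real product's):
#   <iso-ts> <host> session: user=<u> src=<ip> mfa=<yes|no> target=<asset> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) target=(?P<target>\S+) result=(?P<result>ok|fail)$"
)

# Hypothetical approved change windows: ticket -> (vendor account, asset, start, end).
APPROVED_WINDOWS = {
    "CHG-1042": ("vendor-siemens", "eng-ws-01",
                 datetime(2026, 1, 12, 22, 0), datetime(2026, 1, 13, 2, 0)),
}
FAIL_THRESHOLD = 3                  # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this span from one source is a finding


def parse_line(line: str):
    """Parse one gateway log line into a dict, or None if it is not a session record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_vendor(user: str) -> bool:
    # Assumption: third-party support accounts are named with a "vendor-" prefix.
    return user.startswith("vendor-")


def covering_ticket(user: str, target: str, ts: datetime):
    """Return the ticket whose window covers this user/asset/time, else None."""
    for ticket, (u, asset, start, end) in APPROVED_WINDOWS.items():
        if u == user and asset == target and start <= ts <= end:
            return ticket
    return None


def check_session(ev: dict) -> list:
    """Policy rules for an established (result=ok) vendor session."""
    reasons = []
    if not is_vendor(ev["user"]) or ev["result"] != "ok":
        return reasons
    if ev["mfa"] == "no":
        reasons.append("vendor session without MFA")
    if covering_ticket(ev["user"], ev["target"], ev["ts"]) is None:
        reasons.append(f"no approved change window for {ev['target']} at this time")
    return reasons


def audit(log_text: str) -> list:
    """Run the session rules and the failed-login burst rule over a log; return findings."""
    findings = []
    recent_fails = defaultdict(list)  # src ip -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = check_session(ev)
        if ev["result"] == "fail":
            fails = recent_fails[ev["src"]]
            fails.append(ev["ts"])
            fails[:] = [t for t in fails if ev["ts"] - t <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                reasons.append(f"{len(fails)} failed logins within "
                               f"{FAIL_WINDOW.seconds // 60} min from {ev['src']}")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": ev["src"], "target": ev["target"], "reasons": reasons})
    return findings


# Constructed sample log for the example (hypothetical accounts, hosts and addresses).
SAMPLE_LOG = """\
2026-01-12T22:15:00 otgw session: user=vendor-siemens src=203.0.113.10 mfa=yes target=eng-ws-01 result=ok
2026-01-13T03:30:00 otgw session: user=vendor-siemens src=203.0.113.10 mfa=yes target=eng-ws-01 result=ok
2026-01-14T11:05:00 otgw session: user=vendor-abb src=198.51.100.7 mfa=no target=plc-hmi-02 result=ok
2026-01-14T11:06:00 otgw session: user=ops.rkumar src=10.10.4.25 mfa=yes target=eng-ws-01 result=ok
2026-01-15T02:00:00 otgw session: user=vendor-abb src=198.51.100.7 mfa=yes target=plc-hmi-02 result=fail
2026-01-15T02:00:40 otgw session: user=vendor-abb src=198.51.100.7 mfa=yes target=plc-hmi-02 result=fail
2026-01-15T02:01:15 otgw session: user=vendor-abb src=198.51.100.7 mfa=yes target=plc-hmi-02 result=fail
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']} -> {f['target']}: {'; '.join(f['reasons'])}")
```

On the sample log the first vendor session is clean (MFA, inside its change window), the second is the same account returning after the window closed, the third is a session with neither MFA nor a ticket, and the last is a burst of three failed logins within two minutes from one address. Tying vendor access to a change ticket is what makes the "time-bound" control auditable: a session outside any ticket is a finding even when the credentials and MFA were valid.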

Risk 5: Supply Chain Compromise

Indian industrial OT is heavily dependent on foreign-manufactured equipment from Siemens, ABB, Honeywell, Yokogawa, and Rockwell Automation. Supply chain compromise at the firmware, software, or component level can introduce persistent access that routine patching does not remove and that can survive device replacement. The SolarWinds attack demonstrated the scale of damage possible from supply chain compromise in IT environments; OT supply chain attacks carry the additional consequence of potential physical process manipulation.

Risk 6: Insider Threats and Human Error

Insider threats in Indian OT environments are predominantly negligent rather than malicious: engineers connecting personal devices to OT networks, operators sharing credentials, and contractors installing unauthorised remote access tools create vulnerabilities that external actors can exploit. Malicious insiders, though rarer, already hold the OT access that external attackers must work to acquire, which makes them disproportionately dangerous in high-consequence environments. Security awareness, individual (non-shared) accounts, and access controls are the primary mitigations.

Risk 7: Regulatory Non-Compliance Risk

Non-compliance with CERT-In's six-hour reporting requirement, NCIIPC CII protection guidelines, and sector-specific regulatory requirements creates regulatory risk alongside security risk. Indian critical infrastructure operators that experience OT incidents and cannot demonstrate CERT-In-compliant incident response and reporting face regulatory consequences that amplify the direct cost of the incident. For organisations designated as CII by NCIIPC, non-compliance with protection guidelines can trigger regulatory action even before any incident occurs.

[IMAGE: NCIIPC guidelines and OT security compliance India]

What India-Specific OT Risk Factors Amplify These Categories?

Several India-specific factors amplify the seven risk categories above. The pace of industrial expansion under PLI and the National Infrastructure Pipeline creates OT deployments faster than security programmes can keep up. The OT security skills shortage (NASSCOM estimates fewer than 5,000 OT security professionals in India against an industry need orders of magnitude larger) means most Indian industrial organisations rely on personnel without adequate OT security expertise. India's geopolitical context sustains nation-state actors' motivation to hold access to critical infrastructure. And the regulatory framework, while strengthening rapidly, still has gaps that sophisticated actors exploit in sectors with less mature NCIIPC oversight.


How Should Indian Organisations Prioritise OT Risks?

OT risk prioritisation for Indian organisations should be driven by three factors: the likelihood of each risk materialising given the organisation's sector, connectivity profile, and threat exposure; the impact of each risk if it materialises given the organisation's operational and regulatory context; and the cost-effectiveness of available mitigations. For most Indian industrial organisations, the highest priority risks are: remote access exploitation (high likelihood, high impact, cost-effective mitigations available) and IT/OT convergence without segmentation (high likelihood for connected environments, high impact, mitigations available). These two categories should receive first investment priority. Nation-state pre-positioning is the highest consequence risk but requires more sophisticated detection capabilities to address; it should be the second investment priority for critical infrastructure operators. ([NIST](https://www.nist.gov), 2023)

Frequently Asked Questions

What is the single highest OT security risk for Indian critical infrastructure?

Nation-state pre-positioning - where sophisticated APT groups establish persistent access in critical infrastructure OT systems before any active attack - is the highest consequence risk for Indian critical infrastructure operators, as demonstrated by the RedEcho campaign against India's power sector. However, the highest probability risk for most Indian industrial organisations is opportunistic ransomware crossing from IT into inadequately segmented OT networks. Addressing the most probable risk (network segmentation for ransomware) simultaneously reduces the attack surface for nation-state actors. (Recorded Future, 2021)

Which Indian industrial sectors face the highest OT security risk?

The energy sector (power generation, transmission, distribution) faces the highest documented threat activity and the greatest national consequence from OT incidents. Oil and gas is second based on strategic value, physical safety risk from process manipulation, and documented APT interest. Manufacturing (automotive, pharmaceutical, semiconductor) faces growing industrial espionage and ransomware risk amplified by PLI expansion. Water utilities face lower-sophistication threats but have the least mature OT security programmes and direct public health consequences from compromise. Healthcare OT is growing in risk as ABDM connectivity expands medical device network exposure. (CERT-In, 2025)

How does the DPDPA 2023 change OT security risk for Indian organisations?

DPDPA 2023 adds a data protection risk dimension to OT security for systems that process personal data. OT systems including smart meters, connected medical devices, industrial wearables, and building occupancy sensors may process personal data subject to DPDPA obligations. A cyber incident that compromises personal data processed by these OT systems triggers DPDPA breach notification obligations alongside CERT-In reporting requirements. Organisations with OT systems processing personal data should assess DPDPA applicability and integrate data protection controls and breach notification procedures into their OT security programme. ([DPDPA](https://meity.gov.in/dpdpa), 2023)

For hands-on delivery in India, see Risk Mitigation & Management for India.

Written By

Fredrik Karlsson

Group COO & CISO at Opsio

Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.

Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.