
What Is an OT SOC? India Context and Implementation Guide

Fredrik Karlsson

Group COO & CISO

Reviewed by Opsio Engineering Team

Quick Answer


An OT Security Operations Centre (SOC) is the operational capability that gives Indian industrial organisations eyes on their OT environments 24/7 - detecting threats that passive controls alone cannot stop. Unlike IT SOCs that monitor servers, endpoints, and cloud workloads, an OT SOC monitors industrial control systems, SCADA networks, and field device communications using tools and analysts specifically trained for operational technology environments. For Indian critical infrastructure operators under NCIIPC oversight, an OT SOC provides the continuous monitoring capability that NCIIPC guidelines require and that CERT-In's six-hour incident reporting mandate demands. Without a monitoring capability, organisations cannot know they have an incident within the mandated reporting window. (NCIIPC, 2025)

Only 28% of Indian industrial organisations with OT environments have a dedicated or shared OT SOC capability, according to NASSCOM's 2025 industrial cybersecurity survey. The remaining 72% rely on IT SOC capabilities that lack OT-specific tools, protocol knowledge, and operational context. This gap is a primary contributor to the long dwell times - averaging 212 days for OT breaches - that give adversaries months to establish persistence before detection. (NASSCOM, 2025)

Key Takeaways

  • Only 28% of Indian industrial organisations have OT SOC capability; the rest rely on IT SOCs without OT expertise (NASSCOM, 2025).
  • OT SOCs use passive monitoring and industrial protocol-aware tools rather than IT SOC endpoint agents.
  • CERT-In's six-hour incident reporting mandate requires a monitoring capability to detect OT incidents within reportable timeframes.
  • Managed OT SOC services offer Indian organisations access to OT expertise without the cost of building dedicated internal capability.
  • OT SOC analysts need industrial process knowledge alongside cybersecurity expertise - a rare combination in India.

How Is an OT SOC Different from an IT SOC?

The technology, skills, and operational processes of an OT SOC differ from an IT SOC in fundamental ways.

Technology: IT SOCs use endpoint detection and response (EDR) agents, SIEM platforms processing Windows events and network flow data, and threat intelligence feeds focused on malware and phishing. OT SOCs use passive industrial protocol monitors (Dragos, Claroty, Nozomi), SIEM platforms configured to ingest OT-specific log sources, and threat intelligence focused on ICS-specific threats and industrial sector targeting. An IT SOC's standard toolset deployed in an OT environment will miss the vast majority of OT-specific threats and may generate so many false positives from normal industrial communications that alerts become unusable.

Skills: IT SOC analysts are trained on Windows event logs, MITRE ATT&CK techniques, and network traffic analysis. OT SOC analysts need additional knowledge of industrial protocols (Modbus, DNP3, PROFINET), PLC programming and operation, SCADA system architectures, process safety basics, and the operational context that makes an alert meaningful. A Modbus function code 5 (force single coil) on a pump controller is normal during commissioning and deeply anomalous during steady-state production - distinguishing these requires operational context that pure cybersecurity training does not provide. (ICS-CERT, 2025)
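The Modbus function code 5 case above, as an added example that is not from the original article or from any of the vendor tools it names: a small Modbus/TCP request parser plus a classifier that grades the same write request differently depending on plant mode and whether the sender is a known engineering host. Plant mode, the engineering-host list and the sample frames are assumed inputs constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (writes); reads are not graded.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    unit_id: int
    function_code: int
    address: int   # -1 when the PDU layout is not decoded here
    value: int     # -1 when the PDU layout is not decoded here

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in (5, 6) and len(pdu) == 5:         # FC5/FC6: address (2) + value (2)
        address, value = struct.unpack(">HH", pdu[1:5])
    else:
        address, value = -1, -1
    return ModbusRequest(unit_id, fc, address, value)

def classify(req: ModbusRequest, plant_mode: str, src_ip: str,
             engineering_hosts: set) -> tuple:
    """Return (severity, reason). The function code alone is not the signal;
    the operational context (plant mode, sender) decides how it is graded."""
    if req.function_code not in WRITE_FUNCTION_CODES:
        return "info", "read-only request"
    name = WRITE_FUNCTION_CODES[req.function_code]
    if plant_mode == "commissioning" and src_ip in engineering_hosts:
        return "low", f"{name} from engineering host during commissioning"
    if plant_mode == "production" and src_ip in engineering_hosts:
        return "medium", f"{name} from engineering host during steady-state production"
    return "high", f"{name} from non-engineering host {src_ip} during {plant_mode}"

# Constructed sample frames: FC5 coil write (ON) to unit 1, and an FC3 read.
FC5_WRITE = bytes.fromhex("00010000000601050010ff00")
FC3_READ = bytes.fromhex("000200000006010300000008")
```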

[CHART: OT SOC vs IT SOC - technology, skills, alert types, response procedures - Source: Opsio]

What Are the OT SOC Models for Indian Organisations?

Indian industrial organisations can establish OT SOC capability through three models. The first is a dedicated internal OT SOC: a team of OT security analysts with OT-specific tools, processes, and 24/7 coverage, dedicated to the organisation's OT environments. This model provides the deepest integration with operational context but requires significant investment in people, technology, and facilities. It is practical for large Indian industrial organisations - major PSUs, Tier 1 manufacturers, large refinery operators - but exceeds the budget and talent availability of most mid-market organisations.

The second model is an integrated OT/IT SOC: the existing IT SOC is extended to cover OT environments with additional OT-specific technology, OT analyst training, and OT-specific playbooks. This model is more cost-effective and leverages existing IT SOC infrastructure, but risks applying IT security logic to OT situations where it does not apply. Success requires sustained investment in OT knowledge development for IT SOC analysts and clear protocols for escalating OT alerts to personnel with operational context. The third model is managed OT SOC: an external provider with OT-specific expertise, technology, and 24/7 coverage provides SOC services for the organisation's OT environments, typically integrating with the internal IT SOC for coordinated response. This is the most accessible model for Indian mid-market industrial organisations and provides OT expertise that is difficult to build and retain internally.


What Technology Does an OT SOC Need?

An OT SOC requires three technology categories.

Passive OT monitoring: tools like Dragos Platform, Claroty Continuous Threat Detection, and Nozomi Networks Guardian that listen to OT network traffic, build asset inventories, and detect anomalies in industrial protocol behaviour. These tools generate the primary alert stream for OT SOC analysts.

OT-capable SIEM: a security information and event management platform that can ingest OT monitoring tool alerts alongside traditional IT log sources (Windows events, firewall logs, authentication logs) to provide unified visibility. CERT-In's 180-day log retention requirement applies to OT-relevant logs.

Incident response tooling: forensic tools appropriate for OT environments - network capture capability, protocol analysis tools, and connection to OT vendor technical support for equipment-specific forensics.

How Does an OT SOC Support CERT-In Compliance?

CERT-In's six-hour incident reporting requirement creates a practical dependency on OT monitoring capability. An organisation that discovers an OT incident through manual investigation - an operator noticing unusual behaviour, a maintenance engineer finding evidence of unauthorised access - typically discovers incidents days or weeks after they begin, long past the six-hour reporting window. An OT SOC with continuous monitoring can detect incidents in near-real-time, giving the organisation the window needed to assess the incident and complete the mandatory CERT-In report within the six-hour requirement.

The OT SOC is also the operational anchor for CERT-In log retention compliance. CERT-In requires 180 days of log retention from relevant systems. The OT SOC's log collection infrastructure - which must capture OT monitoring tool alerts, firewall logs, access control logs, and engineering workstation events - provides the evidence base for CERT-In audits and incident investigations. Organisations without log collection capability from OT environments cannot demonstrate CERT-In compliance for OT-relevant incidents.

Frequently Asked Questions

How many analysts does an OT SOC need?

A minimum viable OT SOC for 24/7 coverage requires at least six to eight analysts to cover shifts, training, leave, and specialist escalation. For a mid-sized Indian industrial organisation with one to three sites, a managed OT SOC service is typically more practical than staffing an internal team of this size. Larger organisations with multiple critical sites may staff 10-20 OT security analysts when operational support roles are included alongside pure monitoring functions. The skills scarcity in the Indian OT security market makes analyst recruitment a significant constraint for internal OT SOC build programmes. (NASSCOM, 2025)

Can an IT SOC tool like a SIEM be used for OT monitoring?

A SIEM platform can ingest OT monitoring tool alerts and OT-relevant logs, making it useful for correlating OT and IT data. However, a SIEM alone cannot replace dedicated OT passive monitoring tools - it can only process the log data that other tools collect. An OT SOC needs both: passive OT monitors that collect industrial protocol data and asset inventories, and a SIEM that aggregates and correlates this data with IT security events for unified visibility. SIEM platforms like Splunk, Microsoft Sentinel, and IBM QRadar all have OT integrations available for the major OT monitoring platforms. (Dragos, 2025)
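The SIEM role described in this answer and in the CERT-In section above, as an added example that is not from the original article or from any SIEM vendor: a correlation routine that attaches IT-side events (a Windows logon, a firewall flow into the OT zone) to a passive-OT-monitor alert on the same host, grades the result, stamps the six-hour CERT-In reporting deadline on it, and checks whether the retained logs reach back 180 days. The event records and the field names are constructed for the example; real OT monitors and SIEMs use their own schemas.

```python
from datetime import datetime, timedelta

CERT_IN_REPORT_WINDOW = timedelta(hours=6)    # reporting window from the 2022 CERT-In directions
CERT_IN_LOG_RETENTION = timedelta(days=180)   # log retention period from the same directions

# Constructed sample events (not real logs): one passive-OT-monitor alert plus the
# IT-side events a SIEM would already hold for the same engineering workstation.
EVENTS = [
    {"ts": "2025-03-10T02:05:30+05:30", "source": "windows", "host": "eng-ws-01",
     "event_id": 4624, "logon_type": 10, "user": "contractor1"},
    {"ts": "2025-03-10T02:06:10+05:30", "source": "firewall", "host": "fw-it-ot",
     "action": "allow", "src": "eng-ws-01", "dst": "plc-pump-3", "dport": 502},
    {"ts": "2025-03-10T02:14:00+05:30", "source": "ot-monitor", "host": "eng-ws-01",
     "alert": "Modbus write (FC5) to plc-pump-3 outside maintenance window"},
]

def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])

def correlate(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """For each OT-monitor alert, gather IT-side events that name the same host
    (as host or as connection source) within `window` before the alert, grade
    the incident, and record the CERT-In reporting deadline."""
    incidents = []
    for alert in events:
        if alert["source"] != "ot-monitor":
            continue
        t = ts(alert)
        related = [e for e in events if e is not alert
                   and alert["host"] in (e.get("host"), e.get("src"))
                   and t - window <= ts(e) <= t]
        remote_logon = any(e.get("event_id") == 4624 and e.get("logon_type") == 10
                           for e in related)
        it_to_ot_flow = any(e.get("action") == "allow" and e.get("dport") == 502
                            for e in related)
        if remote_logon and it_to_ot_flow:
            severity = "high"    # remote session on the workstation, then a write into OT
        elif related:
            severity = "medium"
        else:
            severity = "low"     # OT alert alone still goes to operational triage
        incidents.append({"detected_at": t, "severity": severity,
                          "report_by": t + CERT_IN_REPORT_WINDOW,
                          "evidence": [e["source"] for e in related]})
    return incidents

def retention_covers(events: list, now: datetime) -> bool:
    """True if the oldest retained event is at least 180 days before `now`."""
    oldest = min(ts(e) for e in events)
    return now - oldest >= CERT_IN_LOG_RETENTION
```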

What is the response procedure when an OT SOC detects a threat?

OT SOC response procedures must be specifically designed for OT environments and approved by both the CISO and plant operations leadership before being activated. The key difference from IT response is that isolation or shutdown of OT systems requires operational sign-off - an OT SOC analyst cannot independently decide to isolate a SCADA server that is actively managing a production process. Response procedures should define the escalation chain for OT incidents, the criteria for different response actions, the CERT-In reporting trigger and procedure, and the coordination process with equipment vendors for technical support. These procedures should be tested through tabletop exercises at least annually. (CERT-In, 2022)

For hands-on delivery in India, see managed OT security services.

Written By

Fredrik Karlsson

Group COO & CISO at Opsio

Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.

Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.