As OT systems converge with IT, cyberattacks on industrial infrastructure are rising sharply. CISOs must lead with AI-driven defense, Zero Trust, and data governance to protect national security and operations.
In the past, Operational Technology (OT) systems—responsible for powering critical infrastructure like energy grids, manufacturing plants, and transportation networks—were considered immune to the cyberattacks plaguing traditional IT systems. Shielded by air-gapped architectures, proprietary protocols, and physical isolation, OT environments enjoyed a false sense of security. But that era is over.
Today, industrial organizations are under siege. As digital transformation sweeps across sectors and OT systems become interconnected with IT, cloud, AI, and remote access technologies, they’ve emerged as high-value targets for cybercriminals, hacktivists, and nation-state actors alike. Ransomware syndicates, AI-generated phishing campaigns, and advanced persistent threats are infiltrating OT ecosystems with alarming frequency—and often with devastating impact. Factory shutdowns, energy grid failures, and large-scale supply chain disruptions have become all too real.
A recent survey found that 3 out of 4 organizations have experienced a cyberattack on their OT environments—many on a recurring, even daily basis. Nearly 70% faced attacks within the past year alone, and a quarter reported full operational shutdowns as a direct consequence. Most of these attacks didn’t originate in OT systems themselves but entered through IT—highlighting the urgent need for cohesive IT-OT cybersecurity strategies. The days of siloed security teams are numbered.
And the risks are only growing. The proliferation of AI, robotics, 5G, and cloud-based industrial platforms introduces new threat vectors even as they offer unprecedented operational efficiency. Meanwhile, compliance demands are escalating under new data privacy regulations like India’s DPDP Act. CISOs must now navigate a labyrinth of regulatory, technological, and geopolitical challenges—while also addressing acute cybersecurity talent shortages and legacy system constraints.
Pradipta Patro, Head of Cyber Security & IT Platform, RPG Group, calls 2025 a “watershed moment” for OT security. He warns that AI-powered attacks are becoming more sophisticated, and defenders must match that intelligence with equally agile, AI-driven detection and response. He highlights the growing threat of data poisoning in telemetry systems, the risks of cloud misconfigurations, and the dangerous implications of insider attacks and deepfakes.
He advocates for a proactive, layered security posture centered on the Zero Trust model—not as a buzzword, but as an essential framework that integrates endpoint, network, and behavioral controls across both OT and IT domains. In his view, success depends on strong cyber governance, continuous monitoring, intelligent automation, and—most importantly—a cyber-aware workforce empowered to act as the first line of defense.
In an era where industrial resilience and national security are inextricably linked, OT cybersecurity is no longer a back-office concern—it’s a boardroom imperative. This story explores how visionary CISOs are adapting to this new reality, building cyber strategies that are not only reactive but resilient, intelligent, and future-ready.
CISO Forum: What are the most significant cybersecurity threats you foresee in 2025? And what strategies should CISOs employ to mitigate them effectively?
Pradipta Patro: The cybersecurity trends have been going upward for many years. Incidents are always upward. If you look at the World Economic Forum’s 2025 report, which was released in January, there are also a lot of predictions for 2025 and the year after. We have seen that several incidents are going high every time, and there are a lot of tricks and tactics or challenges faced by enterprises and organizations, as well as the whole country or the state.
The 2025 report finds a series of compounding factors driving the escalating complexity of the cyber landscape, because the landscape is getting bigger and bigger. The way we work from anywhere, we work from any device, and you see that digitization is happening. Emerging technology is also getting broader and broader. We’ll be seeing a lot of challenges, and that landscape is getting bigger and bigger from that perspective.
Even at the same time, if you look at geopolitical tensions, they contribute to a more uncertain environment. If you see some parts of Europe or certain parts of different Asian countries, we have seen a lot of geopolitics. It is also creating many challenges in cybersecurity, and it might be country to country, state to state, or organization to organization. The conflicts are also there. Also, increased integration and dependency on a more complex supply chain environment today lead to unpredictable risks. It also gives the upper side of the cybersecurity threats.
In the recent past, the threat of tariffs has impacted a lot of countries and their market. Those are also unpredictable. We are discussing the rebate of adopting emerging technology today and its contribution to new vulnerabilities in the threat landscape. I can give you an example; in that case, we have AI-powered ChatGPT or the Gen AI, and in many places, we are talking about, newer chatbots are coming up, and it also creates an open mouth of vulnerabilities in the environments.
And sometimes, if you also see the simultaneous proliferation of the regulatory requirement, the way we are talking about GDPR, which has been there, might be in India. We have to talk about the DPDP Act that is coming. It also adds a significant compliance system to organizations. I must do it in various ways when discussing different controls or people, processes, and technology.
The cybersecurity skill gaps are also paramount. We talk about many of the skill challenges we have seen for organizations, how to help the country, and how we can make them more skilled in cybersecurity. These are key points we observe in 2025. Also, I will not forget one other fact: sophisticated cybercrimes. We are talking about AI helping the protectors and defenders. At the same time, crime also has AI-powered systems, which can have a very drastic impact. It is affecting various organizations and countries as well. And social engineering—if you look at it today—phishing attacks are among the most frequent threats in India’s digital space. In most of the cases I see daily, in different cities, senior citizens or certain individuals are losing significant amounts of money due to such attacks.
And this is also a concern—those social engineering attacks, maybe digital impersonations, phishing, or deepfakes we are talking about. These are all sophisticated attacks that are happening. And if you see most cases and ask about the trend of those technological challenges or risks we are looking at in 2025, I have witnessed more AI-powered cyberattacks, which are predicted to account for around 66% of total attacks happening today.
The second is the convergence of OT and IT. That landscape is expected to account for around 13%. And with cloud technologies, of course, we see greater adoption. However, cloud configuration issues, misconfigurations, various SaaS platform solutions, and many other integrations contribute up to 11%.
And then, there is sophisticated ransomware. Ransomware today is more advanced and intelligent than before. Earlier, we could detect it faster, but now it is much harder—unless we have better tools and vigilant processes. If we don’t use AI-enabled protector or defender tools, we may not be able to detect these threats effectively.
And exploitation of IoT devices—because today, in many places, especially with Industry 4.0 or 4.5—we are seeing significant automation across supply chains. We’re also talking about smart cities, connected cars, autonomous vehicles, and a wide range of integrated systems in this hyper-connected world. Naturally, this brings many challenges in the IoT environment as well.
Misinformation and disinformation have also played a crucial role today. When something is highlighted, it spreads quickly. On social media, misinformation or disinformation often goes viral very fast. That is a major challenge we foresee in 2025.
From a technological or attack vector perspective, cybersecurity remains a top concern for most organizations. If we talk about ransomware attacks, they will be the most dominant. Cyber-enabled frauds—including phishing, business email compromise, and deepfakes—will account for around 20% to 21% of threats.
Supply chain disruptions and attacks are also increasing. These include cases where electricity utilities or ticketing systems are interrupted for extended periods. We expect such supply chain threats to rise in 2025.
Malicious insiders remain a significant threat. Insider attacks have had heavy impacts. Disinformation, as mentioned earlier, is projected to contribute around 6%–7%. Denial of service (DoS) attacks also continue to be a concern, though currently at single-digit levels.
These risks already exist and are growing year by year. From a cybersecurity strategy perspective, the first and foremost step is to get the basics right. Your foundational security controls must be strong. This includes implementing the right measures for people, processes, and technology. A robust cyber resilience framework and incident management plan are essential.
Second is proactive monitoring. Automation alone isn’t enough. If you’re not proactively monitoring your systems, you’re being reactive—and that puts you at risk. Monitoring, correlation of events, and actionable insights must all be in place to detect threats before they escalate.
Cyber intelligence is equally critical. If something is happening elsewhere in the world, you must understand its cause and assess how it might affect your environment. Strong governance of your cybersecurity program is crucial.
Lastly, cyber awareness is essential. Attacks often begin with identity compromise. People may unknowingly share usernames or passwords on social media or apps. Building awareness is key—it protects your organization and empowers others.
And finally, skilling your workforce is vital. You need trained professionals who can defend your digital assets. These are some of the strategies that we, and many other organizations, can adopt to support both the business and the cybersecurity community.
CISO Forum: How do you envision the evolution of the Zero Trust model in the coming years, and how will AI and automation enhance its implementation?
Pradipta Patro: Of course, AI always aligns with the Zero Trust framework or security principles by automating processes with greater accuracy. That is what I’m emphasizing: greater accuracy and faster response. That’s important—and the AI that is embedded in any tool, whether it’s Zero Trust or any surrounding technology, is enabling us.
In this context, it improves the speed at which the organization can detect malicious applications, anomalies in user actions, unauthorized access, or exposure of sensitive information. We talk about Mean Time to Respond (MTTR) or Mean Time to Detect (MTTD)—and with AI, both are much faster.
Zero Trust is not a single technology or solution—it is a layered approach. From endpoint to cloud, the controls across those processes need to be adequate.
Of course, AI plays a crucial role in improving MTTR and MTTD, giving us the advantage of runtime visibility—such as better efficiency, faster response, and timely detection. For example, we can quickly identify if bots or malware are in place, or if user behavior suddenly shifts—like a user logging in from Asia and then from Europe within 10–15 minutes, accessing the same resources. These anomalies can be detected effectively.
Zero Trust ensures that all technologies within its framework can be integrated to derive accurate insights and enable faster, appropriate action. AI helps with that—enhancing both response and detection capabilities.
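The login anomaly described in this answer (one account authenticating from Asia and then from Europe a few minutes apart) can be caught with an impossible-travel check. The following is an added example and not code from the interview or from RPG Group; the login events, coordinates and the 1,000 km/h plausibility limit are constructed assumptions.

```python
"""Impossible-travel detector over a constructed batch of login events.

For each user, consecutive logins are compared: the great-circle distance
between the two locations divided by the elapsed time gives an implied
travel speed. Anything faster than an airliner is flagged for review.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: roughly airliner cruise speed


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    resource: str  # what was accessed; kept so the alert shows context


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert per consecutive login pair whose implied speed is implausible."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)  # events may arrive out of order
        for prev, cur in zip(evs, evs[1:]):
            distance_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours <= 0:
                # Same timestamp: any distance at all is impossible.
                speed_kmh = float("inf") if distance_km > 0 else 0.0
            else:
                speed_kmh = distance_km / hours
            if speed_kmh > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": (prev.lat, prev.lon),
                    "to": (cur.lat, cur.lon),
                    "minutes_apart": round(hours * 60, 1),
                    "distance_km": round(distance_km, 1),
                    "implied_speed_kmh": round(speed_kmh, 1),
                    "resources": sorted({prev.resource, cur.resource}),
                })
    return alerts


def _t(hh: int, mm: int) -> datetime:
    return datetime(2025, 3, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample: alice logs in from Mumbai, then Frankfurt 12 minutes later
# against the same ERP resource; bob moves Mumbai -> Pune over three hours.
SAMPLE_EVENTS = [
    LoginEvent("alice", _t(9, 0), 19.0760, 72.8777, "erp-portal"),
    LoginEvent("alice", _t(9, 12), 50.1109, 8.6821, "erp-portal"),
    LoginEvent("bob", _t(8, 0), 19.0760, 72.8777, "vpn"),
    LoginEvent("bob", _t(11, 0), 18.5204, 73.8567, "vpn"),
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

In production the same check would run on the identity provider's sign-in log, with geolocation taken from the source IP rather than embedded in the event.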
CISO Forum: Regarding AI in cybersecurity, is your approach primarily focused on leveraging it for operational efficiency, or are you more concerned about mitigating its potential misuse?
Pradipta Patro: It is a balance of both because you can’t have one and ignore the other. But of course, first, AI can be leveraged to optimize efficiency—whether you’re talking about SIEMs or XDR—detecting threats faster, or at the same time, emerging technologies like ChatGPT, GenAI, or others that may be misused by employees, leading to data breaches. Sometimes this happens when someone enters organizational proprietary information into the cloud to get answers from ChatGPT or other AI tools.
That is where we have seen a lot of challenges. Still, as I said, AI is helping us enhance operational efficiency by ensuring faster detection, response, proactive reporting, and intelligence gathering—giving you the edge to be more proactive.
But at the same time, if we talk about GenAI, ChatGPT, or other AI chatbots, they also bring certain risks to the organization. An employee may unknowingly share confidential data on public platforms, leading to potential data breaches.
So, from that perspective, it’s a balance. We need to work toward leveraging AI for better resilience. At the same time, we must ensure that we adopt these new-edge technologies responsibly. More awareness and governance need to be established to ensure we remain protected on that front as well.
CISO Forum: With the introduction of the DPDP Act, how is your cybersecurity strategy evolving to ensure compliance, and what challenges do you anticipate?
Pradipta Patro: The DPDP Act is critical to organizations, especially significant data-producing sectors like the health industry, BFSI, or B2C businesses. To be very honest, we gather a lot of information—BI information and more.
So, from that perspective, of course, BI will play a crucial role in protecting personally identifiable information for the country. If you look at how organizations need to approach this, it’s not a one-time activity—it’s a journey. It’s not that you suddenly get a tool, assign people, implement processes, and everything starts working on day one. That is not possible.
It is more of a journey you have to begin. In this journey, we need to conduct assessments, identify and classify BI data, protect it, and then align it with business processes to ensure sustainability year after year. That’s where we have to start and implement it effectively across domains or industries.
There will be additional challenges—such as skill gaps, process gaps, and technology limitations. We need to evaluate how implementation can be effective across domains and what additional resources are required, including people, technology, and awareness.
It’s not just about implementing a DLP solution to classify data—that’s important—but it’s also about how the DLP detects sensitive data and whether it can do so automatically or manually. Sometimes, emails or data may not be allowed to go out of the organization, depending on enterprise policies.
We also need to create strong cultural awareness about the importance of DPDP. That awareness is essential. I acknowledge there are challenges in implementing this effectively across any organization, but somewhere, we have to begin the journey. As an organization, we have already started identifying and classifying data as part of those initial stages.
CISO Forum: How is the industry adapting its data governance frameworks to meet DPDP Act compliance, particularly when managing sensitive personal data across multiple jurisdictions?
Pradipta Patro: DPDP is the framework and the Act we are talking about, and specific basic frameworks exist for all industries—whether they are insignificant, primary production, or smaller or listed organizations. Something common for all organizations is the perspective of data governance. Whatever the data—customer data, individual data, or your organization’s IP—you have to start somewhere from the data governance perspective.
The four key pillars of the data governance framework are:
- Data Quality – You need the right quality of data.
- Data Ownership – Data must be owned, which involves having the right owner and aligned business processes.
- Data Protection – Ensuring the data is secured.
- Data Compliance and Management – This includes the processes and practices at the end of the data lifecycle.
So, we must ensure that all these pillars support integrity, security, and usability, forming a solid foundation for managing data effectively. Otherwise, data may exist but won’t be available for meaningful use. If the integrity is missing, it doesn’t make sense to retain or use that data. So that’s important.
At the same time, if we talk about best practices—for example, judiciary or cross-border data transfer challenges—we’re discussing data localization. These should also be part of DPDP. Most of the time, you’ll find that DPDP allows the government to restrict data transfers to specific countries or entities and requires data to be stored within India.
It might involve local provisions ensuring data remains stored domestically. Data should only be transferred to approved jurisdictions and judicial systems. Certain countries, not currently on the approved list, may be restricted under the Act, and data transfer to them will not be permitted. So that’s one important aspect.
While it’s not a blanket restriction on cross-border data transfers, the Act grants the government broad authority to enforce limitations on transfers to specific countries or entities controlled by such nations. India may identify specific countries where data transfer is restricted. These provisions are already being introduced into the Act.
Of course, there are challenges and complexities—because not every piece of data can be tracked and traced. When it comes to digital assets, most organizations don’t fully know where their digital assets reside. At best, they may know 80%, but 20% still falls into a grey area.
The challenges also include localization requirements, managing data, and maintaining security during cross-border transfers. However, these challenges can be mitigated through robust security measures—such as strong access control, HTTP restrictions, and implementing monitoring systems to prevent unauthorized access or data breaches.
Secondly, contractual safeguards must be in place. These include signing data processing agreements (DPAs) and ensuring the use of standard data transfer agreements with legal clauses that ensure compliance.
From a risk assessment perspective, regular reviews are important. Data minimization should be practiced—only collecting personal data that is essential for the specific purpose. There should also be clear limitations on how that data is used.
In consent management, we are talking about clear, explicit, and voluntary consent. Data processing principles should be followed to ensure consent is properly taken.
While the Act may not elaborate in detail on data breach notification, organizations must have mechanisms in place to notify and protect affected areas in the event of a breach.
From a compliance perspective, regular audits must be conducted, and organizations must stay updated with applicable laws and regulations. Employee training is crucial. Employees should never say, “I wasn’t aware.” Awareness of the latest regulations is essential.
We also need to establish a strong data protection framework, whether through digital workspace solutions, third-party data compliance, or breach incident management. Organizations must maintain records, ensure encryption of data (both at rest and in transit), and uphold data integrity through secure technologies.
That is how we can maintain compliance and meet the challenges. These responsibilities must also be formalized through contracts or agreements between parties to ensure accountability.
These are the key data localization and cross-border transfer challenges under the DPDP Act.
Several notable Operational Technology (OT) breaches have targeted Indian organizations in recent years, highlighting the growing cybersecurity risks in critical infrastructure and industrial sectors:
- Tata Power Ransomware Attack (2023): The Hive ransomware group infiltrated Tata Power’s IT systems, encrypting critical data and demanding ransom. The attackers exfiltrated sensitive information including employee records, customer data, financial documents, engineering drawings, and private cryptographic keys. When the ransom was not paid, part of the stolen data was leaked on the dark web, exposing highly sensitive credentials.
- Oil India Limited Cyberattack (2022): Hackers launched a cyberattack on Oil India Limited, demanding a ransom exceeding Rs 57 crore. Although production and drilling systems were reportedly unaffected, the attack disrupted IT systems and led to the decommissioning of impacted systems to safeguard operations.
- Kudankulam Nuclear Power Plant Attack (2019): India’s largest nuclear power station suffered a malware attack involving the Dtrack malware, linked to the North Korea–based Lazarus Group. The attackers gained domain controller-level access to the plant’s IT network, stealing administrative credentials and sensitive data. Although the OT network controlling critical plant operations was reportedly not compromised, the breach raised serious concerns about potential future attacks on critical infrastructure.
- Operation FlightNight (2024): A cyber espionage campaign targeted multiple Indian government entities and private energy companies. Attackers used phishing emails and malware to exfiltrate 8.81 GB of sensitive data, including financial documents, employee details, and drilling activity information. This operation demonstrated the persistent threat to India’s energy sector and government infrastructure.
These incidents underscore the urgent need for Indian CISOs to strengthen OT cybersecurity defenses, as breaches can disrupt critical services, compromise national security, and expose sensitive data to hostile actors.
CISO Forum: What best practices are emerging to address data localization and cross-border data transfer challenges under the DPDP Act, and how are organizations ensuring compliance?
Pradipta Patro: Data localization and cross-border data transfer challenges will always exist. As I said, while we follow the law of the land, we must ensure that data localization is enforced from India and that restrictions are followed wherever the Act specifies that data should not be transferred across borders to certain countries.
In a digital or hyperconnected world, we can’t trace every individual document. However, having said that, it is the organization’s responsibility to ensure those countries are already blocked. Or, if a transfer is happening, there should be controls and options to manage it.
That is where we can see these controls coming into play.
As I mentioned, the challenges must be mitigated through robust cybersecurity measures. These include encryption of data at rest, access control—especially access control—and implementation of monitoring systems to proactively detect and block unauthorized actions.
Contractual agreements or safeguards, such as Data Processing Agreements (DPAs), should be signed off with parties—even when data is being transferred across borders. This would also require a DPA.
The risks we discussed earlier must be addressed through data minimization, periodic review, and consent management. Consent managers must ensure that individuals can seamlessly grant or manage their consent, and that it is handled effectively.
Data breach notifications, as I mentioned, are also key parameters in addressing these challenges.
At the end of the day, employee training is critical—especially training in data protection principles. Employees need to understand why we protect data and the compliance consequences of mishandling it. This training should go beyond general cybersecurity awareness and specifically cover data protection.
We also need a strong data protection framework, as I mentioned—across people, processes, and technology. It’s essential to implement data protection frameworks effectively.
We must use secure digital workspace solutions that address how and where data is stored—whether in local apps, endpoints, devices, or systems. These should be centralized more effectively to enable better governance.
In preparing for data breach incidents, if something goes wrong, there must be a proper incident response plan in place to address potential breaches. This helps us understand what actions to take immediately.
Maintaining a record of all data transfers and ensuring traceability for audit purposes is also important.
So, these are some of the challenges and risks surrounding the DPDP Act. And of course, while some aspects are yet to come into effect, the Act is already in place, and the final rules and integrity clauses will be published soon by the Government of India.
CISO Forum: You previously referred to the convergence of IT and OT and the associated challenges. Given your experience in the energy and infrastructure sectors, what are the emerging cybersecurity challenges you are observing on the OT side?
Pradipta Patro: A few years back, most IT or security leaders focused solely on IT or OT. However, over the last five or six years, OT has increasingly converged with IT. We’ve seen a rise in telemetry data generated from supply chains, plants, and plant information management systems, which is now being pushed into the cloud. Data no longer resides in one centralized place—it’s part of a broader industrial, supply chain, or plant ecosystem.
In the past, OT was treated as a separate, isolated island. Today, it is deeply integrated—not only with SAP and ERP systems but also with customers, consumers, and even the OEMs who manufacture machinery. These OEMs connect remotely to enable predictive maintenance.
So, OT and IT are now closely integrated. A lot of analytics—like predictive maintenance, productivity, quality control—are conducted in real-time using telemetry data. This is consolidated in industrial clouds or command and control centers. For example, we can now measure how much power leakage occurs between Point A and Point B in a transmission network. That kind of real-time data gives actionable insights to optimize processes, improve supply chain visibility, and enable better decision-making.
However, there are challenges. Sensors, PLCs, and scanner systems are often deployed at the edge. These systems—many of which are legacy—weren’t built with today’s telemetry or cybersecurity demands in mind. You can’t just replace them overnight. Greenfield projects are easier—they’re designed for connectivity. But brownfield or legacy systems require significant capex investment to upgrade.
Many of these systems use outdated operating systems, are not connected via Ethernet, or operate on older, incompatible protocols—not modern IoT protocols. Integration becomes a challenge. But organizations are working to monitor these systems effectively, even with such constraints.
We’re setting up systems to monitor breaches, alerts, and behavior anomalies. We then build policies around these insights. That’s how we’re addressing OT and IT security challenges together.
And if you look at broader technology trends—connected cars, Industry 4.0, and the coming Industry 5.0—automation and autonomy are increasing. We’re deploying thousands of sensors across production floors, supply chains, and processes to capture telemetry 24/7. This isn’t just for one shift—it runs around the clock, generating analytics in real-time to help us take the right actions to protect OT environments.
The data volume is enormous. We’re no longer talking about gigabytes—it’s terabytes or even petabytes generated daily.
CISO Forum: Does it worry you that when you collect all this data, malicious actors could manipulate it through data poisoning?
Pradipta Patro: Yes, absolutely. That’s one of the biggest concerns. We’ve seen instances of data poisoning in the past. You may recall the Stuxnet scenario—where malware altered telemetry data and caused significant operational impact. Similar attacks still happen.
In today’s hyperconnected world, where data is constantly moving from endpoints to the cloud, even minor configuration changes—say, a turbine RPM misreading from 5,000 to 50,000—can cause massive disruption. A single malicious data point can corrupt entire processes. These risks become very real when data is injected into data warehouses during transitions.
We’ve seen several cases where one bad data input can impact the full operational flow—across systems and industries. So yes, this remains a very real and evolving threat, especially with the scale of OT-IT convergence and data centralization in modern industrial ecosystems.
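One defensive control against the poisoned-telemetry case above (a turbine RPM reading jumping from 5,000 to 50,000) is a plausibility gate that validates each sample against the tag's engineering range and maximum rate of change before it is written to the warehouse. The block below is an added example and not code from the interview or from RPG Group; the tag name, limits and sample stream are constructed.

```python
"""Plausibility gate for OT telemetry ahead of the data warehouse.

Each sample is checked against (1) an engineering range for its tag and
(2) the largest physically plausible change per second. Implausible points
are quarantined with a reason instead of being stored. The rate check is
always measured against the last ACCEPTED value, so one poisoned point
does not cause the next good reading to be rejected as a "jump" as well.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float             # lowest physically meaningful value
    high: float            # highest physically meaningful value
    max_step_per_s: float  # largest plausible change per second


@dataclass(frozen=True)
class Sample:
    tag: str
    ts: float    # seconds since epoch
    value: float


# Constructed engineering limits for a turbine speed tag (assumption).
LIMITS = {"turbine1.rpm": TagLimits(low=0.0, high=6000.0, max_step_per_s=50.0)}


class TelemetryGate:
    def __init__(self, limits):
        self.limits = limits
        self.last_good = {}     # tag -> last accepted Sample
        self.accepted = []      # samples cleared for storage
        self.quarantined = []   # (Sample, reason) pairs for the SOC to review

    def ingest(self, s: Sample) -> bool:
        """Accept or quarantine one sample; returns True when accepted."""
        lim = self.limits.get(s.tag)
        if lim is None:
            self.quarantined.append((s, "unknown tag"))
            return False
        if not (lim.low <= s.value <= lim.high):
            self.quarantined.append((s, f"out of range [{lim.low}, {lim.high}]"))
            return False
        prev = self.last_good.get(s.tag)
        if prev is not None:
            dt = s.ts - prev.ts
            if dt <= 0:
                self.quarantined.append((s, "non-monotonic timestamp"))
                return False
            step = abs(s.value - prev.value) / dt
            if step > lim.max_step_per_s:
                self.quarantined.append(
                    (s, f"step {step:.1f}/s exceeds {lim.max_step_per_s}/s"))
                return False
        self.last_good[s.tag] = s
        self.accepted.append(s)
        return True


def run_gate(samples, limits=LIMITS) -> TelemetryGate:
    gate = TelemetryGate(limits)
    for s in samples:
        gate.ingest(s)
    return gate


# Constructed stream: steady ~5,000 RPM, one gross poisoning (50,000, out of
# range) and one subtler in-range poisoning (5,900, an impossible 898 RPM/s step).
SAMPLES = [
    Sample("turbine1.rpm", 0.0, 4980.0),
    Sample("turbine1.rpm", 1.0, 5010.0),
    Sample("turbine1.rpm", 2.0, 5005.0),
    Sample("turbine1.rpm", 3.0, 50000.0),
    Sample("turbine1.rpm", 4.0, 5002.0),
    Sample("turbine1.rpm", 5.0, 5900.0),
    Sample("turbine1.rpm", 6.0, 5008.0),
]

if __name__ == "__main__":
    gate = run_gate(SAMPLES)
    print("accepted:", [s.value for s in gate.accepted])
    for s, reason in gate.quarantined:
        print(f"quarantined t={s.ts} value={s.value}: {reason}")
```

Quarantined points should feed an alert rather than be silently dropped, since a burst of them on one tag is itself a signal that the sensor or its data path has been tampered with.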