
Lead – OT/ICS Security & Data Risk

Seven N Half

5 - 10 years

Mumbai

Posted: 12/02/2026


Job Description

Lead OT/ICS Security & Data Risk


Location: Mumbai (Corporate HQ)

Function: BPSS&R (Brand Protection, Security, Safety & Resilience)

Reports to: Head Automation and Technology


Experience: 8–10 years in cybersecurity, OT/ICS security, or risk management (multi-site enterprise preferred)


Education: Bachelors/Masters in Computer Science, Engineering, Cybersecurity or equivalent


Certifications (preferred): CISSP, CISM, GIAC (GICSP/GRID/GCIA/GSEC), ISO/IEC 27001 LA/LI, ISA/IEC 62443, CEH; privacy (DSCI DCPP/IAPP) is a plus


Languages: English; Hindi. Good articulation is a plus


Compensation: Market-aligned (fixed + performance variable)


Role Purpose


Own risk analysis and control assurance at the intersection of data and OT/ICS for IHCL's hotels and facilities. Provide measurable reduction in cyber, safety, and brand risks by hardening BMS, FAS, elevators, DGs, water systems, ACS, VMS/CCTV, door-locks, and adjacent data flows, and by enforcing sound data governance in FlexiCore and connected systems. Act as the technical right hand to the Lead Brand Protection & Investigations for OT incidents, fraud-adjacent signals, and evidence quality.


Scope

  • Properties, corporate offices, and critical plant/BoH areas.
  • OT/ICS: BMS/FAS, HVAC/AHU, elevators, power/gensets, water treatment, metering, access control/door-locks, VMS/CCTV.
  • Data risk across FlexiCore and integrations (PMS/POS/HRMS/Finance/ACS/VMS/IoT).


Key Responsibilities


1) Risk Assessment & Architecture Assurance


  • Build and maintain the OT asset inventory (make/model/firmware/network zone/criticality).
  • Perform risk assessments (threat modelling, zone & conduit reviews, segmentation checks, remote access hygiene, vendor pathways).
  • Define and validate network reference architecture (levels/zones; firewalls; jump-hosts; one-way gateways where needed).


2) Monitoring, Detection & Anomaly Analysis


  • Integrate OT telemetry with ISSOC/FlexiCore; baseline normal behaviour and tune detections (protocol anomalies, policy violations, unsafe states).
  • Correlate SIEM/SOAR alerts with physical events (e.g., door-force + after-hours movement + card misuse).
  • Operate or advise on passive discovery (e.g., Nozomi/Claroty/Armis-type tools or equivalents) and NDR/IDS in OT segments.


3) Control Design & Implementation (OT)


  • Drive segmentation and least privilege for PLCs/controllers, HMIs, servers, and management stations.
  • Establish secure remote maintenance patterns (brokered access, MFA, session recording).
  • Design patch/compensating control regimes aligned to maintenance windows; track firmware/config drift; validate backups and restore tests.
  • Implement hardening baselines (password vaulting, disable default services, logging levels, time sync, tamper controls).


4) Data Risk Governance (with FlexiCore)


  • Classify data (PII/PCI/operational) and enforce data minimisation, masking/tokenisation, retention and access controls (RBAC/ABAC).
  • Define data contracts for feeds into FlexiCore; ensure schema versioning, lineage, and reproducible evidence trails.
  • Partner with Legal/DPO on DPDP compliance; run DPIAs for high-risk use cases (e.g., video analytics).


5) Incident Response, Forensics & Evidence (OT)


  • Co-author playbooks for OT incidents (unsafe states, controller compromise, rogue remote access, camera/ACS tampering).
  • Lead technical triage: log and packet capture, timeline reconstruction, volatile artefacts (where safe), system imaging via approved methods.
  • Preserve chain-of-custody; produce court-defensible artefact packs for the Lead Brand Protection & Investigations.


6) Compliance & Audit Readiness


  • Align and evidence controls to IEC 62443, NIST SP 800-82, ISO 27001/27019, ISO 22301; support PCI where applicable.
  • Run control testing (walkthroughs, sample tests, tech validations) and close findings with Engineering/IT/vendors.


7) Vendor, Project & Change Risk


  • Security review of new plant and retrofits, RFPs/SOWs, and Factory/Site Acceptance Tests; insist on logging, remote access controls, and updatable components.
  • Gate change management (pre-/post-change checks, backout plans) with Engineering and ISSOC.


8) Training, Documentation & Reporting


  • Create SOPs, network drawings, data-flow diagrams, and playcards for property teams.
  • Train Engineering/ISSOC L1 on safe triage and escalation; run table-tops per cluster.
  • Publish monthly risk dashboards (coverage, findings, remediation velocity, incident learnings).


Required Skills & Competencies


Technical


  • OT/ICS security: zone/conduit design, protocol awareness (BACnet/Modbus/OPC/etc.), remote access patterns, safe patching, backup/restore.
  • Threat detection: SIEM content, OT IDS/NDR tuning, anomaly baselining, use-case engineering and false-positive hygiene.
  • Networking & identity: VLANs, routing, firewall rules, NAT, VPN, NAC; service accounts, PAM, SSO patterns for plant networks.
  • Data governance: classification, retention, masking/tokenisation, lineage, and evidence logging.
  • Forensics fundamentals: safe acquisition in OT, log/pcap analysis, timeline building, integrity verification (hashing), chain-of-custody.
  • Standards & policy: IEC 62443, NIST 800-82, ISO 27001/27019, ISO 22301; basic PCI, DPDP principles.


Behavioural


  • Clear, structured documentation; crisp incident communication under pressure.
  • Ability to work shoulder-to-shoulder with Engineering/Facilities and vendors; pragmatic and safety-first.
  • High integrity and discretion; comfortable coordinating with Legal/IA/External agencies when required.


Tools & Platforms (indicative; equivalents welcome)


  • OT visibility/IDS/NDR: Nozomi, Claroty, Armis (or similar).
  • SIEM/SOAR: Microsoft Sentinel, Splunk, QRadar; case mgmt in FlexiCore.
  • Firewalls/NAC/VPN: Fortinet/Palo Alto/Cisco; Cisco ISE/Aruba ClearPass.
  • Forensics & logs: Sysmon/Windows Eventing, Zeek/tcpdump/Wireshark; Magnet/FTK/X-Ways for selective host work; secure evidence vault.
  • Data stack: Data catalog/lineage tools, DLP, secrets management (e.g., Key Vault/Vault).


KPIs & Success Measures (quarterly)


  • Coverage: 95% of critical OT assets identified, with baseline and zone mapping.
  • Segmentation health: 90% of OT segments pass access-path tests; no direct internet egress.
  • Detection quality: false-positive rate of 15% on the top 10 OT use-cases after tuning; P1 MTTD of 10 minutes in monitored zones.
  • Patch/compensating control SLA: 90% of critical items addressed within agreed maintenance windows.
  • Data governance: 100% of new feeds into FlexiCore have an approved data contract, classification, retention, and DPIA (where required).
  • IR & evidence: 100% chain-of-custody compliance in OT incidents; tabletop exercises 1 per cluster per half-year; corrective actions closed within SLA.
