
Job Title


Lead – OT/ICS Security & Data Risk


Company : Seven N Half


Location : Mumbai, Maharashtra


Created : 2026-02-02


Job Type : Full Time


Job Description

Lead – OT/ICS Security & Data Risk

Location: Mumbai (Corporate HQ)
Function: BPSS&R — Brand Protection, Security, Safety & Resilience
Reports to: Head Automation and Technology
Experience: 8–10 years in cybersecurity, OT/ICS security, or risk management (multi-site enterprise preferred)
Education: Bachelor’s/Master’s in Computer Science, Engineering, Cybersecurity or equivalent
Certifications (preferred): CISSP, CISM, GIAC (GICSP/GRID/GCIA/GSEC), ISO/IEC 27001 LA/LI, ISA/IEC 62443, CEH; privacy (DSCI DCPP/IAPP) is a plus
Languages: English; Hindi. Good articulation is a plus
Compensation: Market-aligned (fixed + performance variable)

Role Purpose
Own risk analysis and control assurance at the intersection of data and OT/ICS for IHCL’s hotels and facilities. Provide measurable reduction in cyber, safety, and brand risks by hardening BMS, FAS, elevators, DGs, water systems, ACS, VMS/CCTV, door-locks, and adjacent data flows, and by enforcing sound data governance in FlexiCore and connected systems. Act as the technical right hand to the Lead – Brand Protection & Investigations for OT incidents, fraud-adjacent signals, and evidence quality.

Scope
- Properties, corporate offices, and critical plant/BoH areas.
- OT/ICS: BMS/FAS, HVAC/AHU, elevators, power/gensets, water treatment, metering, access control/door-locks, VMS/CCTV.
- Data risk across FlexiCore and integrations (PMS/POS/HRMS/Finance/ACS/VMS/IoT).

Key Responsibilities

1) Risk Assessment & Architecture Assurance
- Build and maintain the OT asset inventory (make/model/firmware/network zone/criticality).
- Perform risk assessments (threat modelling, zone and conduit reviews, segmentation checks, remote access hygiene, vendor pathways).
- Define and validate the network reference architecture (levels/zones; firewalls; jump hosts; one-way gateways where needed).

2) Monitoring, Detection & Anomaly Analysis
- Integrate OT telemetry with ISSOC/FlexiCore; baseline normal behaviour and tune detections (protocol anomalies, policy violations, unsafe states).
- Correlate SIEM/SOAR alerts with physical events (e.g., door-force + after-hours movement + card misuse).
- Operate or advise on passive discovery (e.g., Nozomi/Claroty/Armis-type tools or equivalents) and NDR/IDS in OT segments.

3) Control Design & Implementation (OT)
- Drive segmentation and least privilege for PLCs/controllers, HMIs, servers, and management stations.
- Establish secure remote maintenance patterns (brokered access, MFA, session recording).
- Design patch/compensating control regimes aligned to maintenance windows; track firmware/config drift; validate backups and restore tests.
- Implement hardening baselines (password vaulting, disabling default services, logging levels, time sync, tamper controls).

4) Data Risk Governance (with FlexiCore)
- Classify data (PII/PCI/operational) and enforce data minimisation, masking/tokenisation, retention, and access controls (RBAC/ABAC).
- Define data contracts for feeds into FlexiCore; ensure schema versioning, lineage, and reproducible evidence trails.
- Partner with Legal/DPO on DPDP compliance; run DPIAs for high-risk use cases (e.g., video analytics).

5) Incident Response, Forensics & Evidence (OT)
- Co-author playbooks for OT incidents (unsafe states, controller compromise, rogue remote access, camera/ACS tampering).
- Lead technical triage: log and packet capture, timeline reconstruction, volatile artefacts (where safe), system imaging via approved methods.
- Preserve chain of custody; produce court-defensible artefact packs for the Lead – Brand Protection & Investigations.

6) Compliance & Audit Readiness
- Align and evidence controls to IEC 62443, NIST SP 800-82, ISO 27001/27019, ISO 22301; support PCI where applicable.
- Run control testing (walkthroughs, sample tests, technical validations) and close findings with Engineering/IT/vendors.

7) Vendor, Project & Change Risk
- Security review of new plant and retrofits, RFPs/SOWs, and Factory/Site Acceptance Tests; insist on logging, remote access controls, and updatable components.
- Gate change management (pre-/post-change checks, backout plans) with Engineering and ISSOC.

8) Training, Documentation & Reporting
- Create SOPs, network drawings, data-flow diagrams, and playcards for property teams.
- Train Engineering/ISSOC L1 on safe triage and escalation; run tabletop exercises per cluster.
- Publish monthly risk dashboards (coverage, findings, remediation velocity, incident learnings).

Required Skills & Competencies

Technical
- OT/ICS security: zone/conduit design, protocol awareness (BACnet/Modbus/OPC/etc.), remote access patterns, safe patching, backup/restore.
- Threat detection: SIEM content, OT IDS/NDR tuning, anomaly baselining, use-case engineering, and false-positive hygiene.
- Networking and identity: VLANs, routing, firewall rules, NAT, VPN, NAC; service accounts, PAM, SSO patterns for plant networks.
- Data governance: classification, retention, masking/tokenisation, lineage, and evidence logging.
- Forensics fundamentals: safe acquisition in OT, log/pcap analysis, timeline building, integrity verification (hashing), chain of custody.
- Standards and policy: IEC 62443, NIST 800-82, ISO 27001/27019, ISO 22301; basic PCI, DPDP principles.

Behavioural
- Clear, structured documentation; crisp incident communication under pressure.
- Ability to work shoulder-to-shoulder with Engineering/Facilities and vendors; pragmatic and safety-first.
- High integrity and discretion; comfortable coordinating with Legal/IA/external agencies when required.

Tools & Platforms (indicative; equivalents welcome)
- OT visibility/IDS/NDR: Nozomi, Claroty, Armis (or similar).
- SIEM/SOAR: Microsoft Sentinel, Splunk, QRadar; case management in FlexiCore.
- Firewalls/NAC/VPN: Fortinet/Palo Alto/Cisco; Cisco ISE/Aruba ClearPass.
- Forensics and logs: Sysmon/Windows Eventing, Zeek/tcpdump/Wireshark; Magnet/FTK/X-Ways for selective host work; secure evidence vault.
- Data stack: data catalog/lineage tools, DLP, secrets management (e.g., Key Vault/Vault).

KPIs & Success Measures (quarterly)
- Coverage: ≥ 95% of critical OT assets identified with baseline and zone mapping.
- Segmentation health: ≥ 90% of OT segments pass access-path tests; no direct internet egress.
- Detection quality: false positive rate on the top 10 OT use cases ≤ 15% after tuning; P1 MTTD ≤ 10 minutes in monitored zones.
- Patch/compensating control SLA: ≥ 90% of critical items addressed within agreed maintenance windows.
- Data governance: 100% of new feeds into FlexiCore with approved data contract, classification, retention, and DPIA (where required).
- IR and evidence: 100% chain-of-custody compliance in OT incidents; tabletop exercises ≥ 1 per cluster per half-year; corrective actions closed within SLA.