Job Title


Lead – OT/ICS Security & Data Risk


Company : Seven N Half


Location : Mumbai, Maharashtra


Created : 2026-02-23


Job Type : Full Time


Job Description

Location: Mumbai (Corporate HQ)
Function: BPSS&R — Brand Protection, Security, Safety & Resilience
Reports to: Head Automation and Technology
Experience: 8–10 years in cybersecurity, OT/ICS security, or risk management (multi-site enterprise preferred)
Education: Bachelor's/Master's in Computer Science, Engineering, Cybersecurity or equivalent
Certifications (preferred): CISSP, CISM, GIAC (GICSP/GRID/GCIA/GSEC), ISO/IEC 27001 LA/LI, ISA/IEC 62443, CEH; privacy (DSCI DCPP/IAPP) is a plus
Languages: English; Hindi. Good articulation is a plus
Compensation: Market-aligned (fixed + performance variable)

Role Purpose

Own risk analysis and control assurance at the intersection of data and OT/ICS for IHCL's hotels and facilities. Provide measurable reduction in cyber, safety, and brand risks by hardening BMS, FAS, elevators, DGs, water systems, ACS, VMS/CCTV, door-locks, and adjacent data flows; and by enforcing sound data governance in FlexiCore and connected systems. Act as the technical right-hand to Lead – Brand Protection & Investigations for OT incidents, fraud-adjacent signals, and evidence quality.

Scope

- Properties, corporate offices, and critical plant/BoH areas.
- OT/ICS: BMS/FAS, HVAC/AHU, elevators, power/gensets, water treatment, metering, access control/door-locks, VMS/CCTV.
- Data risk across FlexiCore and integrations (PMS/POS/HRMS/Finance/ACS/VMS/IoT).

Key Responsibilities

1) Risk Assessment & Architecture Assurance
- Build and maintain the OT asset inventory (make/model/firmware/network zone/criticality).
- Perform risk assessments (threat modelling, zone & conduit reviews, segmentation checks, remote access hygiene, vendor pathways).
- Define and validate network reference architecture (levels/zones; firewalls; jump-hosts; one-way gateways where needed).

2) Monitoring, Detection & Anomaly Analysis
- Integrate OT telemetry with ISSOC/FlexiCore; baseline normal behaviour and tune detections (protocol anomalies, policy violations, unsafe states).
- Correlate SIEM/SOAR alerts with physical events (e.g., door-force + after-hours movement + card misuse).
- Operate or advise on passive discovery (e.g., Nozomi/Claroty/Armis-type tools or equivalents) and NDR/IDS in OT segments.

3) Control Design & Implementation (OT)
- Drive segmentation and least privilege for PLCs/controllers, HMIs, servers, and management stations.
- Establish secure remote maintenance patterns (brokered access, MFA, session recording).
- Design patch/compensating control regimes aligned to maintenance windows; track firmware/config drift; validate backups and restore tests.
- Implement hardening baselines (password vaulting, disable default services, logging levels, time sync, tamper controls).

4) Data Risk Governance (with FlexiCore)
- Classify data (PII/PCI/operational) and enforce data minimisation, masking/tokenisation, retention and access controls (RBAC/ABAC).
- Define data contracts for feeds into FlexiCore; ensure schema versioning, lineage, and reproducible evidence trails.
- Partner with Legal/DPO on DPDP compliance; run DPIAs for high-risk use cases (e.g., video analytics).

5) Incident Response, Forensics & Evidence (OT)
- Co-author playbooks for OT incidents (unsafe states, controller compromise, rogue remote access, camera/ACS tampering).
- Lead technical triage: log and packet capture, time-line reconstruction, volatile artefacts (where safe), system imaging via approved methods.
- Preserve chain-of-custody; produce court-defensible artefact packs for the Lead – Brand Protection & Investigations.

6) Compliance & Audit Readiness
- Align and evidence controls to IEC 62443, NIST SP 800-82, ISO 27001/27019, ISO 22301; support PCI where applicable.
- Run control testing (walkthroughs, sample tests, tech validations) and close findings with Engineering/IT/vendors.

7) Vendor, Project & Change Risk
- Security review of new plant and retrofits, RFPs/SOWs, and Factory/Site Acceptance Tests; insist on logging, remote access controls, and updatable components.
- Gate change management (pre-/post-change checks, backout plans) with Engineering and ISSOC.

8) Training, Documentation & Reporting
- Create SOPs, network drawings, data-flow diagrams, and playcards for property teams.
- Train Engineering/ISSOC L1 on safe triage and escalation; run table-tops per cluster.
- Publish monthly risk dashboards (coverage, findings, remediation velocity, incident learnings).

Required Skills & Competencies

Technical
- OT/ICS security: zone/conduit design, protocol awareness (BACnet/Modbus/OPC/etc.), remote access patterns, safe patching, backup/restore.
- Threat detection: SIEM content, OT IDS/NDR tuning, anomaly baselining, use-case engineering and false-positive hygiene.
- Networking & identity: VLANs, routing, firewall rules, NAT, VPN, NAC; service accounts, PAM, SSO patterns for plant networks.
- Data governance: classification, retention, masking/tokenisation, lineage, and evidence logging.
- Forensics fundamentals: safe acquisition in OT, log/pcap analysis, time-line building, integrity verification (hashing), chain-of-custody.
- Standards & policy: IEC 62443, NIST 800-82, ISO 27001/27019, ISO 22301; basic PCI, DPDP principles.

Behavioural
- Clear, structured documentation; crisp incident communication under pressure.
- Ability to work shoulder-to-shoulder with Engineering/Facilities and vendors; pragmatic and safety-first.
- High integrity and discretion; comfortable coordinating with Legal/IA/External agencies when required.

Tools & Platforms (indicative; equivalents welcome)
- OT visibility/IDS/NDR: Nozomi, Claroty, Armis (or similar).
- SIEM/SOAR: Microsoft Sentinel, Splunk, QRadar; case mgmt in FlexiCore.
- Firewalls/NAC/VPN: Fortinet/Palo Alto/Cisco; Cisco ISE/Aruba ClearPass.
- Forensics & logs: Sysmon/Windows Eventing, Zeek/tcpdump/Wireshark; Magnet/FTK/X-Ways for selective host work; secure evidence vault.
- Data stack: Data catalog/lineage tools, DLP, secrets management (e.g., Key Vault/Vault).

KPIs & Success Measures (quarterly)
- Coverage: ≥ 95% critical OT assets identified with baseline and zone mapping.
- Segmentation health: ≥ 90% of OT segments pass access-path tests; no direct internet egress.
- Detection quality: False positive rate on top 10 OT use-cases ≤ 15% after tuning; P1 MTTD ≤ 10 minutes in monitored zones.
- Patch/compensating control SLA: ≥ 90% critical items addressed within agreed maintenance windows.
- Data governance: 100% of new feeds into FlexiCore with approved data contract, classification, retention, and DPIA (where required).
- IR & evidence: 100% chain-of-custody compliance in OT incidents; tabletop exercises ≥ 1 per cluster per half-year; corrective actions closed within SLA.