
Lead – OT/ICS Security & Data Risk

Job in 400001, Mumbai, Maharashtra, India
Listing for: Seven N Half
Full Time position
Listed on 2026-02-14
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer

Location: Mumbai (Corporate HQ)

Function: BPSS&R — Brand Protection, Security, Safety & Resilience

Reports to: Head Automation and Technology

Experience: 8–10 years in cybersecurity, OT/ICS security, or risk management (multi-site enterprise preferred)

Education: Bachelor’s/Master’s in Computer Science, Engineering, Cybersecurity or equivalent

Certifications (preferred): CISSP, CISM, GIAC (GICSP/GRID/GCIA/GSEC), ISO/IEC 27001 LA/LI, ISA/IEC 62443, CEH; privacy (DSCI DCPP/IAPP) is a plus

Languages: English; Hindi. Good articulation is a plus

Compensation: Market-aligned (fixed + performance variable)

Role Purpose

Own risk analysis and control assurance at the intersection of data and OT/ICS for IHCL’s hotels and facilities. Provide measurable reduction in cyber, safety, and brand risks by hardening BMS, FAS, elevators, DGs, water systems, ACS, VMS/CCTV, door-locks, and adjacent data flows; and by enforcing sound data governance in Flexi Core and connected systems. Act as the technical right-hand to Lead – Brand Protection & Investigations for OT incidents, fraud-adjacent signals, and evidence quality.

Scope

- Properties, corporate offices, and critical plant/BoH areas.
- OT/ICS: BMS/FAS, HVAC/AHU, elevators, power/gensets, water treatment, metering, access control/door-locks, VMS/CCTV.
- Data risk across Flexi Core and integrations (PMS/POS/HRMS/Finance/ACS/VMS/IoT).

Key Responsibilities

1) Risk Assessment & Architecture Assurance

- Build and maintain the OT asset inventory (make/model/firmware/network zone/criticality).
- Perform risk assessments (threat modelling, zone & conduit reviews, segmentation checks, remote access hygiene, vendor pathways).
- Define and validate network reference architecture (levels/zones; firewalls; jump-hosts; one-way gateways where needed).

2) Monitoring, Detection & Anomaly Analysis

- Integrate OT telemetry with ISSOC/Flexi Core; baseline normal behaviour and tune detections (protocol anomalies, policy violations, unsafe states).
- Correlate SIEM/SOAR alerts with physical events (e.g., door-force + after-hours movement + card misuse).
- Operate or advise on passive discovery (e.g., Nozomi/Claroty/Armis-type tools or equivalents) and NDR/IDS in OT segments.

3) Control Design & Implementation (OT)

- Drive segmentation and least privilege for PLCs/controllers, HMIs, servers, and management stations.
- Establish secure remote maintenance patterns (brokered access, MFA, session recording).
- Design patch/compensating control regimes aligned to maintenance windows; track firmware/config drift; validate backups and restore tests.
- Implement hardening baselines (password vaulting, disable default services, logging levels, time sync, tamper controls).

4) Data Risk Governance (with Flexi Core)

- Classify data (PII/PCI/operational) and enforce data minimisation, masking/tokenisation, retention and access controls (RBAC/ABAC).
- Define data contracts for feeds into Flexi Core; ensure schema versioning, lineage, and reproducible evidence trails.
- Partner with Legal/DPO on DPDP compliance; run DPIAs for high-risk use cases (e.g., video analytics).

5) Incident Response, Forensics & Evidence (OT)

- Co-author playbooks for OT incidents (unsafe states, controller compromise, rogue remote access, camera/ACS tampering).
- Lead technical triage: log and packet capture, timeline reconstruction, volatile artefacts (where safe), system imaging via approved methods.
- Preserve chain-of-custody; produce court-defensible artefact packs for the Lead – Brand Protection & Investigations.

6) Compliance & Audit Readiness

- Align and evidence controls to IEC 62443, NIST SP 800-82, ISO 27001/27019, ISO 22301; support PCI where applicable.
- Run control testing (walkthroughs, sample tests, tech validations) and close findings with Engineering/IT/vendors.

7) Vendor, Project & Change Risk

- Security review of new plant and retrofits, RFPs/SOWs, and Factory/Site Acceptance Tests; insist on logging, remote access controls, and updatable components.
- Gate change management (pre-/post-change checks, backout plans) with Engineering and ISSOC.

8) Training, Documentation & Reporting

- Create SOPs, network…