On 28 April 2025, the entire Iberian Peninsula went dark. A cascading failure originating from a cyber-physical attack on the Spain-Portugal power grid left over 60 million people without electricity for more than 12 hours. The estimated economic damage exceeded EUR 1.5 billion. It was the most significant cyber-enabled infrastructure disruption in European history -- and a stark warning for every nation with connected critical infrastructure.
India cannot afford to ignore this warning. Indian refineries faced 3.6 million attempted cyber intrusions in 2024. GPS spoofing attacks targeted 8 major Indian airports. The Central Electricity Authority's new cyber security regulations, effective April 2026, mandate comprehensive cybersecurity training for all personnel with access to OT systems. The message is clear: the convergence of IT and OT networks has created a new class of risk that traditional IT security approaches cannot address.
This article examines the OT threat landscape facing Indian critical infrastructure, explains the unique challenges of securing industrial control systems, and presents a training methodology that uses digital twin cyber ranges to build OT-specific cybersecurity capability without risking production systems.
The OT Threat Landscape: Real Incidents, Real Consequences
OT/ICS cyber attacks are no longer theoretical. The following incidents demonstrate the severity and variety of threats facing industrial control systems worldwide, including in India.
| Incident | Detail | Impact |
|---|---|---|
| Indian Refinery Attacks (2024) | 3.6 million attempted intrusions recorded against Indian oil and gas refineries in a single year. Adversaries targeted both IT and OT networks, exploiting IT-OT convergence points. | Operational disruption, safety system compromise risk, data exfiltration |
| Spain-Portugal Power Grid Blackout (2025) | A cascading failure originating from a cyber-physical attack left the entire Iberian Peninsula without power for over 12 hours. Investigation revealed exploitation of SCADA systems controlling grid interconnects. | 60+ million people affected, estimated economic damage of EUR 1.5 billion |
| Indian Airport GPS Spoofing (2024-2025) | GPS spoofing attacks targeting 8 major Indian airports caused navigation system anomalies affecting aircraft approach procedures. Attacks exploited the convergence of IT-based flight management systems with RF navigation infrastructure. | Flight diversions, pilot safety concerns, ATC disruption |
| Colonial Pipeline (2021) | Ransomware attack on IT systems forced shutdown of the largest fuel pipeline in the United States. Despite OT systems not being directly compromised, the inability to bill for delivered fuel led to a precautionary OT shutdown. | 5,500 miles of pipeline shut down, fuel shortages across the US East Coast |
| Ukraine Power Grid Attacks (2015-2016) | Nation-state adversaries used Industroyer/CrashOverride malware to directly manipulate ICS equipment at Ukrainian power distribution companies, causing widespread power outages. | 230,000+ customers without power, demonstrated ICS-specific malware capability |
IT-OT Convergence: Why Traditional IT Security Falls Short
The greatest risk to Indian critical infrastructure comes not from isolated OT attacks but from the convergence of IT and OT networks. As organisations connect previously air-gapped industrial systems to corporate networks for efficiency, monitoring, and data analytics, they create attack paths that bridge the IT-OT boundary.
Traditional IT security professionals are not equipped to handle OT environments. The differences are fundamental: OT systems prioritise availability over confidentiality, many run legacy operating systems that cannot be patched, safety systems must never be disrupted, and standard IT security tools (vulnerability scanners, EDR agents) can crash sensitive industrial controllers.
IT Security Assumptions
- Confidentiality is paramount
- Systems can be rebooted
- Patches applied regularly
- Endpoint agents deployed everywhere
- Incident response: isolate and investigate
OT Security Realities
- Availability is paramount (lives at stake)
- Rebooting may cause physical damage
- Many systems cannot be patched
- Agents may crash controllers
- Response: maintain safety, then investigate
10 ICS Protocols Every OT Security Professional Must Understand
Industrial control systems communicate using specialised protocols that are fundamentally different from standard IT protocols. Understanding these protocols -- their capabilities, limitations, and security weaknesses -- is essential for anyone defending OT environments.
| Protocol | Common Usage | Security Posture |
|---|---|---|
| Modbus TCP/RTU | PLCs, RTUs, sensors | No authentication or encryption. Widely deployed in Indian power and manufacturing. |
| DNP3 | Power grid, water systems | Secure authentication available (SA v5) but rarely implemented. Critical for SCADA systems. |
| OPC UA | Industrial automation, MES | Built-in security model with certificates. Increasingly adopted for IT-OT integration. |
| IEC 61850 | Power substation automation | MMS-based communication. Security depends on GOOSE/SV message authentication. |
| IEC 60870-5-104 | Power grid telecontrol | No built-in security. Widely used in Indian power transmission and distribution. |
| BACnet | Building automation, HVAC | Minimal security in most deployments. Common in smart building and data centre environments. |
| PROFINET | Manufacturing, process control | Security extensions available but not widely deployed. Siemens ecosystem dominant. |
| EtherNet/IP | Manufacturing, packaging | CIP Security available for newer devices. Allen-Bradley/Rockwell ecosystem. |
| HART/WirelessHART | Process instrumentation | WirelessHART has AES-128 encryption. Wired HART has no security. |
| S7comm/S7comm+ | Siemens PLCs | S7comm has no authentication. S7comm+ adds TLS. Target of Stuxnet. |
The Digital Twin Approach to OT Security Training
You cannot practise OT security on production systems. A misconfigured firewall rule in an IT network causes a service outage. A misconfigured firewall rule in an OT network can cause a turbine to overspeed, a reactor to overheat, or a pipeline to overpressurise. The consequences are not just financial -- they are physical and potentially fatal.
Digital twin cyber ranges solve this problem by creating virtualised replicas of OT environments that behave identically to their physical counterparts. These digital twins include emulated PLCs, SCADA HMIs, engineering workstations, historian servers, and the industrial protocols that connect them -- all running in isolated virtual environments where trainees can make mistakes safely.
Training outcome: Organisations using digital twin cyber ranges for OT security training report a 52% improvement in OT-specific mean time to detect (MTTD) threats within the first year. This improvement is driven by trainees gaining hands-on experience with industrial protocol analysis, OT-specific attack patterns, and safe response procedures that cannot be practised on production systems.
Indian Regulatory Framework for OT Cybersecurity
The regulatory landscape for OT cybersecurity in India is rapidly evolving. Four major frameworks now govern cybersecurity obligations for critical infrastructure operators.
NCIIPC Mandate
The National Critical Information Infrastructure Protection Centre designates power, oil and gas, banking, telecom, transport, government, and strategic sectors as critical. Regular cybersecurity exercises and drills are mandated for all CII operators.
CEA Cyber Security Regulations (April 2026)
The Central Electricity Authority has issued comprehensive cyber security regulations for the power sector, effective April 2026. These mandate cyber security training for all personnel with access to OT systems, regular vulnerability assessments, incident response plans, and sector-specific exercises.
IEC 62443 (Industrial Automation and Control Systems Security)
The international standard for IACS security provides a comprehensive framework for securing industrial control systems. Increasingly referenced by Indian regulators and adopted by major Indian industrial organisations as the baseline security standard.
CERT-In Directives for Critical Infrastructure
CERT-In mandates 6-hour incident reporting for all organisations, with enhanced requirements for critical infrastructure operators. OT incidents must be reported with specific technical details including affected systems, protocols, and potential safety implications.
OT Security Training Methodology
Effective OT security training requires a different approach than IT security training. The methodology must account for the unique constraints of industrial environments: safety-first response, protocol-specific analysis, and cross-domain (IT and OT) investigation capabilities.
Phase 1: ICS Fundamentals (2 weeks)
Understanding industrial control system architecture, Purdue Model, ICS protocols (Modbus, DNP3, OPC UA), PLC operation, SCADA systems, and the critical differences between IT and OT security. Hands-on labs with protocol analysis tools.
Phase 2: OT Threat Analysis (2 weeks)
MITRE ATT&CK for ICS technique study. Analysis of real-world OT incidents (Stuxnet, Industroyer, TRITON). OT-specific threat hunting using industrial protocol deep packet inspection. Identifying anomalies in Modbus, DNP3, and OPC UA traffic.
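The protocol table earlier on this page notes that Modbus carries no authentication, and this phase asks trainees to find anomalies in Modbus traffic. Both come down to the same passive-monitoring task: parse each Modbus/TCP frame, separate state-changing function codes from reads, and compare the source of every write against the short list of hosts that are supposed to issue them. The example below is added here and is not code from the article or from any cyber range product; the IP addresses, the authorised-writer baseline and the captured frames are constructed assumptions, and the severities are an illustrative scheme rather than a standard.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes grouped by their effect on the controller.
WRITE_FUNCTIONS: Dict[int, str] = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS: Dict[int, str] = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
DIAGNOSTIC_FUNCTIONS: Dict[int, str] = {
    8: "Diagnostics", 43: "Encapsulated Interface Transport",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, so it must equal len(payload) - 6.
    Returns None for anything that is not a well-formed Modbus/TCP frame.
    """
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(transaction_id, unit_id, payload[7], payload[8:])


def classify_request(req: ModbusRequest, src_ip: str, dst_ip: str,
                     authorised_writers: Set[str]) -> Tuple[str, str]:
    """Rate one request against a baseline: only hosts in authorised_writers may
    change controller state. Modbus carries no credentials, so the source
    address is the only attribute a monitor can check a write against."""
    fc = req.function_code
    target = f"{dst_ip} unit {req.unit_id}"
    if fc in WRITE_FUNCTIONS:
        if src_ip not in authorised_writers:
            return "HIGH", f"{WRITE_FUNCTIONS[fc]} (fc {fc}) from unauthorised host {src_ip} to {target}"
        return "INFO", f"{WRITE_FUNCTIONS[fc]} (fc {fc}) from authorised host {src_ip} to {target}"
    if fc in DIAGNOSTIC_FUNCTIONS:
        # Diagnostic sub-functions can alter a controller's communication state and
        # are rare in steady-state traffic, so every one deserves a look.
        return "MEDIUM", f"{DIAGNOSTIC_FUNCTIONS[fc]} (fc {fc}) from {src_ip} to {target}"
    if fc in READ_FUNCTIONS:
        return "INFO", f"{READ_FUNCTIONS[fc]} (fc {fc}) from {src_ip} to {target}"
    if fc >= 0x80:
        return "LOW", f"exception response (fc {fc}) from {src_ip} to {target}"
    return "MEDIUM", f"unexpected function code {fc} from {src_ip} to {target}"


def analyse_capture(records: List[Tuple[str, str, bytes]],
                    authorised_writers: Set[str]) -> List[Tuple[str, str]]:
    """Run (src_ip, dst_ip, tcp_payload) records through parser and classifier.
    Malformed frames produce their own finding instead of being silently dropped."""
    findings: List[Tuple[str, str]] = []
    for src_ip, dst_ip, payload in records:
        req = parse_modbus_tcp(payload)
        if req is None:
            findings.append(("MEDIUM", f"malformed Modbus/TCP frame from {src_ip} to {dst_ip}"))
            continue
        findings.append(classify_request(req, src_ip, dst_ip, authorised_writers))
    return findings


# Constructed sample capture, not real traffic. HMI 10.20.1.10 is the only host
# expected to write to PLC 10.20.2.50; 10.20.1.77 stands in for a corporate
# workstation that has reached the control network across the IT-OT boundary.
AUTHORISED_WRITERS: Set[str] = {"10.20.1.10"}
SAMPLE_CAPTURE: List[Tuple[str, str, bytes]] = [
    ("10.20.1.10", "10.20.2.50", bytes.fromhex("00010000000601030000000A")),  # read 10 holding registers
    ("10.20.1.10", "10.20.2.50", bytes.fromhex("0002000000060106001000FF")),  # write register 0x10 := 0xFF
    ("10.20.1.77", "10.20.2.50", bytes.fromhex("00030000000601050001FF00")),  # write coil 1 ON, wrong host
    ("10.20.1.77", "10.20.2.50", bytes.fromhex("000400000006010800001234")),  # diagnostics, sub-function 0
    ("10.20.1.77", "10.20.2.50", bytes.fromhex("000500010006010300000001")),  # protocol id 1: malformed
]

if __name__ == "__main__":
    for severity, message in analyse_capture(SAMPLE_CAPTURE, AUTHORISED_WRITERS):
        print(f"[{severity:6}] {message}")
```

The design choice worth noticing is that reads and writes are rated differently: a read from an unexpected host is reconnaissance worth logging, but a write from an unexpected host is a controller state change and goes straight to the top of the queue, which is exactly the distinction a trainee learns to make when hunting in Modbus traffic on a digital twin.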
Phase 3: Defence and Response (2 weeks)
Network segmentation and monitoring for OT environments. Industrial firewall and data diode configuration. OT-specific incident response procedures (safety-first methodology). Integration with IT SOC for unified visibility.
Phase 4: Digital Twin Live-Fire Exercise (1 week)
Full-scale exercise on digital twin environment replicating a power substation, water treatment plant, or manufacturing facility. Teams defend against progressive attacks from initial IT compromise through lateral movement to OT impact. Timed response with safety constraints.
IEC 62443: The Gold Standard for OT Security
IEC 62443 provides the most comprehensive framework for securing industrial automation and control systems. It defines security levels (SL 1 through SL 4), zones and conduits for network segmentation, and requirements for system integrators, asset owners, and component suppliers.
Cyber range exercises aligned to IEC 62443 provide practical training on implementing the standard's requirements: defining zones and conduits, configuring security levels, implementing access control, monitoring network traffic across zone boundaries, and responding to incidents that cross zone boundaries.
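Zones and conduits become much clearer once they are written down as a policy that can be checked against observed flows: every zone carries a target security level, every permitted cross-zone path is a conduit restricted to named protocols, and everything else is denied by default. The example below is added here and is not code from the article, from the IEC 62443 standard or from any cyber range product; the sample plant (zone names, subnets, SL-T values, conduit protocols) is constructed, and the "no direct enterprise-to-control conduit" lint rule is a common design rule stated as an assumption of this example rather than a clause of the standard.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    """An IEC 62443 zone: a group of assets sharing one target security level."""
    name: str
    purdue_level: float            # 4 = enterprise, 3.5 = IDMZ, 2 = supervisory, 1 = control
    target_sl: int                 # SL-T, 1 through 4
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class Conduit:
    """The only sanctioned path between two zones, limited to the listed
    protocols in the src -> dst direction. Anything not on a conduit is denied."""
    src: str
    dst: str
    protocols: FrozenSet[str]


class ZoneModel:
    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.conduits: List[Conduit] = []

    def add_zone(self, name: str, purdue_level: float, target_sl: int, cidr: str) -> None:
        if not 1 <= target_sl <= 4:
            raise ValueError("IEC 62443 defines security levels SL 1 through SL 4")
        self.zones[name] = Zone(name, purdue_level, target_sl, ipaddress.ip_network(cidr))

    def add_conduit(self, src: str, dst: str, protocols: List[str]) -> None:
        for name in (src, dst):
            if name not in self.zones:
                raise KeyError(f"conduit references undefined zone {name!r}")
        self.conduits.append(Conduit(src, dst, frozenset(p.lower() for p in protocols)))

    def zone_of(self, ip: str) -> Optional[Zone]:
        addr = ipaddress.ip_address(ip)
        return next((z for z in self.zones.values() if addr in z.subnet), None)

    def evaluate_flow(self, src_ip: str, dst_ip: str, protocol: str) -> Tuple[bool, str]:
        """Default-deny check of one observed flow against the zone/conduit model."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return False, f"{src_ip} -> {dst_ip}: endpoint outside every defined zone"
        if src.name == dst.name:
            return True, f"intra-zone traffic inside {src.name} (SL {src.target_sl})"
        proto = protocol.lower()
        for c in self.conduits:
            if c.src == src.name and c.dst == dst.name and proto in c.protocols:
                return True, f"permitted by conduit {src.name} -> {dst.name} ({proto})"
        reason = f"no conduit allows {proto} from {src.name} to {dst.name}"
        if dst.target_sl > src.target_sl:
            reason += f"; flow would enter a higher security level zone (SL {src.target_sl} -> SL {dst.target_sl})"
        return False, reason

    def lint_conduits(self) -> List[str]:
        """Design-rule check, an assumption of this example rather than text from the
        standard: a conduit joining an enterprise-level zone (Purdue 4 or above)
        directly to a control-level zone (Purdue 2 or below) bypasses the IDMZ."""
        problems: List[str] = []
        for c in self.conduits:
            levels = (self.zones[c.src].purdue_level, self.zones[c.dst].purdue_level)
            if max(levels) >= 4 and min(levels) <= 2:
                problems.append(f"conduit {c.src} -> {c.dst} bypasses the IDMZ")
        return problems


def build_sample_model() -> ZoneModel:
    """Constructed sample plant, not a real network: addresses, zone names and
    SL-T values are all assumptions for this illustration."""
    m = ZoneModel()
    m.add_zone("Enterprise", 4, 1, "10.0.0.0/16")
    m.add_zone("IDMZ", 3.5, 2, "10.10.0.0/24")
    m.add_zone("Supervisory", 2, 3, "10.20.1.0/24")    # SCADA servers and HMIs
    m.add_zone("Control", 1, 3, "10.20.2.0/24")        # PLCs and RTUs
    m.add_conduit("Enterprise", "IDMZ", ["https"])     # users read the historian replica
    m.add_conduit("Supervisory", "IDMZ", ["opcua"])    # historian data pushed outward
    m.add_conduit("Supervisory", "Control", ["modbus", "s7comm"])
    m.add_conduit("Enterprise", "Control", ["rdp"])    # misconfiguration left in for the linter
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for flow in [("10.20.1.10", "10.20.2.50", "modbus"),
                 ("10.0.5.23", "10.20.2.50", "modbus"),
                 ("10.0.5.23", "10.10.0.5", "https")]:
        allowed, why = model.evaluate_flow(*flow)
        print("ALLOW" if allowed else "DENY ", why)
    for problem in model.lint_conduits():
        print("LINT ", problem)
```

In a cyber range exercise the same model does double duty: before the live-fire phase the team reviews `lint_conduits()` output to catch segmentation mistakes in the twin, and during it every flow the monitoring stack sees at a zone boundary can be run through `evaluate_flow()`, so a deny verdict on a flow that is nevertheless succeeding is itself the signal that a conduit control has failed.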
For Indian organisations, IEC 62443 alignment is increasingly important. The CEA cyber security regulations reference international standards including IEC 62443, and major Indian industrial organisations (NTPC, Indian Oil, Tata Steel, Reliance Industries) are adopting IEC 62443 as their baseline OT security standard.
Conclusion
The convergence of IT and OT networks has created a new frontier of cybersecurity risk for Indian critical infrastructure. The 3.6 million attacks on Indian refineries, the Spain-Portugal blackout, and the airport GPS spoofing incidents are not isolated events -- they are indicators of a rapidly escalating threat landscape that demands a fundamentally different approach to cybersecurity training.
Traditional IT security training cannot prepare teams for the unique challenges of OT environments. The safety-first response paradigm, protocol-specific analysis requirements, legacy system constraints, and cross-domain attack paths all demand specialised training on digital twin environments that replicate real industrial systems.
With CEA regulations effective April 2026 and NCIIPC mandates already in force, the window for voluntary adoption is closing. Indian critical infrastructure operators must invest in OT-specific cybersecurity training now -- before the next Spain-Portugal-scale incident happens on Indian soil. The 52% improvement in OT MTTD that digital twin training delivers is not optional -- it is the minimum standard for responsible critical infrastructure protection.