securitylinkindia

Why Securing India’s Core Infrastructure Needs Risk, Security, IT, OT and Behavioural Science – Together

Sreekumar Narayanan
Chief Growth Officer, BNB Security & Automation solutions

When we talk about core sector infrastructure, we mean assets like:

  • Power generation and transmission (thermal, hydro, nuclear, solar parks, substations).
  • Oil and gas (refineries, pipelines, LNG terminals, storage depots).
  • Ports, inland waterways and major logistics parks.
  • Airports, metro rails, railway stations, freight corridors.
  • Smart factories, industrial corridors and large data centres.

These assets have three common features:

1. High impact

A single incident – a fire in a refinery unit, a major substation outage, a pipeline leak, a cyber breach in a control room – can affect millions of people, cause environmental damage and disrupt the economy.

2. Converged environments

Inside the same facility you will find:

  • Physical security systems (CCTV, access control, barriers, X-ray, perimeter intrusion detection).
  • IT systems (business applications, email, ERP, cloud workloads).
  • OT systems (SCADA, Distributed Control Systems, PLCs, RTUs, field sensors, VFDs).
  • Safety systems (fire & gas detection, emergency shutdown, public address).

These are increasingly interconnected, which means a weakness in one layer can be exploited to affect the others.

3. Complex human ecosystems

Employees, contract workers, shift technicians, drivers, seafarers, pilots, regulators, auditors, visitors and vendors all move through the same space. Their behaviour – deliberate or accidental – can create or reduce risk every day.

Because of this, traditional siloed security (guards + cameras + fire alarms) is no longer enough. We need a joined-up approach that looks at risk from multiple angles.

Earlier, most security planning focused on assets – protect this transformer, guard that control room, fence this tank farm and so on. Today, the more powerful idea is to protect activities and flows around those assets.

This includes how people, vehicles and materials move from gate to plant to storage and back; which digital commands go from control room to field devices and under what conditions; or what patterns of behaviour usually precede a safety incident, a leak, an outage or a cyber breach.

This is called activity mapping – creating a consolidated, time-based picture of who/what did what, where, when and with which dependencies.

Examples in a refinery or power plant:

  • Linking access control logs with CCTV video and control room operations: “When a contractor badge entered the switchyard, was there any manual command on breakers in the next 15 minutes?”
  • Combining vehicle GPS, weighbridge data and gate CCTV: “Did the coal truck that entered fully loaded also leave fully loaded and did it follow the authorised route?”
  • Correlating OT alarms with network security events: “We saw a remote login to an engineering workstation, followed by a setpoint change in a turbine controller – is this planned maintenance or a potential cyber-physical attack?”

Done well, activity mapping turns raw logs into meaningful stories about how the plant is being used. That is the true foundation of modern asset protection.

But this is only possible when:

  • Risk teams define what really matters (safety, availability, environment, compliance).
  • Security teams bring in surveillance, access control and incident data.
  • IT teams manage identity, networks, logs and analytics tools.
  • OT teams expose process and control system events safely.
  • Behavioural scientists help interpret patterns, biases and human triggers, so we don’t overreact to normal behaviour or miss slow-building risk.

1. Risk Management

Risk professionals think in terms of Threats (what can go wrong?), Vulnerabilities (where are we weak?), Consequences (what happens if it goes wrong?), and Likelihood (how often might this happen?).

In core sectors, they work with frameworks such as ISO 31000 (risk management), ISO 22301 (business continuity) and sector-specific safety standards.

Their job in this new world is to:

  • Define risk scenarios that involve both cyber and physical elements (e.g., remote manipulation of a valve causing an environmental spill).
  • Prioritise what needs continuous monitoring (critical pumps, main feeders, tank levels, explosive areas, high-risk contractors).
  • Set risk appetite – how much residual risk is acceptable and what must be mitigated immediately.

2. Security (Physical + Cyber)

Security teams bring expertise in Perimeter protection (barriers, bollards, fences), Surveillance (CCTV, video analytics, drones, thermal cameras), Access control (badges, biometrics, visitor management), and Cybersecurity (firewalls, endpoint protection, SIEM, incident response).

In a converged environment they must:

  • Treat ACS and CCTV as IT/OT systems with strong hardening, patching and configuration control.
  • Integrate physical events (door forced open, intrusion alarm) with network and OT alerts in a single console or SOC.
  • Work with risk management to define ‘risk-to-outcome’ playbooks – what do we do when multiple weak signals add up to a critical pattern?

3. IT (Information Technology)

IT teams run data centres and cloud platforms, business networks (LAN/WAN/Wi-Fi) and identity systems, central logging, SIEM and analytics platforms, and endpoint management and patching.

In the new model, they play three crucial roles:

  • Data plumbing: Bringing together logs and events from physical security systems, OT gateways, business applications and sensor platforms into a unified data lake or analytics platform.
  • Identity and access control: Ensuring that the same worker identity works across HR, IT, access control and some OT actions – so activity mapping can follow a person or role without confusion.
  • Privacy and compliance: Implementing data minimisation, encryption, access control and retention policies aligned with India’s data protection regulations and with internal policies on employee and visitor privacy.

4. OT (Operational Technology)

OT engineers work with SCADA, DCS, PLCs, RTUs, field instruments; industrial networks (Modbus, Profibus, OPC, IEC 61850, etc.); Safety Instrumented Systems (SIS) and emergency shutdown; and maintenance and reliability systems.

Traditionally, OT has been air-gapped and isolated. But with more remote monitoring, OEM support and integration with enterprise systems, that isolation is fading.

OT’s role in convergence includes:

  • Exposing safe, read-only telemetry from SCADA/DCS to security analytics platforms.
  • Defining which commands or parameter changes are high-risk and must be heavily monitored or require multi-factor approvals.
  • Designing segmented architectures where attacks on IT do not directly jump into critical control networks.

Most incidents in core sectors are still linked to human factors:

  • Shortcuts to save time.
  • Poorly understood procedures.
  • Fatigue in 12-hour shifts.
  • Misaligned incentives (rewarding speed, not safety).
  • Social engineering and phishing.
  • Insider threat, sometimes driven by financial pressure or resentment.

This is where behavioural scientists and organisational psychologists become vital partners.
They help in:

  • Understanding ‘normal’ behaviour: What is a typical shift pattern for a crane operator? How do technicians really bypass interlocks under pressure? Without this, analytics may treat normal workarounds as ‘suspicious’ or miss genuinely abnormal actions.
  • Designing alerts that humans can handle: If operators already see hundreds of alarms per hour in DCS, pushing another 50 ‘security alerts’ on another screen will create fatigue. Behavioural experts help design tiered alerts, colour coding, phrasing and escalation paths that humans can respond to meaningfully.
  • Building a security and safety culture: Training, communication, safety observations, peer feedback and leadership behaviours all shape how seriously people take risk. Behavioural science ensures these programmes are realistic, empathetic and grounded in how adults actually learn at work.
  • Ethical use of monitoring: If employees feel they are under constant surveillance, trust collapses. Behavioural inputs help design transparent, fair monitoring policies that focus on high-risk zones and actions, not micro-control of individuals.

While each site will be unique, certain technical building blocks are common across power plants, refineries, ports and data centres.

Integrated Command and Control

A modern Integrated Command & Control Centre (ICCC) or Security Operations Centre (SOC) brings together:

  • Video wall showing live CCTV, maps, process overviews and dashboards.
  • Incident management platform with ticketing and workflow.
  • Feeds from access control, visitor management, CCTV, video analytics, fire and gas systems, OT alarms (where safely possible), and network and cybersecurity tools.

The goal is not just to see more screens, but to build correlated views – ‘Gate 3 badge-in + vehicle number plate + route deviation + door forced in substation + unusual setpoint change in feeder panel’ becomes a single high-priority incident, not five unconnected alerts.

Data Architecture and Event Correlation

A typical data flow for activity mapping might look like:

1. Collection layer

  • Log collectors and syslog servers.
  • OT data gateways (OPC UA, MQTT brokers, historian exports).
  • Video analytics boxes feeding event metadata (not full video).

2. Transport and storage

  • Message buses or streaming platforms.
  • Central log storage/SIEM/data lake.
  • OT historian integration.

3. Correlation and analytics

  • Rules-based correlation (if A and B occur within 5 minutes, raise alert).
  • Machine learning models for anomaly detection (unusual combinations of badge, time, zone, command).
  • Dashboards and risk heatmaps for plant leadership.

4. Response orchestration

  • Automatic actions (lock doors, isolate network segment, switch camera views) for pre-approved scenarios.
  • Human-led triage and incident handling for complex or ambiguous events.

OT Security Basics

Even at a general level, there are some non-negotiable OT security practices:

  • Network segmentation: Separate IT and OT networks with strict, monitored gateways. Use demilitarised zones (DMZ) for historian and engineering stations.
  • Secure remote access: Strong authentication, jump servers, session recording. Time-bound access for OEMs and vendors with approvals.
  • System hardening: Disable unused services and ports on controllers and HMIs. Standard, tested configurations and baselines. Controlled patching windows aligned with plant operations.
  • Monitoring OT traffic: Passive network monitoring using ICS-aware tools. Detection of unusual commands, firmware uploads or new devices.

Privacy-by-Design in Monitoring and Analytics

Since activity mapping deals with people as well as machines, privacy cannot be an afterthought. A few practical principles:

  • Data minimisation: Collect only what is needed for safety and security. Avoid storing unnecessary personal attributes if not directly useful for risk reduction.
  • Pseudonymisation and role-based views: In routine dashboards, use anonymised or role-based identifiers (Operator-ShiftA-12) instead of full names. Allow full identity resolution only to authorised roles (e.g., incident investigators, HR/Legal in defined cases).
  • Purpose limitation: Clearly document that security and safety data will not be used for micro-managing productivity or unfair performance evaluation. Put this into policy and communicate it to employees and contractors.
  • Controlled retention: Define how long you store access, video and activity logs. Longer retention for high-risk zones (tank farms, control rooms) and shorter for low-risk general areas.
  • Transparency and consent: Signage and induction programmes explaining the types of monitoring in place. Regular Q&A sessions and FAQs that demystify security tools and answer employee concerns.
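
One way to implement the pseudonymisation and role-based resolution principle above, as an added example that is not from the original article: routine dashboards see a keyed, stable alias in the article's `Operator-ShiftA-…` style, and only authorised roles can resolve it against a case reference. The class, field names, demo key and role names are assumptions; the sample event is constructed.

```python
import hashlib
import hmac

# Assumptions: demo key and role names are illustrative. In practice the key sits in a
# secrets manager and the reverse map lives only in the resolver service.
PSEUDONYM_KEY = b"constructed-demo-key"
RESOLVER_ROLES = {"incident_investigator", "hr_legal"}
# Constructed sample event, not real data.
EVENT = {"worker_id": "EMP-20417", "name": "A. Sample", "role": "Operator",
         "shift": "A", "zone": "control-room", "action": "badge_in"}

class Pseudonymiser:
    def __init__(self, key=PSEUDONYM_KEY):
        self._key = key
        self._reverse = {}  # alias -> worker_id
        self.audit = []     # every resolution attempt, allowed or denied

    def alias(self, worker_id, role, shift):
        """Keyed, stable alias: the same worker always maps to the same identifier."""
        # 8 hex chars keeps aliases readable; lengthen for large workforces to avoid collisions.
        tag = hmac.new(self._key, worker_id.encode(), hashlib.sha256).hexdigest()[:8]
        alias = f"{role}-Shift{shift}-{tag}"
        self._reverse[alias] = worker_id
        return alias

    def dashboard_view(self, event):
        """Copy of the event with direct identifiers dropped and an alias added."""
        safe = {k: v for k, v in event.items() if k not in ("worker_id", "name")}
        safe["who"] = self.alias(event["worker_id"], event["role"], event["shift"])
        return safe

    def resolve(self, alias, requester_role, case_ref):
        """Full identity only for authorised roles, and only against a case reference."""
        allowed = requester_role in RESOLVER_ROLES and bool(case_ref)
        self.audit.append((alias, requester_role, case_ref, allowed))
        if not allowed:
            raise PermissionError(f"{requester_role} may not resolve {alias}")
        return self._reverse[alias]

if __name__ == "__main__":
    p = Pseudonymiser()
    view = p.dashboard_view(EVENT)
    print(view)
    print(p.resolve(view["who"], "incident_investigator", "INC-0001"))
```

Using an HMAC rather than a plain hash means someone who knows the employee ID format cannot recompute aliases without the key.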

Imagine a large coastal power plant in India – coal-based, with a private jetty, coal conveyors, high-voltage switchyards, ash ponds and a central control room.

Risks

  • Cyclones and storm surges impacting jetty and coal yards.
  • Insider or contractor misuse of access in switchyards or control buildings.
  • Cyber compromise of boiler/turbine controls or auxiliaries.
  • Fuel pilferage across truck, conveyor and bunker chain.
  • Environmental non-compliance (stack emissions, ash disposal).

Converged Solution

  • Risk team defines critical outcomes – no loss of life, no long outage beyond agreed tolerance, no uncontrolled environmental incident, and no regulatory breach or fraud above a defined threshold.
  • Security team deploys Integrated CCTV (optical + thermal) across jetty, coal yard, conveyors, and switchyards; Access control with zonal separation (jetty, coal handling, control room, turbine floor); and Perimeter intrusion detection and drone surveillance in sensitive zones.
  • IT team builds a data lake that ingests access logs, CCTV events, network alerts; integrates with HR identities and contractor management systems; and ensures encryption, secure storage and dashboards with role-based access.
  • OT team provides read-only feeds of critical alarms from DCS and coal handling PLCs; marks ‘high-risk commands’ for extra monitoring (e.g., manual bypass of interlocks, emergency stop overrides); and supports network segmentation and secure gateways between IT and OT.
  • Behavioural scientists map typical shift behaviours and shortcuts (e.g., tailgating at gates, informal handovers); design realistic drills and training that reflect actual pressures (time, production targets); and advise on non-intrusive monitoring and communication that maintains trust.

The Outcome: Now, when an incident occurs – say, a barge offloads coal in heavy rain, a conveyor belt motor overheats, a contractor badge is used twice at different gates in a short interval, and there is a remote login to an engineering workstation – the SOC can see these as linked signals in one storyline, not as four unrelated events.

Many Indian core sector organisations are at different maturity levels. Some have advanced ICS security programmes; others are still at basic CCTV and guard stages. A practical roadmap usually looks like this:

1. Map your ecosystem

  • List critical assets (people, processes, plant, technology).
  • Identify IT, OT, safety, security and HR systems currently in use.
  • Understand existing monitoring and incident response methods.

2. Create a converged governance structure

  • A cross-functional steering group with Risk, Security, IT, OT, HR and Operations.
  • Common definitions of incidents, severity levels and reporting lines.

3. Start with high-impact zones

  • Control rooms, tank farms, high-voltage yards, jetty/berths, data centres.
  • Implement integrated monitoring and clear playbooks for these first.

4. Invest in data and integration, not just hardware

  • Before buying more cameras or sensors, ensure existing ones are properly integrated.
  • Build a basic but robust data pipeline for logs and events.

5. Bring behavioural and privacy experts into the design room

  • Consult them early when deciding what to monitor, how to alert and how to communicate with staff.
  • Make privacy and ethics part of the design, not a post-facto compliance exercise.

6. Plan for continuous improvement

  • Review incidents and near misses with all stakeholders.
  • Update rules, analytics models, training and procedures regularly.
  • Benchmark against Indian and global peers and standards.

The future of securing India’s core sector infrastructure is not only about more cameras, smarter analytics or stronger firewalls. These are important, but they are just tools.

Real resilience will come from how well we make different disciplines work together – Risk giving the big-picture priorities, security guarding both physical and cyber frontiers, IT providing the data backbone and privacy controls, OT protecting the integrity of critical processes, and behavioural science ensuring that the human being remains at the centre, not the edge, of the security design.

When these perspectives converge, asset protection and activity mapping become powerful, proactive tools rather than a surveillance burden. And when privacy is built into the system from day one, both employees and citizens are more likely to trust that security is being done for them, not against them.

For India, which is rapidly scaling its infrastructure and digital backbone, this integrated approach is not optional. It is the only sustainable way to keep the lights on, the fuel flowing, the cargo moving and the data humming – safely, securely and with respect for the people who make it all work.


