
Securing Blue Star: Kishan Kendre’s Cyber-physical Strategy


Kishan Kendre, Global Head of Information Security at Blue Star, discusses proactive cyber‑defence, OT/IoT safeguards, and leadership in complex environments with BW Security World

In an era where cyber threats overlap operational systems, securing digital and physical infrastructures demands both vision and discipline. Kishan Kendre, Global Head–Information Security at Blue Star Limited, brings over 20 years’ experience in cybersecurity, IT strategy, and enterprise architecture to the challenge. In this exclusive interview for BW Security World, he reveals how he integrates multi‑layered defence, fosters a security-aware culture, and elevates resilience across global locations.

Below, he explains his robust approach to remote-site protection, incident response, IoT/AI deployment, and leadership in critical infrastructure security.

How do you ensure the safety and security of remote project sites, especially during high‑risk installations in sectors like infrastructure and data centres?

Ensuring the safety and security of remote project sites, particularly during high-risk installations in infrastructure and data centres, requires a multi-layered approach grounded in strong governance, advanced technology controls, and continuous monitoring.

First and foremost, access control is strictly enforced. We follow a role-based access model to ensure that only authorised personnel can interact with critical systems, applications, and data. Remote access is granted exclusively through secure channels such as Zero Trust Network Access (ZTNA), with multi-factor authentication (MFA) mandated as a baseline.

Endpoint security is maintained through hardened devices equipped with updated Endpoint Detection and Response (EDR) tools and encryption. The use of removable media is either restricted or closely monitored using Data Loss Prevention (DLP) solutions to mitigate risks of data exfiltration.

For high-risk environments such as data centre builds, we adopt network segmentation and establish secure configuration baselines. Temporary project-specific networks are continuously monitored for anomalies, and all configuration changes are logged and reviewed.

We also rely on Security Information and Event Management (SIEM) systems to provide real-time oversight of remote sites. Any suspicious activity, such as unauthorised access attempts or data anomalies, is immediately triaged by our central Security Operations Centre (SOC).

When it comes to third-party and vendor engagement, stringent controls are in place. All external teams must comply with our internal security protocols, reinforced through contractual agreements, NDAs, and periodic security audits.

Lastly, we prioritise human-centric security. Regular awareness sessions are conducted for both onsite and remote staff to educate them on phishing threats, secure data handling, and incident reporting procedures.

This layered defence strategy ensures that even the most remote and high-risk installations remain secure, resilient, and compliant.

Every security leader faces a defining moment that puts their training, instincts, and protocols to the test. Could you share one such high-stakes incident that challenged your team, how you responded, and the long-term changes that followed?

One such critical incident occurred during a data migration exercise at one of our remote sites supporting vital infrastructure. Midway through the process, our security monitoring system flagged unusual outbound traffic originating from a server that was not part of the scheduled migration. The pattern resembled potential data exfiltration, raising immediate concerns around either an insider threat or a compromised endpoint.

Recognising the urgency, we activated our incident response protocol without delay. The affected server’s access was revoked, and the device was immediately isolated from the network. A swift forensic investigation revealed that a contractor had unknowingly connected a personal USB device containing a script that mirrored directory structures to an external destination, triggering the anomaly.

What made the difference in that moment was precise coordination and clearly defined roles. Within 30 minutes, the SOC, network team, and on-site lead had successfully contained the situation, avoiding any actual data loss.

Following the incident, we implemented several long-term measures to strengthen our security posture:

Reinforced endpoint controls: USB ports were blocked across all project sites, and policy-based encryption was enforced for all removable media.

Enhanced third-party access management: Contractors were required to complete mandatory security awareness training, and access privileges were strictly limited to the principle of least privilege following compliance verification.

Improved anomaly detection: SIEM rules were fine-tuned to better detect lateral movement and unauthorised access, particularly from unmanaged devices.

This incident served as a strong reminder of the value of preparedness, cross-functional collaboration, and ongoing refinement in securing critical infrastructure environments.
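The detection logic the incident above turns on (outbound traffic from a host that was not part of the scheduled migration, and traffic from devices outside the managed inventory) can be expressed as a small rule over flow records. The following is an added illustration written for this article, not code from Blue Star or from the interviewee; the flow records, the migration schedule, the host inventory, the 10.0.0.0/8 internal range and the 50 MB per five-minute threshold are all constructed assumptions.

```python
"""Added example: SIEM-style rule for unscheduled outbound transfers.

Not the interviewee's or Blue Star's code. Flow records, schedule,
inventory, internal range and thresholds below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


# Constructed flow records (documentation-range addresses, not real telemetry).
SAMPLE_FLOWS = [
    Flow(datetime(2024, 1, 1, 2, 0), "10.20.1.10", "203.0.113.5", 40_000_000),   # scheduled migration host
    Flow(datetime(2024, 1, 1, 2, 1), "10.20.1.10", "203.0.113.5", 45_000_000),
    Flow(datetime(2024, 1, 1, 2, 2), "10.20.1.23", "198.51.100.7", 30_000_000),  # managed, but NOT scheduled
    Flow(datetime(2024, 1, 1, 2, 3), "10.20.1.23", "198.51.100.7", 35_000_000),
    Flow(datetime(2024, 1, 1, 2, 4), "10.20.1.23", "10.20.1.50", 5_000_000),     # internal, ignored
    Flow(datetime(2024, 1, 1, 2, 4), "10.20.9.77", "198.51.100.7", 1_000_000),   # not in inventory
]

# Constructed migration schedule: host -> (approved destination, window start, window end).
MIGRATION_SCHEDULE = {
    "10.20.1.10": ("203.0.113.5", datetime(2024, 1, 1, 1, 30), datetime(2024, 1, 1, 4, 0)),
}
# Constructed managed-device inventory (e.g. hosts enrolled in EDR).
MANAGED_HOSTS = {"10.20.1.10", "10.20.1.23", "10.20.1.50"}
# Assumption: everything in 10.0.0.0/8 is internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bucket(ts: datetime, window_minutes: int) -> datetime:
    """Floor a timestamp to the start of its fixed aggregation window."""
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % window_minutes)


def detect(flows, schedule, managed, byte_threshold=50_000_000, window_minutes=5):
    """Return alerts as (rule, src, dst, bytes).

    - unmanaged_host: any external flow from a host absent from the inventory.
    - unscheduled_outbound: external bytes per (window, src, dst) above the
      threshold, excluding transfers covered by the migration schedule.
    """
    alerts = []
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.dst):
            continue                      # internal traffic is out of scope for this rule
        if f.src not in managed:
            alerts.append(("unmanaged_host", f.src, f.dst, f.bytes_out))
        sched = schedule.get(f.src)
        if sched and sched[0] == f.dst and sched[1] <= f.ts <= sched[2]:
            continue                      # approved migration traffic, not an anomaly
        totals[(bucket(f.ts, window_minutes), f.src, f.dst)] += f.bytes_out
    for (_, src, dst), total in totals.items():
        if total >= byte_threshold:
            alerts.append(("unscheduled_outbound", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, MIGRATION_SCHEDULE, MANAGED_HOSTS):
        print(alert)
```

The schedule acts as the allowlist: the migration host moves 85 MB in the window and raises nothing, while the unscheduled host crosses the threshold and the out-of-inventory device is flagged on its first external flow regardless of volume, which is the "unmanaged devices" condition the tuned SIEM rules target.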

As Albert Einstein wisely said, “In the middle of difficulty lies opportunity.” Could you walk us through your approach to building a security strategy for a multi-location organisation?

Designing a robust security strategy for a multi-location organisation requires a centralised governance model coupled with decentralised, context-aware execution. This ensures uniformity in standards while allowing flexibility to address location-specific risks. My approach is structured as follows:

Risk Assessment and Asset Mapping
The foundation lies in conducting comprehensive risk assessments across all locations. This involves identifying critical assets, local threat vectors, regulatory obligations, and interdependencies, spanning physical infrastructure, networks, and data exposure at each site.

Establish a Centralised Security Framework
A unified security policy is created, aligned with global standards such as ISO 27001, NIST, or GDPR. This framework encompasses access control, data classification, incident response, third-party governance, and employee awareness. It is ratified by senior leadership and backed by a cross-functional governance committee.

Implement Defence-in-Depth Controls
We deploy layered security controls across all sites:

Perimeter & Endpoint Protection – firewalls, EDR/XDR solutions, email security
Identity & Access Management – multi-factor authentication (MFA), single sign-on (SSO), and privileged access controls
Data Protection – encryption, DLP tools, and secure backups
Network Security – Zero Trust Network Access (ZTNA), and segmented SD-WAN for secure connectivity

Centralised Monitoring & Incident Response
A central Security Operations Centre (SOC) monitors activity across locations in real-time. We maintain detailed response playbooks and empower local teams to act quickly on alerts, ensuring timely containment and escalation.

Regulatory Compliance & Auditing
We ensure compliance with relevant regional laws (e.g., the IT Act in India or GDPR in Europe). Regular audits, third-party assessments, and gap analyses are conducted to maintain and improve adherence.

Localised Awareness & Training
Tailored security awareness programmes are delivered to employees based on their roles and the unique threat landscape at each site. This builds a strong human firewall across the organisation.

Continuous Improvement
We actively monitor KPIs and KRIs, analyse threat intelligence, and conduct post-incident reviews. These insights drive iterative enhancements, ensuring that our security posture evolves alongside emerging risks.

This blended approach allows us to maintain a resilient, standardised, and agile security ecosystem across all locations, strengthening both compliance and business continuity.

How is your organisation integrating IoT and AI‑powered security systems to safeguard smart HVAC and building automation technologies?

Our organisation is strategically embedding IoT and AI-driven security into its smart HVAC and building automation systems, with a dual focus on operational efficiency and robust cyber resilience. Here’s how we approach it:

Smart Device Connectivity & Remote Monitoring
We’ve deployed a centralised monitoring platform that connects HVAC units across hundreds of sites. Real-time sensor and controller data is securely transmitted via GPRS/VPN to our Command & Control Centre. This setup supports remote diagnostics, early anomaly detection, and even over-the-air fixes—minimising on-site interventions and improving uptime.

AI-Powered Predictive Maintenance & Threat Detection
AI algorithms analyse continuous streams of sensor data to identify early signs of equipment failure, enabling predictive maintenance—vital for mission-critical infrastructure. While current models rely on machine learning, we are actively evaluating advanced AI for fault diagnostics, performance optimisation, and future readiness.

Secure Integration with Building Automation Systems (BMS/BAS)
Through technology partnerships, such as with CoolAutomation’s CoolMasterNet, we enable secure integration of VRF and HVAC systems into broader BMS ecosystems. These gateway solutions are designed with strong encryption and authentication protocols to prevent unauthorised access or tampering.

Factory & Cloud-level Security
In our manufacturing environments, we leverage platforms like ThingWorx to implement secure, AI-driven IoT analytics for quality assurance and production integrity. Our cloud architecture is secured through encrypted data channels, stringent role-based access controls, and centralised oversight.

Ongoing Cyber Resilience & SOC Monitoring
To further fortify our IoT ecosystem, we’ve scaled up cybersecurity investments, deploying end-to-end security controls across smart infrastructure. Our centralised SOC, powered by SIEM solutions, continuously monitors remote HVAC operations. Additionally, network segmentation at the gateway level mitigates lateral movement, reducing the attack surface.

This integrated approach ensures our smart building technologies remain secure, agile, and aligned with the evolving threat landscape, supporting both operational excellence and long-term sustainability.

What are some unique security challenges you face in protecting critical HVAC systems and smart building infrastructure?

Securing critical HVAC systems and smart building infrastructure presents a distinct set of challenges, primarily due to the convergence of operational technology (OT) and information technology (IT). Below are some of the most pressing concerns:

Legacy Systems with Limited Security Capabilities
Many HVAC systems continue to operate on legacy protocols such as BACnet or Modbus, which were not designed with modern cybersecurity in mind. These lack essential features like encryption or authentication, leaving them vulnerable to unauthorised access or manipulation.

Expanded Attack Surface via IoT Devices
Smart HVAC infrastructure depends on a wide array of IoT sensors, controllers, and gateways. While these enhance automation and monitoring, they also significantly broaden the attack surface. Additionally, their limited processing power often restricts the implementation of robust security controls.

Third-party Integration Risks
HVAC systems are often integrated with Building Management Systems (BMS), cloud platforms, and remote vendor tools. These touchpoints can become security liabilities if third-party controls are inadequate or poorly aligned with internal governance frameworks.

Risks from Remote Access & Monitoring
Remote access is essential for diagnostics and real-time control, yet it poses risks if VPN configurations, credentials, or access devices are compromised. Such breaches could allow threat actors to alter environmental controls in critical facilities, including data centres.

Complexity of Patching & Updates in OT Environments
Unlike traditional IT systems, many OT environments operate with minimal downtime, making patching and firmware updates challenging. This delay in applying security updates increases exposure to known vulnerabilities.

Insider Threats & Configuration Errors
Well-intentioned technicians, facility staff, or external contractors may inadvertently misconfigure systems or mishandle credentials, creating potential internal vulnerabilities that can be exploited.

Data Privacy & Regulatory Compliance
Smart HVAC systems increasingly collect sensitive environmental and occupancy-related data. Ensuring compliance with data privacy regulations, such as GDPR or India’s DPDP Act, adds another layer of responsibility, especially where data is processed or stored across distributed systems.

These challenges underscore the need for a holistic security framework that bridges the gap between OT and IT, ensuring resilient, compliant, and future-ready infrastructure.
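The two points above that go together in practice are the gateway-level segmentation mentioned in the previous answer and the fact that BACnet and Modbus carry no authentication of their own, so the segmentation policy is the control. The following is an added illustration for this article, not code from Blue Star, the interviewee or any vendor named here: a first-match, default-deny evaluator over a constructed zone-based rule set that reports every zone other than the designated gateway segment that can reach an OT protocol port. The zone names and rules are assumptions; the ports are the well-known BACnet/IP (UDP 47808) and Modbus/TCP (TCP 502) ports.

```python
"""Added example: check which segments can reach unauthenticated OT protocols.

Not Blue Star's or the interviewee's code. Zones and rules are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str          # zone name or "any"
    dst_zone: str          # zone name or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny"


# Well-known OT service ports; neither protocol authenticates the caller.
OT_SERVICES = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus/TCP"}

# Constructed segmentation model (assumed zone names).
OT_ZONE = "hvac-ot"
GATEWAY_ZONE = "bms-gateway"
ZONES = ["corp-it", "guest-wifi", "bms-gateway", "vendor-remote", "hvac-ot"]

# Constructed rule set, first match wins, implicit deny at the end.
RULES = [
    Rule("bms-gateway", "hvac-ot", "udp", 47808, "allow"),
    Rule("bms-gateway", "hvac-ot", "tcp", 502, "allow"),
    Rule("vendor-remote", "hvac-ot", "any", None, "allow"),   # over-broad remote-vendor rule
    Rule("corp-it", "hvac-ot", "tcp", 502, "deny"),
    Rule("any", "any", "any", None, "deny"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (rule.src_zone in ("any", src)
            and rule.dst_zone in ("any", dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def is_allowed(rules, src: str, dst: str, proto: str, port: int) -> bool:
    """First-match evaluation; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action == "allow"
    return False


def exposed_ot_services(rules, zones, ot_zone=OT_ZONE, allowed_sources=frozenset({GATEWAY_ZONE})):
    """Return (zone, service, port) for every non-gateway zone that can reach an OT port."""
    findings = []
    for zone in zones:
        if zone == ot_zone or zone in allowed_sources:
            continue
        for (proto, port), name in OT_SERVICES.items():
            if is_allowed(rules, zone, ot_zone, proto, port):
                findings.append((zone, name, port))
    return findings


if __name__ == "__main__":
    for finding in exposed_ot_services(RULES, ZONES):
        print("exposed:", finding)
```

Running it against the constructed rules reports only the vendor-remote zone, for both services, because its "any/any" allow sits above the default deny; corp-it is blocked for Modbus explicitly and for BACnet by the final rule. A check of this shape belongs in the change-review step for the temporary project networks described earlier, so that an over-broad rule is caught when it is added rather than when remote access is later compromised.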

What’s been the most rewarding experience of your career so far, and how do you share that sense of purpose with your team?

One of the most rewarding milestones in my career was leading the end-to-end security implementation for a multi-location data centre and smart infrastructure project. The engagement involved securing IoT-enabled HVAC components, integrating cybersecurity with operational technology (OT) systems, and aligning the overall architecture with both local and international compliance standards.

The scale and complexity of the project, ranging from legacy system challenges to third-party coordination and the need for uninterrupted operations, made it particularly demanding. However, what truly made the experience fulfilling was our ability to proactively identify and neutralise several potential security incidents during the rollout, thanks to the layered defence mechanisms and real-time monitoring capabilities we had implemented. This outcome reaffirmed the importance of proactive security in safeguarding critical infrastructure.

What stood out even more was how this initiative shifted the perception of cybersecurity within the organisation, from being seen purely as a compliance necessity to being recognised as a true business enabler. Operational efficiency improved, leadership buy-in increased, and client trust was significantly strengthened.

To instill that same sense of purpose in my team, I place strong emphasis on ownership, impact, and recognition. I make sure every team member understands how their role contributes to protecting essential systems that people and businesses depend on daily. We celebrate key achievements, reflect on lessons learned, and foster a collaborative culture where cross-functional learning is encouraged. I also mentor younger professionals, involving them in strategic decisions so they can appreciate the broader value of their contributions.

My guiding principle remains simple: don’t chase short-term acclaim. Focus on learning, excel at the fundamentals, and maintain consistency. That’s what leads to meaningful milestones and enduring recognition—both within your organisation and across the wider industry.

About the Interviewee:

Kishan Kendre is an information‑security veteran with two decades of experience across Retail, Telecom, IT/ITES, Manufacturing, Pharma, Petrochemicals, and Infrastructure. He built and oversees Blue Star’s enterprise-security framework, aligned to NIST, ISO 27001 and COBIT 5, and manages security architecture for over 100,000 users worldwide.

Disclaimer: Views expressed are in individual capacity and must not be treated as employer’s views.
