Prayukth K V
5 June 2025
From risk assessment to action: conducting effective OT security audits in substations (with hands-on checklist)
In the evolving cyber threat landscape, power substations, critical nodes in the electrical grid, have emerged as high-value targets for cyber attackers. As substations become more digitized with Intelligent Electronic Devices (IEDs), SCADA integration, and IP-enabled communications, the traditional security-by-isolation (aka air gap) model no longer holds. To counter this, Operational Technology (OT) security audits are now essential to evaluate vulnerabilities, enforce compliance (e.g., with CEA or NERC CIP standards), and harden substation-level cyber defenses.
Today’s OT security blog explores the anatomy of an effective CPS/ICS security audit in substations, breaking down phases, technical priorities, and ending with a hands-on checklist for practitioners.
Do reach out to us in case you have any questions.
Why substation OT security audits are crucial
Threat convergence
Nation-state actors, ransomware groups, and cybercriminals are increasingly targeting substations because they act as grid amplifiers, impacting large regions if compromised. Attacks like Industroyer and BlackEnergy showed how protocol misuse (like IEC 60870-5-101 or IEC 61850) can disrupt protection relays or switchgear.
Threats can also linger in substations for prolonged periods without being detected.
Legacy systems in a digital world
Substations are often built on decades-old infrastructure that now connects with modern IT systems. Devices like RTUs, PLCs, and protective relays weren’t designed with cybersecurity in mind and require layered protection.
Regulatory drivers
Compliance with standards such as OTCC, NIS2, CEA cybersecurity guidelines, NERC CIP, and IEC 62443 increasingly mandates proactive assessments, risk mitigation plans, and proof of resilience.
Phases of an Effective OT Security Audit in Substations
Phase 1: Pre-audit planning and scoping
Before deploying tools or gathering logs, auditors must:
· Identify scope boundaries: Define whether the audit covers primary substations, distribution substations, or both.
· Align the scope with IEC 62443
· Catalog all OT assets: Include IEDs, PLCs, RTUs, serial-to-IP gateways, switches, firewalls, and HMI systems.
· Engage cross-functional teams: Involve electrical engineers, control system owners, cybersecurity teams, and vendors.
· Clearly identify the objectives of the risk assessment exercise
· Understand the network architecture: Request or generate updated topology diagrams, including VLANs, protocols, and trust zones.
· Talk to an OT security specialist vendor such as Shieldworkz about conducting an OT risk and gap assessment along with VAPT
Avoid using traditional IT tools without multi-level validation: they can cause unexpected behavior in sensitive equipment such as protection relays.
Phase 2: Passive network discovery and asset inventory
Instead of intrusive scans, use passive network monitoring and Network Detection and Response (NDR) tools such as Shieldworkz to identify:
· Communicating devices and their roles
· Protocol usage (DNP3, IEC 61850, Modbus)
· Communication patterns (such as polling cycles, setpoints, event triggers)
· Gaps between the recorded asset inventory and what is actually seen on the wire
This phase builds a baseline of normal behavior and highlights unknown or rogue devices, often a sign of misconfiguration or compromise.
Phase 3: Configuration and firmware review
· Check device firmware versions: Are they up to date? Do any contain known CVEs? Are the devices performing as per baseline?
· Analyze security hardening settings: For IEDs and PLCs, review password policies, USB ports, unused functions (like web servers), and remote access settings.
· Look for default credentials or unencrypted sessions: Telnet or plaintext SNMP are red flags.
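The passive discovery of Phase 2 and the plaintext-session red flags of Phase 3 can be driven from the same flow data. The following is an added example, not code from this post or from Shieldworkz: it takes constructed flow records (as a SPAN/TAP sensor would export them), classifies protocols by well-known port, reports hosts missing from a hypothetical asset inventory, and flags Telnet and SNMP sessions.

```python
from collections import defaultdict

# Hypothetical asset inventory (IP -> role) compiled during pre-audit scoping.
INVENTORY = {
    "10.1.10.5": "SCADA front-end",
    "10.1.20.11": "protection relay IED",
    "10.1.20.12": "protection relay IED",
    "10.1.30.2": "engineering workstation",
}
# Well-known destination ports for the protocols this audit cares about.
PORT_PROTO = {502: "Modbus/TCP", 20000: "DNP3", 102: "IEC 61850 MMS",
              23: "Telnet", 161: "SNMP", 22: "SSH"}
# Services that carry credentials or device state in clear text (Phase 3 red flags).
RED_FLAG_PORTS = {23, 161}

# Constructed flow records, as a passive SPAN/TAP sensor would export them:
# (src_ip, dst_ip, dst_port, packets_seen)
FLOWS = [
    ("10.1.10.5", "10.1.20.11", 102, 4800),
    ("10.1.10.5", "10.1.20.12", 102, 4790),
    ("10.1.30.2", "10.1.20.11", 23, 35),
    ("10.1.99.77", "10.1.20.12", 502, 120),
    ("10.1.30.2", "10.1.10.5", 161, 60),
]

def triage(flows, inventory):
    """Build a talker map and a list of findings from passive flow records."""
    talkers = defaultdict(set)   # ip -> protocols it was seen speaking
    unknown = set()              # ips on the wire that the inventory does not list
    findings = []
    for src, dst, port, _pkts in flows:
        proto = PORT_PROTO.get(port, f"tcp/{port}")
        talkers[src].add(proto)
        talkers[dst].add(proto)
        unknown.update(ip for ip in (src, dst) if ip not in inventory)
        if port in RED_FLAG_PORTS:
            findings.append(f"plaintext {proto}: {src} -> {dst}")
    # Rogue/unknown hosts are reported last so protocol findings keep wire order.
    findings += [f"unknown device: {ip}" for ip in sorted(unknown)]
    return dict(talkers), unknown, findings

if __name__ == "__main__":
    _talkers, _unknown, found = triage(FLOWS, INVENTORY)
    print("\n".join(found))
```

The host 10.1.99.77 polling a relay over Modbus without appearing in the inventory is exactly the kind of unknown device this phase is meant to surface.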
Phase 4: Network segmentation and firewall audit
Audit internal firewalls including policy tuning, layer 2 segmentation, and remote access paths. Review:
· Demarcation between OT and IT: Is there a secure DMZ?
· Use of jump servers or bastion hosts for remote engineering access.
· ACLs and VLAN isolation to prevent lateral movement
· Whether firewall policies still match the traffic the substation actually generates
· Is there a possible way in which the segmentation could be bypassed?
Substations should follow a zoned architecture per IEC 62443, with defined trust levels between HMI, SCADA front-end, control LAN, and device LANs.
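A zone-and-conduit model can be checked mechanically against an exported firewall policy. This added example is not from the post or from Shieldworkz; the zone CIDRs, the permitted conduits and the rule set are all constructed. It reports rules that cross between zones with no defined conduit (for example corporate IT straight into the device LAN, bypassing the DMZ), rules using ports outside the conduit's allowlist, and any-port rules.

```python
import ipaddress

# Hypothetical IEC 62443-style zone plan for one substation (constructed CIDRs).
ZONES = {
    "corporate-IT": ipaddress.ip_network("10.0.0.0/16"),
    "DMZ":          ipaddress.ip_network("10.1.5.0/24"),
    "control-LAN":  ipaddress.ip_network("10.1.10.0/24"),
    "device-LAN":   ipaddress.ip_network("10.1.20.0/24"),
}
# Conduits the architecture permits: (src_zone, dst_zone) -> allowed dst ports.
CONDUITS = {
    ("corporate-IT", "DMZ"): {443},             # users reach the jump server only
    ("DMZ", "control-LAN"): {22},               # jump server -> engineering access
    ("control-LAN", "device-LAN"): {102, 502},  # SCADA front-end polling IEDs
    ("device-LAN", "device-LAN"): {102},        # relay-to-relay MMS
}

def zone_of(cidr):
    """Map a rule's address object to the zone that contains it."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"

# Constructed firewall policy export: src, dst, dst_port ('any' = all ports).
RULES = [
    {"id": 10, "src": "10.0.0.0/16", "dst": "10.1.5.10/32", "port": 443},
    {"id": 20, "src": "10.1.5.10/32", "dst": "10.1.10.0/24", "port": 22},
    {"id": 30, "src": "10.1.10.0/24", "dst": "10.1.20.0/24", "port": 102},
    {"id": 40, "src": "10.0.12.0/24", "dst": "10.1.20.0/24", "port": 502},
    {"id": 50, "src": "10.1.5.0/24", "dst": "10.1.20.0/24", "port": "any"},
]

def audit_rules(rules):
    """Return (rule_id, reason) for every rule that breaks the conduit model."""
    violations = []
    for r in rules:
        src_z, dst_z = zone_of(r["src"]), zone_of(r["dst"])
        allowed = CONDUITS.get((src_z, dst_z))
        if r["port"] == "any":
            violations.append((r["id"], f"any-port rule {src_z} -> {dst_z}"))
        elif allowed is None:
            violations.append((r["id"], f"no conduit defined {src_z} -> {dst_z}"))
        elif r["port"] not in allowed:
            violations.append((r["id"], f"port {r['port']} outside conduit {src_z} -> {dst_z}"))
    return violations

if __name__ == "__main__":
    for rule_id, reason in audit_rules(RULES):
        print(rule_id, reason)
```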
Phase 5: Vulnerability and patch assessment
· Run vulnerability mapping on firmware and OS builds (e.g., Windows XP-based HMIs, Linux kernel versions).
· Review patch history: When was the last OT patch applied? Is there a patching policy specific to substations? How frequently is it applied?
· Identify EOL (end-of-life) software that cannot be patched and needs compensating controls
· Is the asset inventory up to date?
· Are there any legacy systems that require additional defense?
· Have the attack paths been identified and broken?
It is advisable to perform vulnerability scans in test environments first to avoid disrupting live systems.
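Matching firmware versions against advisories and end-of-life dates is where most audit spreadsheets go wrong, usually by comparing version strings lexically ("3.2.9" sorts after "3.2.10" as text). This added example is not from the post or from Shieldworkz; the products, advisory IDs (placeholders, not real CVEs), fix versions and EOL dates are all constructed. It compares versions numerically and ranks unsupported assets with open findings first, since they need compensating controls rather than a patch window.

```python
from datetime import date

def vtuple(version):
    """'3.2.10' -> (3, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

# Constructed advisory feed; the IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "product": "RelayOS", "fixed_in": "3.2.10", "cvss": 8.1},
    {"id": "CVE-PLACEHOLDER-2", "product": "RelayOS", "fixed_in": "3.4.0", "cvss": 5.3},
    {"id": "CVE-PLACEHOLDER-3", "product": "HMI-Runtime", "fixed_in": "7.1", "cvss": 9.8},
]
# Constructed vendor support end dates; None means still supported.
EOL = {"RelayOS": None, "HMI-Runtime": date(2020, 1, 1), "GatewayFW": date(2023, 6, 30)}

# Constructed asset list as it would come out of the Phase 2/3 inventory.
ASSETS = [
    {"name": "IED-21", "product": "RelayOS", "version": "3.2.9"},
    {"name": "IED-22", "product": "RelayOS", "version": "3.4.1"},
    {"name": "HMI-01", "product": "HMI-Runtime", "version": "6.9"},
    {"name": "GW-01", "product": "GatewayFW", "version": "2.0.1"},
]

def assess(assets, advisories, eol, today):
    """Per asset: open advisories, worst CVSS, and whether vendor support has ended."""
    report = []
    for asset in assets:
        current = vtuple(asset["version"])
        open_adv = [adv for adv in advisories
                    if adv["product"] == asset["product"] and current < vtuple(adv["fixed_in"])]
        end = eol.get(asset["product"])
        report.append({
            "asset": asset["name"],
            "open": [adv["id"] for adv in open_adv],
            "worst_cvss": max((adv["cvss"] for adv in open_adv), default=0.0),
            "eol": end is not None and end <= today,
        })
    # EOL assets with open findings cannot be patched: they need compensating
    # controls, so they rank above patchable assets with the same severity.
    report.sort(key=lambda r: (r["eol"] and bool(r["open"]), r["worst_cvss"]), reverse=True)
    return report

if __name__ == "__main__":
    for row in assess(ASSETS, ADVISORIES, EOL, date(2025, 6, 5)):
        print(row)
```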
Phase 6: Logging, monitoring, and incident response readiness
· Check for OT-specific logging: Many IEDs offer limited logs, so correlate events via syslog, SNMP traps, or mirrored ports into SIEM/NDR platforms such as Shieldworkz.
· Incident response plan: Is there a substation-level IR playbook and plan in place? Do field engineers know how to disconnect malicious devices safely? Has this plan been tested?
· Time synchronization: Are all systems using NTP, and is it tamper-resistant?
Phase 7: Physical security and human factors
· Review physical access control systems: Who can physically enter the substation control room or panel areas? Do they need such access?
· Check portable media usage: Are USBs scanned using a media scanning solution before connection to relay laptops?
· Audit training records: Have operators received cybersecurity awareness training specific to OT systems including incident response?
· Have learnings from the last incident been used to improve security?
Moving from findings to action
After identifying all vulnerabilities and gaps, the focus shifts to remediation:
· Identify the IEC 62443 target Security Level and work towards it
· Put a team of specialists together to set the plan in motion and track progress
· Prioritize high-impact findings using a risk matrix (likelihood × impact)
· Develop a remediation roadmap with OT downtime windows in mind
· Engage vendors for firmware updates, configuration guidance, and segmentation help with guidance from an OT security vendor
· Conduct awareness sessions for local operators and engineers
A good audit doesn't just end with a locked, read-only PDF report; it should trigger a chain of security improvements, training, and risk reduction.
OT Security Audit Checklist for Substations
Use this practical checklist during your next substation audit:
| Area | Checklist item |
|---|---|
| Asset inventory | Identify all IEDs, RTUs, PLCs, HMIs, switches, and protocol gateways |
| | Confirm firmware versions and manufacturer support status |
| Network discovery | Map communication flows (e.g., SCADA polling, relay GOOSE messaging) |
| | Identify rogue or unknown devices |
| Configuration review | Check for default passwords, open ports, and unsecured protocols |
| | Review access logs and privilege levels for all devices |
| Segmentation and firewalls | Verify network segmentation (zones and conduits per IEC 62443) |
| | Audit firewall rules, ACLs, and remote access paths |
| Vulnerability and patch management | Match firmware and OS versions against known CVEs |
| | Review patch schedules and constraints for OT systems |
| Logging and monitoring | Ensure critical logs are sent to a central SIEM or OT NDR |
| | Confirm NTP synchronization for forensic readiness |
| Physical and site security | Validate door access controls, CCTV coverage, and badge logs |
| | Review USB/media use policies and incident logs |
| Training and awareness | Verify that field personnel have completed OT security awareness training |
| | Test the IR plan with tabletop exercises involving engineering staff; conduct third-party audits to check incident readiness |
Interested in an IEC 62443-based cyber risk assessment audit for your substations? Talk to us.
