
Securing the grid: A deep dive into OT security for electrical substations

Prayukth KV

October 29, 2025

As part of the Cybersecurity Awareness Month, we are doing a deep dive into OT security strategy and measures for various critical infrastructure sectors. Today we will examine cybersecurity measures that we recommend for electrical substations.

Electrical substations are undoubtedly the critical nodes of our power grid. They manage, transform, and distribute electricity to our homes, hospitals, and industries. But this critical role also makes them a high-value target for cyberattacks, and they are always on the radar of state-backed threat actors and hacktivists. As substations evolve from isolated, air-gapped facilities into highly connected digital hubs, their Operational Technology (OT) attack surface has expanded dramatically.

Securing these environments cannot be equated with securing a typical IT setup. We are dealing with a complex, high-stakes world where a cyber incident can lead to a physical-world blackout. Combine this with the rapid rise in the number of state-backed actors, conflicts, and AI-based malware and targeting tactics, and the magnitude of the problem becomes apparent. Today's post explores the unique challenges of substation security and provides a multi-layered strategy for building a resilient defense.

Don’t forget to check out our previous post on Securing airport MRO facilities here.

The unique asset profile hosted by substations  

The core challenge in substation security is the complex asset profile: a functional blend of old and new assets, diverse processes, and varied monitoring techniques. Each substation may have its own cybersecurity risk profile based on that mix as well as on other factors such as geographical location and the level of employee awareness.

A single substation is most often a blend of:

  • Legacy devices: Decades-old Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) that were built for reliability, not security. Many of these devices have limited processing power and cannot support modern encryption or authentication.

  • Contemporary technology: New Intelligent Electronic Devices (IEDs), sensors, and SCADA (Supervisory Control and Data Acquisition) systems that are highly interconnected.

  • Proprietary protocols: Communication often relies on industrial protocols like DNP3, Modbus, and IEC 61850, which are often unencrypted and lack basic security checks.

  • The "IT/OT Convergence": The once-clear line between the IT (business) network and the OT (control) network has blurred. Remote access for maintenance and data sharing for analytics create new pathways for attackers to "pivot" from IT into the critical control environment.

  • Varying processes: Each site runs its own set of operational processes to manage the power passing through it.

The threat landscape

The threats to substations are real and have already been demonstrated. Many of you may remember the 2015 cyberattack on Ukraine's power grid, in which attackers remotely operated circuit breakers to shut down substations. At the time it was considered a wake-up call for the entire industry. We have had many wake-up calls since: there have been complex attacks on grids and substations in India, the US, Spain, Japan and the UK, and almost all of them involved a state-backed actor.

Cyber threats to substations usually fall into these categories:

  • Nation-state actors: Seeking to conduct espionage or pre-position for future disruption of a rival's critical infrastructure. They may also stay latent within a target network and trigger an attack when a geo-political event occurs.

  • Cybercriminals: Ransomware groups and digital crooks have realized the immense leverage they gain by crippling critical infrastructure, as seen in the Colonial Pipeline attack.

  • Insider threats: Whether malicious (a disgruntled employee) or accidental (an engineer clicking a phishing link or plugging in an infected USB drive), insiders with legitimate access pose a significant risk.

  • Hacktivists: Motivated by political or social agendas, these groups seek to make a statement by causing disruption.

Common attack vectors include exploiting unpatched remote access VPNs, spear-phishing campaigns targeting engineers, supply chain attacks via compromised hardware, and physical security breaches.

A multi-layered defense: Key solutions for substation security

As the cliché goes, there is no single "silver bullet." A robust defense for a substation should instead rely on an integrated, defense-in-depth strategy.

Asset and network visibility is the key: Network Detection and Response (NDR)

In OT environments, you can't run "active" vulnerability scanners as you would in IT, because they could overwhelm, disrupt or crash sensitive control devices. So how do you find out what your assets are up to?

This is where a Network Detection and Response (NDR) solution built for OT becomes essential.

  • Passive monitoring: NDR tools such as Shieldworkz connect to the network and "listen" to traffic without sending any packets. This provides 100 percent visibility with zero operational risk. Since the tool is built for OT, it works within the constraints imposed by the OT infrastructure.

  • Behavioral baselines: The system uses machine learning to build a baseline of what's "normal" for your substation. It learns which devices talk to each other, what protocols they use, and what commands are typically sent. NDR solutions such as Shieldworkz can go a step further and build a baseline of baselines to further reduce false positives.

  • Anomaly detection: When an anomaly occurs, for instance an unauthorized laptop connecting, a PLC receiving a "shutdown" command from an unknown source, or data being exfiltrated, the NDR platform issues an immediate alert.

  • Compliance support: An NDR solution can also help with compliance reporting.
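The baseline-then-alert logic described above, reduced to its essentials as an added example for this post (it is not Shieldworkz code and does not represent how its product works internally). It assumes a passive sensor has already parsed traffic into flow records with a simplified operation label; the records, addresses and labels below are constructed:

```python
"""Learn a communication baseline from passively observed OT flow records and
classify later flows against it. Added illustration, not product code; the
flow records, addresses and operation labels are constructed."""
from dataclasses import dataclass, field

# Operations that change process state. Assumed simplified labels standing in
# for what a real DNP3/Modbus parser would extract (e.g. DNP3 OPERATE, Modbus
# function 0x06/0x10 writes).
CONTROL_OPS = {"write", "operate", "restart"}


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    proto: str  # "dnp3", "modbus", "iec61850-mms", ...
    op: str     # simplified operation label


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)          # every device seen talking
    conversations: set = field(default_factory=set)  # (src, dst, proto, op)


def build_baseline(flows):
    """Learning phase: record who talks to whom, over which protocol, doing what."""
    base = Baseline()
    for f in flows:
        base.hosts.update((f.src, f.dst))
        base.conversations.add((f.src, f.dst, f.proto, f.op))
    return base


def classify(baseline, flow):
    """Return (severity, reason) for a flow that deviates from the baseline,
    or None when the flow was already seen during learning."""
    key = (flow.src, flow.dst, flow.proto, flow.op)
    if key in baseline.conversations:
        return None
    if flow.src not in baseline.hosts:
        # A device never seen before: worst case it is issuing a control command.
        sev = "high" if flow.op in CONTROL_OPS else "medium"
        return sev, f"unknown source {flow.src} sent {flow.proto}/{flow.op} to {flow.dst}"
    if flow.dst not in baseline.hosts:
        # A known device reaching a destination it never used: possible exfiltration.
        return "medium", f"known host {flow.src} contacted unknown destination {flow.dst}"
    if flow.op in CONTROL_OPS:
        # Known pair, but this source never sent control commands to this device.
        return "high", f"{flow.src} issued {flow.proto}/{flow.op} to {flow.dst}, absent from baseline"
    return "low", f"new {flow.proto}/{flow.op} between known hosts {flow.src} -> {flow.dst}"


def detect(baseline, flows):
    """Run classify() over a batch and return the alerts in observation order."""
    return [r for r in (classify(baseline, f) for f in flows) if r is not None]


# Constructed learning window: an HMI (10.0.1.10) polling and operating IEDs,
# an engineering workstation (10.0.1.11) reading an RTU.
LEARNING_WINDOW = [
    Flow("10.0.1.10", "10.0.2.21", "dnp3", "read"),
    Flow("10.0.1.10", "10.0.2.22", "dnp3", "read"),
    Flow("10.0.1.10", "10.0.2.21", "dnp3", "operate"),
    Flow("10.0.1.11", "10.0.2.30", "modbus", "read"),
]

# Constructed later observations: one normal poll, then four deviations.
OBSERVED = [
    Flow("10.0.1.10", "10.0.2.21", "dnp3", "read"),        # normal
    Flow("10.0.1.99", "10.0.2.21", "dnp3", "operate"),     # unknown laptop operating a breaker
    Flow("10.0.1.11", "10.0.2.30", "modbus", "write"),     # workstation writing where it only read
    Flow("10.0.1.11", "203.0.113.5", "https", "data"),     # outbound to a never-seen address
    Flow("10.0.1.11", "10.0.2.21", "dnp3", "read"),        # new but read-only conversation
]

if __name__ == "__main__":
    for sev, reason in detect(build_baseline(LEARNING_WINDOW), OBSERVED):
        print(f"[{sev}] {reason}")
```

The severity ordering is the point: a set-membership baseline alone treats every new tuple alike, whereas a defender wants a control command from a device outside the baseline ranked above a new read between two known hosts.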

Know your security gaps

The cyber threat landscape and your own network are constantly changing and evolving. A once-in-a-blue-moon risk assessment is never enough. Utilities must conduct frequent, OT-specific risk assessments at the substation and beyond to:

  • Maintain an accurate inventory of all connected assets (hardware, software, and firmware).

  • Identify known vulnerabilities in those assets.

  • Analyze the potential operational impact of a compromise.

  • Prioritize remediation efforts, focusing on the most critical vulnerabilities first.

  • Gauge their security levels and address any gaps.

  • Inform all stakeholders about the prevailing level of security.
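The inventory-to-prioritization steps above, worked through as an added example (not a Shieldworkz tool or a published scoring method). It assumes the inventory records each asset's firmware version and an operational-impact rating, and that advisories state the first fixed firmware version; every asset, version, advisory and score below is constructed:

```python
"""Match an asset inventory against vendor advisories and rank remediation by
operational impact rather than by advisory severity alone. Added illustration;
assets, versions, advisories and the weighting are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    model: str
    firmware: str
    criticality: int          # operational impact if compromised: 1 (low) .. 4 (trips protection)
    remotely_reachable: bool  # reachable via a remote-access or business-network conduit


@dataclass(frozen=True)
class Advisory:
    model: str
    fixed_in: str             # first firmware version carrying the fix
    cvss: float               # vendor-stated base severity
    summary: str


def version_key(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset, advisory):
    return asset.model == advisory.model and version_key(asset.firmware) < version_key(advisory.fixed_in)


def risk_score(asset, advisory):
    """Assumed weighting: severity x operational impact, x1.5 when the asset is
    reachable from outside its zone. The multipliers are illustrative."""
    exposure = 1.5 if asset.remotely_reachable else 1.0
    return round(advisory.cvss * asset.criticality * exposure, 1)


def prioritize(assets, advisories):
    """Return (score, asset name, advisory summary) tuples, highest risk first."""
    findings = [
        (risk_score(a, adv), a.name, adv.summary)
        for a in assets
        for adv in advisories
        if is_affected(a, adv)
    ]
    return sorted(findings, reverse=True)


# Constructed inventory.
ASSETS = [
    Asset("IED-PROT-01", "RelayX", "2.3.1", 4, True),    # protection relay, reachable via jump host
    Asset("IED-PROT-02", "RelayX", "2.4.0", 4, False),   # same model, already patched
    Asset("HIST-01", "HistServer", "5.0.2", 2, True),    # historian in the DMZ
    Asset("RTU-03", "RtuY", "1.8", 3, False),            # isolated RTU
]

# Constructed advisories (placeholder summaries, not real CVEs).
ADVISORIES = [
    Advisory("RelayX", "2.4.0", 6.5, "authentication bypass on maintenance port (constructed)"),
    Advisory("HistServer", "5.1.0", 9.8, "remote code execution (constructed)"),
    Advisory("RtuY", "2.0", 7.5, "denial of service via malformed frame (constructed)"),
]

if __name__ == "__main__":
    for score, name, summary in prioritize(ASSETS, ADVISORIES):
        print(f"{score:>6}  {name:<12} {summary}")
```

Note how the ranking comes out: the medium-severity relay flaw outranks the critical historian bug because the relay can trip protection and is reachable remotely, which is the "operational impact" step the checklist asks for; the patched relay produces no finding because the version comparison is numeric.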

Specialized OT security training

Your employees are a critical part of your defense, but only if they are properly trained. We are talking about awareness that is actionable and leads to informed decision making. Standard IT phishing training is insufficient. OT-specific training must cover:

  • Physical security: Recognizing social engineering attempts to gain physical access, tailgating, and securing unattended workstations.

  • Digital hygiene: Strict policies on the use of removable media (especially USB drives), which are a common infection vector.

  • OT-specific phishing: Training to spot malicious emails disguised as vendor updates, maintenance schedules, or engineering diagrams.

  • Incident response and reporting: A clear, no-blame process for immediately reporting any suspicious activity and responding appropriately.

A robust Incident Response (IR) Plan

It's not a matter of if an incident will occur, but when. An OT-specific IR plan is vital. The primary goal in OT incident response differs from IT: the priority is safety and operational continuity (keeping the power on), not just data confidentiality.

A strong plan includes:

  • A defined CSIRT: A Cyber Security Incident Response Team with clear roles, including OT engineers, operators, and IT security.

  • Containment playbooks: Pre-defined steps to quickly isolate affected network segments to prevent an attack from spreading.

  • Recovery procedures: Tested plans to safely restore operations rapidly from a known-good state.

  • Forensics: The ability to preserve evidence and an audit trail so the attack's root cause can be understood without compromising the restoration of service.

Integrated Cyber Defense Measures

This is the "defense-in-depth" architecture that ties everything together.

  • Network segmentation: Using the "Zones and Conduits" model (from IEC 62443) to separate the control network from the business network and to create micro-segments within the control network.

  • Access control: Enforcing the principle of "least privilege" so users and devices only have the minimum access required for their job. This includes using Multi-Factor Authentication (MFA) for all remote access.

  • System hardening: Disabling unused ports and services on IEDs, servers, and workstations.

  • Secure Remote Access: All remote access must be routed through a secure, monitored "jump host" or demilitarized zone (DMZ).

The blueprint: An IEC 62443 checklist for substations

The IEC 62443 standard is the global gold standard for securing Industrial Automation and Control Systems (IACS). Instead of a generic checklist, it provides a framework for assessing risk and applying controls. Here’s a simplified checklist based on its core concepts:

Define zones and conduits:

  • Have you mapped your entire substation network?

  • Have you grouped assets into logical "Zones" based on their function and criticality (such as "Protection Zone," "SCADA Zone," "Remote Access Zone")?

  • Have you identified all communication pathways ("Conduits") between these zones?

Determine Target Security Levels (SLs):

  • For each zone, have you defined a Target Security Level (SL-T) from 1 (lowest) to 4 (highest) based on the risk?

  • SL 1: Protects against accidental misuse.

  • SL 2: Protects against intentional attack with simple tools.

  • SL 3: Protects against sophisticated attacks by skilled actors (e.g., cybercriminals).

  • SL 4: Protects against nation-state-level attacks.

Implement Foundational Requirements (FRs):

  • For each zone, are you applying the seven Foundational Requirements to meet your Target SL?

  • FR1 (Access Control): Who can access what? (e.g., user authentication, MFA).

  • FR2 (Use Control): What are they allowed to do? (e.g., permissions).

  • FR3 (System Integrity): Are the devices and software trustworthy? (e.g., patch management, malware protection).

  • FR4 (Data Confidentiality): Is sensitive data encrypted?

  • FR5 (Restricted Data Flow): Are you controlling traffic between zones? (e.g., OT-aware firewalls).

  • FR6 (Timely Response): Can you detect and respond to an event? (e.g., NDR, IR plan).

  • FR7 (Resource Availability): Can your system withstand a denial-of-service attack?

Secure the supply chain:

  • Are you vetting your vendors and their supply chains?

  • Do you require that new devices (IEDs, PLCs) are certified to IEC 62443-4-2 (component requirements) and conduct Security Acceptance Tests?
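The "define zones and conduits" and "Target Security Level" steps of the checklist, together with the rule in the Integrated Cyber Defense Measures section that remote access must terminate at a monitored jump host or DMZ, expressed as data and checked in code. This is an added example for this post, not Shieldworkz code and not an IEC 62443 reference implementation; the zone names, SL-T values, addresses and permitted protocols are constructed:

```python
"""Model IEC 62443 zones and conduits for a substation and check observed
traffic and the conduit definitions themselves against that model. Added
illustration; zones, SL-T values, hosts and protocols are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int       # SL-T: 1 (lowest) .. 4 (highest)
    members: frozenset   # hosts assigned to this zone


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: frozenset  # protocols permitted to initiate across it, in this direction


# Constructed zone map. Replies follow the initiating direction, so only the
# initiator-to-responder conduits are declared.
ZONES = [
    Zone("Remote Access", 1, frozenset({"10.0.0.1"})),             # VPN concentrator
    Zone("DMZ", 2, frozenset({"10.0.0.5"})),                       # monitored jump host
    Zone("SCADA", 2, frozenset({"10.0.1.10", "10.0.1.11"})),       # HMI, engineering workstation
    Zone("Protection", 3, frozenset({"10.0.2.21", "10.0.2.22"})),  # protection IEDs
]

CONDUITS = [
    Conduit("Remote Access", "DMZ", frozenset({"ssh", "rdp"})),
    Conduit("DMZ", "SCADA", frozenset({"rdp"})),
    Conduit("SCADA", "Protection", frozenset({"dnp3", "iec61850-mms"})),
]


def zone_of(host, zones=ZONES):
    for zone in zones:
        if host in zone.members:
            return zone
    return None


def check_flow(src, dst, proto, zones=ZONES, conduits=CONDUITS):
    """Return (allowed, reason) for one observed flow, the way an OT-aware
    firewall rule set or an NDR policy check would judge it."""
    zs, zd = zone_of(src, zones), zone_of(dst, zones)
    if zs is None or zd is None:
        unknown = src if zs is None else dst
        return False, f"{unknown} is not assigned to any zone; the network map is incomplete"
    if zs.name == zd.name:
        return True, f"intra-zone traffic inside {zs.name}"
    for c in conduits:
        if c.src_zone == zs.name and c.dst_zone == zd.name:
            if proto in c.protocols:
                return True, f"permitted over conduit {zs.name} -> {zd.name}"
            return False, f"{proto} is not permitted on conduit {zs.name} -> {zd.name}"
    return False, (f"no conduit defined from {zs.name} (SL-T {zs.sl_target}) "
                   f"to {zd.name} (SL-T {zd.sl_target})")


def lint_conduits(conduits=CONDUITS, remote_zone="Remote Access", dmz_zone="DMZ"):
    """Flag conduit definitions that let remote access bypass the jump host:
    a conduit leaving the remote-access zone may only terminate in the DMZ."""
    return [
        f"conduit {c.src_zone} -> {c.dst_zone} bypasses the jump host"
        for c in conduits
        if c.src_zone == remote_zone and c.dst_zone != dmz_zone
    ]


if __name__ == "__main__":
    for flow in [("10.0.1.10", "10.0.2.21", "dnp3"),
                 ("10.0.0.1", "10.0.2.21", "dnp3"),
                 ("10.0.3.7", "10.0.2.21", "dnp3")]:
        print(flow, check_flow(*flow))
    print(lint_conduits(CONDUITS + [Conduit("Remote Access", "SCADA", frozenset({"rdp"}))]))
```

Keeping the zone map as data makes the first checklist question ("have you mapped your entire substation network?") testable: any host that shows up in traffic but not in a zone fails closed, and the lint catches a conduit added for convenience that would route remote sessions straight into the control network.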

Securing our electrical substations is a non-negotiable aspect of national security, from both a human and an economic perspective. It requires a continuous process of assessment, layered technical defenses, and well-trained human and virtual barriers. By adopting a modern strategy rooted in standards like IEC 62443, we can build a grid that is not only reliable but truly resilient.

Talk to a Shieldworkz expert about security needs for your substation.

Test drive the Shieldworkz OT Security NDR through a demo.
