# SCADA and Industrial Control System (ICS) Security
## Definition
SCADA (Supervisory Control and Data Acquisition) and Industrial Control System (ICS) security is the discipline of protecting the operational technology (OT) systems that monitor and control physical processes: electrical power generation and distribution, water and wastewater treatment, oil and gas pipelines, manufacturing assembly lines, chemical processing, transportation systems, and building management. These systems control physical processes that affect public safety, critical infrastructure, and human lives.
OT security is fundamentally different from IT security. IT systems process data. OT systems control physical processes. When an IT system is compromised, data is exposed or systems go offline. When an OT system is compromised, physical equipment can be damaged, services can be disrupted, and people can be harmed. The Ukraine power grid attacks (2015, 2016) caused blackouts affecting hundreds of thousands of civilians. A 2021 attack on a Florida water treatment facility attempted to raise sodium hydroxide levels to dangerous concentrations. The consequences of OT compromise are physical, not digital.
The threat environment has changed. OT systems that were historically isolated (air-gapped from IT networks and the internet) are now connected: for remote monitoring, predictive maintenance, data analytics, and operational efficiency. This IT/OT convergence has expanded the attack surface from the physically present adversary (who must enter the facility) to the remotely positioned adversary (who compromises the IT network and pivots to OT). Volt Typhoon, a Chinese state-sponsored group, has specifically targeted OT-adjacent infrastructure for pre-positioning, demonstrating that the convergence risk is not theoretical.
## How It Works
### OT Architecture: The Purdue Model
The Purdue Enterprise Reference Architecture (Purdue Model) defines a hierarchical model for OT environments that organizes systems into levels:
- **Level 0: Physical process.** The physical equipment: valves, pumps, motors, sensors, actuators. These devices interact directly with the physical world.
- **Level 1: Basic control.** Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and safety instrumented systems (SIS) that receive sensor data and execute control logic. A PLC controlling a water pump reads the water level sensor and opens or closes the pump based on the level reading.
- **Level 2: Area supervisory control.** SCADA servers, Human-Machine Interfaces (HMIs), and distributed control systems (DCS) that provide operators with visibility into the process and the ability to modify control parameters. The HMI displays the water level and pump status. The operator can manually override the PLC's automatic control if needed.
- **Level 3: Site operations.** Historians (databases that record process data over time), MES (Manufacturing Execution Systems), and site-level management systems. Level 3 provides operational reporting and production management.
- **Level 3.5: Demilitarized Zone (DMZ).** The critical boundary between OT (Levels 0-3) and IT (Levels 4-5). The DMZ should contain no direct connectivity between IT and OT: data flows through intermediary systems (data diodes, jump servers, DMZ historians) that permit data out of OT to IT but restrict data flow from IT to OT.
- **Level 4: IT network.** Enterprise IT systems: email, ERP, business applications, user workstations.
- **Level 5: Enterprise network.** Internet-facing systems, cloud services, remote access infrastructure.
The Purdue Model's security principle: each level trusts the level below it (the SCADA server trusts commands from the PLC) and communicates upward through controlled interfaces. The DMZ between Level 3 and Level 4 is the critical boundary: compromising the IT network (Level 4) should not provide direct access to OT (Levels 0-3). In practice, many organizations have eroded or eliminated this boundary through direct connections between IT and OT for convenience, creating the attack path that Volt Typhoon and other actors exploit.
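The conduit rules described above can be turned into a mechanical check over observed connections. The following is an added example written for this page, not CDA's tooling or anything from the Purdue reference architecture itself: it assigns each host to a Purdue level (all addresses and the host roles are constructed), treats a connection as permitted only between neighbouring levels, flags any connection that skips a level as a DMZ or supervisory-tier bypass, and treats the DMZ-to-Level-3 direction as restricted to an approved jump server. The jump-server allowlist and the level assignments are assumptions for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed asset-to-level map for a small plant network (all addresses invented).
# Levels follow the Purdue Model: 0-3 are OT, 3.5 is the DMZ, 4-5 are IT.
ASSET_LEVEL: Dict[str, float] = {
    "10.20.0.5": 1,     # PLC controlling a pump
    "10.20.2.5": 2,     # SCADA server
    "10.20.2.6": 2,     # operator HMI
    "10.20.3.5": 3,     # OT historian
    "10.15.0.10": 3.5,  # DMZ replica historian
    "10.15.0.20": 3.5,  # DMZ jump server
    "10.10.5.20": 4,    # IT workstation
    "10.10.9.9": 5,     # remote-access gateway
}

# DMZ hosts allowed to initiate sessions *into* OT (assumed allowlist).
JUMP_SERVERS: Set[str] = {"10.15.0.20"}

# Ordered Purdue levels; a conduit is permitted only between neighbours in this sequence.
LEVEL_ORDER = [0, 1, 2, 3, 3.5, 4, 5]


def adjacent(a: float, b: float) -> bool:
    """True when two levels are neighbours in the Purdue hierarchy (or identical)."""
    return abs(LEVEL_ORDER.index(a) - LEVEL_ORDER.index(b)) <= 1


def check_flow(src: str, dst: str,
               assets: Dict[str, float] = ASSET_LEVEL,
               jump_servers: Set[str] = JUMP_SERVERS) -> Tuple[str, str]:
    """Classify a connection initiated by src toward dst.

    Verdicts:
      permitted  - same level, adjacent levels, or a jump-server session into OT
      restricted - a DMZ host other than a jump server initiating into OT (3.5 -> 3)
      violation  - a conduit that skips a level, i.e. bypasses the DMZ or a supervisory tier
      unknown    - an endpoint missing from the inventory (cannot be assessed)
    """
    if src not in assets or dst not in assets:
        missing = src if src not in assets else dst
        return "unknown", f"endpoint not in inventory: {missing}"
    ls, ld = assets[src], assets[dst]
    if not adjacent(ls, ld):
        crosses_it_ot = (ls >= 4) != (ld >= 4)
        skipped = "the IT/OT boundary (DMZ)" if crosses_it_ot else "a supervisory level"
        return "violation", f"L{ls} -> L{ld} skips {skipped}"
    # DMZ -> OT is the one adjacent conduit that carries inbound risk:
    # only designated jump servers may initiate it.
    if ls == 3.5 and ld == 3 and src not in jump_servers:
        return "restricted", f"{src} is in the DMZ but is not an approved jump server"
    return "permitted", f"L{ls} -> L{ld} follows an approved conduit"


# Constructed sample of observed connections (initiator, responder).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.2.5"),    # PLC <-> SCADA: adjacent OT levels
    ("10.10.5.20", "10.15.0.10"),  # IT workstation reads the DMZ historian
    ("10.15.0.20", "10.20.3.5"),   # jump server into OT
    ("10.15.0.10", "10.20.3.5"),   # DMZ historian initiating into OT
    ("10.10.5.20", "10.20.0.5"),   # IT workstation straight to a PLC
    ("10.10.9.9", "10.20.3.5"),    # remote-access gateway straight into OT
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, str, str]]:
    """Evaluate every flow and return (src, dst, verdict, reason) rows."""
    return [(s, d, *check_flow(s, d)) for s, d in flows]


if __name__ == "__main__":
    for row in audit():
        print("%-12s -> %-12s %-10s %s" % row)
```

Because the check works on (initiator, responder) pairs, it can be fed from firewall logs or a passive sensor's connection records; the "unknown" verdict is deliberate, since a host missing from the inventory is itself a finding.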
### OT-Specific Challenges
Legacy systems. OT systems have lifecycles measured in decades. PLCs, RTUs, and SCADA servers installed in the 2000s (or earlier) may run Windows XP, use proprietary protocols without authentication or encryption, and have no capability for security updates. Replacing these systems is often impractical: the PLC controlling a turbine is certified for that specific turbine model, and replacing the PLC may require recertification of the entire system. Security must work within the constraints of systems that were not designed for networked environments.
Availability priority. OT systems prioritize availability over confidentiality. An IT system can be taken offline for patching during a maintenance window. A power generation system, a water treatment plant, or a chemical processing facility cannot be casually taken offline. Downtime has physical consequences: communities lose power, water treatment stops, manufacturing production halts. Every security control must be evaluated against its availability impact: a firewall rule that blocks a legitimate control command can cause a physical process failure.
Proprietary protocols. OT systems communicate using industrial protocols (Modbus, DNP3, BACnet, EtherNet/IP, OPC UA) that were designed for reliability in controlled environments, not for security in networked environments. Many of these protocols have no authentication (any device on the network can send commands) and no encryption (all traffic is readable). Modern versions of some protocols add security features (OPC UA has authentication and encryption), but legacy installations use unprotected versions.
Limited visibility. Traditional IT security tools (EDR agents, vulnerability scanners, SIEM log collection) are often incompatible with OT systems. Installing an EDR agent on a PLC is not possible (the PLC runs a specialized RTOS, not Windows). Active vulnerability scanning against OT devices can cause process disruptions (the scan traffic overwhelms the PLC's limited network stack, causing it to restart). OT visibility requires passive monitoring: observing network traffic without generating traffic that could disrupt operations.
Patching constraints. OT systems cannot be patched on the same cadence as IT systems. A PLC firmware update requires testing against the specific control logic, scheduling downtime, and verifying that the update does not change the system's behavior. Many OT vendors release firmware updates infrequently, and some legacy systems no longer receive updates at all. Compensating controls (network segmentation, monitoring) protect what patching cannot.
### OT Security Controls
Network segmentation. The most critical OT security control. Enforce the Purdue Model DMZ between IT and OT. Use industrial firewalls (Palo Alto, Fortinet, Cisco, Claroty, Nozomi) that understand OT protocols and can enforce protocol-specific rules (permit Modbus read commands, block Modbus write commands from unauthorized sources). Segment within the OT network: separate safety systems (SIS) from control systems, separate different process areas, and restrict lateral movement between OT zones.
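The protocol-specific rule mentioned above (permit reads, allow writes only from authorized sources) relies on the fact, noted under proprietary protocols, that classic Modbus/TCP carries no authentication: the only thing a filter can key on is the source address and the function code in the frame. The following is an added example written for this page, not code from CDA or from any of the firewall vendors named: it decodes the 7-byte MBAP header and function code of a Modbus/TCP request, classifies the function code as read, write, control or exception using the public function-code groups from the Modbus application protocol specification, and applies a per-PLC allowlist. The addresses, the policy and the three sample frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Set

# Public Modbus function codes grouped by their effect on the process.
READ_FUNCTIONS: Set[int] = {1, 2, 3, 4, 7, 20, 24}       # coils, inputs, registers, files, FIFO
WRITE_FUNCTIONS: Set[int] = {5, 6, 15, 16, 21, 22, 23}   # coil/register writes, file write, mask write
CONTROL_FUNCTIONS: Set[int] = {8, 43}                    # diagnostics, encapsulated interface


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header (tid, protocol id, length, unit id) and the function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(function_code: int) -> str:
    if function_code & 0x80:
        return "exception"
    if function_code in READ_FUNCTIONS:
        return "read"
    if function_code in WRITE_FUNCTIONS:
        return "write"
    if function_code in CONTROL_FUNCTIONS:
        return "control"
    return "unknown"


@dataclass(frozen=True)
class Decision:
    action: str    # "permit" or "deny"
    category: str  # read / write / control / exception / unknown / malformed
    reason: str


def evaluate(src: str, dst: str, frame: bytes,
             policy: Dict[str, Dict[str, Set[str]]]) -> Decision:
    """Per-PLC allowlist: reads from readers or writers, writes/control only from writers.
    Anything else, including unknown PLCs and malformed frames, is denied."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return Decision("deny", "malformed", str(exc))
    cat = classify(req.function_code)
    rules = policy.get(dst)
    if rules is None:
        return Decision("deny", cat, f"{dst} is not a known PLC")
    where = ""
    if cat in ("read", "write") and len(req.data) >= 2:  # first PDU field is the start address
        where = f" at address {struct.unpack('>H', req.data[:2])[0]}"
    fc = f"FC{req.function_code}"
    if cat == "read" and src in rules["readers"] | rules["writers"]:
        return Decision("permit", cat, f"{fc} read{where} from approved reader {src}")
    if cat in ("write", "control") and src in rules["writers"]:
        return Decision("permit", cat, f"{fc} {cat}{where} from approved writer {src}")
    return Decision("deny", cat, f"{fc} {cat}{where} from {src} to unit {req.unit_id} not allowlisted")


# Constructed policy: one pump PLC, one SCADA server allowed to write, HMI and historian read-only.
POLICY = {
    "10.20.0.5": {
        "writers": {"10.20.2.5"},
        "readers": {"10.20.2.6", "10.20.3.5"},
    },
}

# Constructed frames: tid, proto=0, length, unit=1, function code, PDU data.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000000A")          # FC3 read 10 regs at 0
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "001000FF")          # FC6 write 0x00FF at 16
WRITE_MULTI = bytes.fromhex("00030000000B" "01" "10" "00100002" "04" "00010002")  # FC16, 2 regs at 16

if __name__ == "__main__":
    for src, frame in [("10.20.2.6", READ_HOLDING), ("10.20.2.6", WRITE_SINGLE),
                       ("10.20.2.5", WRITE_MULTI)]:
        d = evaluate(src, "10.20.0.5", frame, POLICY)
        print(f"{d.action:6} {d.category:9} {d.reason}")
```

The same classification drives both a blocking rule on an industrial firewall and a detection rule on a passive sensor; the difference is only whether the deny decision drops the frame or raises an alert, and in an OT network the availability concerns in this section usually argue for alerting first and blocking only after the rule has been validated against real traffic.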
Passive monitoring. Deploy OT network monitoring platforms (Claroty, Nozomi Networks, Dragos, Microsoft Defender for IoT) that passively observe OT network traffic, inventory OT assets, identify vulnerabilities, and detect anomalous behavior without generating traffic that could disrupt operations. Passive monitoring provides the visibility that active IT tools cannot safely provide in OT environments.
Secure remote access. Remote access to OT systems (for vendor maintenance, remote operations, monitoring) must be tightly controlled: MFA required, session recording, time-limited access, jump server architecture (the remote user connects to a jump server in the DMZ, then accesses OT systems from the jump server rather than directly from the IT network). VPN connections directly into the OT network bypass the DMZ and should be prohibited.
Asset inventory. Maintain a complete inventory of every OT asset: PLCs, RTUs, HMIs, SCADA servers, historians, network devices, safety systems. Include firmware versions, network addresses, protocol configurations, and vendor support status. The inventory enables vulnerability assessment (which assets have known vulnerabilities?), change detection (was a PLC configuration modified?), and incident response (which systems are affected?).
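Passive monitoring and the asset inventory reinforce each other: every request a sensor sees names two assets and one conversation, so the inventory can be built without sending a single packet, and once a learning window has established what normal looks like, anything outside it is an alert. The following is an added example written for this page, not a product's logic or CDA's: it consumes already-decoded Modbus/TCP request records (assumed to come from a passive sensor; the records here are constructed), builds an inventory with inferred client/server roles and first/last-seen timestamps, freezes a baseline of (source, destination, function code), and raises an alert once for each new asset, new conversation or new function code seen afterwards. The baseline is deliberately not extended by detected traffic; that is an analyst decision, not the sensor's.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MODBUS_PORT = 502


@dataclass(frozen=True)
class Flow:
    """One decoded Modbus/TCP request as a passive sensor would report it."""
    ts: float
    src: str
    dst: str
    dport: int
    function_code: int


class PassiveBaseline:
    def __init__(self) -> None:
        self.assets: Dict[str, Dict] = {}                       # ip -> roles, first_seen, last_seen
        self.conversations: Dict[Tuple[str, str], Set[int]] = {}  # (src, dst) -> function codes seen
        self._alerted: Set[str] = set()                         # suppress duplicate alerts

    def _record_asset(self, ip: str, role: str, ts: float) -> None:
        entry = self.assets.setdefault(ip, {"roles": set(), "first_seen": ts, "last_seen": ts})
        entry["roles"].add(role)
        entry["last_seen"] = max(entry["last_seen"], ts)

    def observe(self, flow: Flow) -> None:
        """Add one request to the inventory and the conversation baseline."""
        if flow.dport == MODBUS_PORT:
            roles = ("modbus-client", "modbus-server")  # server side is typically the PLC/RTU
        else:
            roles = ("client", "server")
        self._record_asset(flow.src, roles[0], flow.ts)
        self._record_asset(flow.dst, roles[1], flow.ts)
        self.conversations.setdefault((flow.src, flow.dst), set()).add(flow.function_code)

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            self.observe(f)

    def detect(self, flow: Flow) -> List[str]:
        """Compare one request against the frozen baseline; return new alerts only."""
        candidates = []
        for ip in (flow.src, flow.dst):
            if ip not in self.assets:
                candidates.append(f"new-asset {ip}")
        seen = self.conversations.get((flow.src, flow.dst))
        if seen is None:
            candidates.append(f"new-conversation {flow.src} -> {flow.dst}")
        elif flow.function_code not in seen:
            candidates.append(f"new-function FC{flow.function_code} on {flow.src} -> {flow.dst}")
        fresh = [a for a in candidates if a not in self._alerted]
        self._alerted.update(fresh)
        return fresh


# Constructed learning window: SCADA polls and occasionally writes, HMI only reads.
BASELINE_WINDOW = [
    Flow(1000.0, "10.20.2.5", "10.20.0.5", 502, 3),
    Flow(1001.0, "10.20.2.5", "10.20.0.5", 502, 16),
    Flow(1002.0, "10.20.2.6", "10.20.0.5", 502, 3),
    Flow(1003.0, "10.20.2.5", "10.20.0.5", 502, 3),
]

# Constructed monitored window.
MONITORED_WINDOW = [
    Flow(2000.0, "10.20.2.5", "10.20.0.5", 502, 3),   # routine poll: no alert
    Flow(2001.0, "10.20.2.6", "10.20.0.5", 502, 6),   # HMI starts writing: new-function
    Flow(2002.0, "10.20.3.77", "10.20.0.5", 502, 3),  # unseen host: new-asset, new-conversation
    Flow(2003.0, "10.20.3.77", "10.20.0.5", 502, 3),  # repeat: already alerted, silent
]


def run(baseline: List[Flow], monitored: List[Flow]) -> Tuple[PassiveBaseline, List[str]]:
    b = PassiveBaseline()
    b.learn(baseline)
    alerts: List[str] = []
    for f in monitored:
        alerts.extend(b.detect(f))
    return b, alerts


if __name__ == "__main__":
    inventory, alerts = run(BASELINE_WINDOW, MONITORED_WINDOW)
    for ip, e in inventory.assets.items():
        print(f"{ip:12} roles={sorted(e['roles'])} seen {e['first_seen']}..{e['last_seen']}")
    for a in alerts:
        print("ALERT", a)
```

The learning window has to be long enough to include infrequent but legitimate traffic (a weekly setpoint change, a monthly engineering download), or those will surface as alerts; the usual approach is to review the first weeks of alerts with the process engineers and fold the approved ones back into the baseline explicitly.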
Incident response for OT. OT incident response requires different skills, different tools, and different decision-making than IT incident response. Isolating a PLC from the network may stop the attack but may also stop the physical process the PLC controls (which may have safety consequences). OT IR teams must include process engineers who understand the physical implications of containment actions. Response playbooks must address both the cyber dimension (contain the attacker) and the physical dimension (maintain safe process operation during and after containment).
## Why It Matters
Volt Typhoon (Chinese state-sponsored, pre-positioning in U.S. critical infrastructure), Sandworm (Russian GRU, Ukraine power grid attacks), and other state actors have demonstrated both the intent and capability to target OT systems. The Volt Typhoon campaign specifically targeted sectors with OT environments: energy, water, transportation, and telecommunications. Pre-positioning in OT-adjacent IT infrastructure provides the access needed to reach OT systems during a conflict.
CDA's founder documented the collaborative cyber strategies of state adversaries through the Irregular Warfare Initiative. The research demonstrates that OT targeting is not opportunistic. It is strategic: nations are pre-positioning for the ability to disrupt adversary critical infrastructure during wartime. Defending OT is defending critical infrastructure. Defending critical infrastructure is defending national security.
### IT/OT Convergence Risk
The convergence of IT and OT networks creates attack paths that did not exist when OT was air-gapped. An attacker who compromises the IT network (through phishing, credential theft, or VPN exploitation) can reach OT systems if the Purdue Model DMZ is not enforced. Every IT vulnerability becomes a potential path to OT compromise. Defending OT requires defending IT and maintaining the boundary between them.
### Regulatory Environment
OT security is regulated in critical infrastructure sectors. NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) mandates cybersecurity controls for the electricity sector. TSA Security Directives mandate cybersecurity requirements for pipeline operators (issued after the Colonial Pipeline attack). CISA's Cross-Sector Cybersecurity Performance Goals include OT-relevant controls. IEC 62443 provides the international standard for industrial automation and control system security.
## CDA Perspective
OT security maps to the existing six PDM domains. VSD owns the attack surface: the IT/OT boundary, the OT network architecture, and the vulnerability landscape of OT devices. SPH owns the posture: OT asset inventory, configuration management (to the extent possible given OT constraints), and network segmentation maintenance. TID owns the detection: passive OT monitoring, anomaly detection, and threat intelligence specific to OT-targeting actors (Volt Typhoon, Sandworm, Xenotime/TRITON).
CDA's Continuous Surface Reduction (CSR) methodology applies to OT through the Purdue Model: every unnecessary connection between IT and OT is a surface that CSR identifies and eliminates. Every direct remote access path into OT that bypasses the DMZ is a surface that CSR eliminates. Every unmonitored OT protocol is a visibility gap that CSR closes through passive monitoring.
CDA approaches OT security with one principle: segmentation is the primary control. OT systems that cannot be patched, cannot run EDR agents, and cannot be actively scanned are protected by the network boundary that isolates them from threats originating in IT networks and the internet. The boundary must be enforced at the architecture level (Purdue Model DMZ), monitored continuously (passive OT monitoring), and tested periodically (OT-specific penetration testing that respects availability constraints).
For organizations with OT environments, CDA's FRM includes OT-specific assessment components: IT/OT boundary architecture review, OT asset inventory, OT protocol analysis, remote access assessment, and OT-specific threat landscape mapping based on the client's industry and the state actors known to target it.
## Key Takeaways
- OT/ICS systems control physical processes (power, water, manufacturing, transportation). Compromise can cause physical damage, service disruption, and safety hazards, not just data exposure.
- The Purdue Model defines the hierarchical OT architecture. The DMZ between Level 3 (OT) and Level 4 (IT) is the critical security boundary. Eroding this boundary creates the attack path that state actors exploit.
- OT systems have unique constraints: decades-long lifecycles, availability priority, proprietary protocols without authentication, limited visibility for IT security tools, and patching restrictions.
- Network segmentation is the primary OT security control. Systems that cannot be patched or monitored with IT tools are protected by the boundary that isolates them.
- Volt Typhoon and Sandworm demonstrate state-sponsored OT targeting for critical infrastructure disruption. Defending OT is defending national security.
## Sources
- Cybersecurity and Infrastructure Security Agency (CISA). "People's Republic of China State-Sponsored Cyber Actors: Volt Typhoon." Joint Advisory AA24-038A, February 2024.
- International Electrotechnical Commission. "IEC 62443: Security for Industrial Automation and Control Systems." IEC, 2018-2024.
- North American Electric Reliability Corporation. "NERC CIP Standards (CIP-002 through CIP-014)." NERC, updated continuously.
- Dragos. "2024 OT/ICS Cybersecurity Year in Review." Dragos, 2024.
- National Institute of Standards and Technology (NIST). "Guide to Operational Technology (OT) Security: SP 800-82 Rev. 3." U.S. Department of Commerce, September 2023.