SCADA Cybersecurity Best Practices for OT Networks

By NFM Consulting

Key Takeaway

SCADA cybersecurity protects industrial control systems from cyber threats that could disrupt critical infrastructure operations. This article covers network segmentation, access control, monitoring, patch management, and compliance with IEC 62443, NIST CSF, and TSA Security Directives for OT environments.

The OT Cybersecurity Landscape

Operational Technology (OT) cybersecurity for SCADA systems differs fundamentally from IT security. In IT environments, confidentiality is typically the highest priority, followed by integrity and availability. In OT environments, availability is paramount because downtime means lost production, safety hazards, or environmental incidents. A cybersecurity strategy that prioritizes protection at the expense of system availability is counterproductive in an industrial setting.

The threat landscape for SCADA systems has evolved dramatically. State-sponsored attacks (Triton/TRISIS targeting safety systems, Industroyer targeting power grids), ransomware (Colonial Pipeline), and supply chain attacks have demonstrated that industrial control systems are high-value targets. Texas energy infrastructure is particularly attractive to threat actors due to its critical role in national energy supply.

Network Architecture and Segmentation

The Purdue Model and IEC 62443 Zones

Proper network segmentation is the foundation of SCADA cybersecurity. The Purdue Enterprise Reference Architecture defines five levels:

  • Level 0-1: Physical process and basic control (sensors, actuators, PLCs, RTUs)
  • Level 2: Area supervisory control (HMI workstations, engineering workstations)
  • Level 3: Site operations (SCADA servers, historians, application servers)
  • Level 3.5 (DMZ): Industrial demilitarized zone separating OT from IT
  • Level 4-5: Enterprise IT (business systems, email, internet)

Each level should be separated by firewalls (ideally next-generation firewalls) with rules that permit only the traffic each boundary actually requires. IEC 62443 formalizes this concept as zones (groups of assets sharing the same security level) and conduits (the communication paths between zones, each with defined security controls).

Industrial DMZ Design

The industrial DMZ (Level 3.5) is the most critical network boundary. It prevents direct communication between enterprise IT (Level 4) and the control network (Level 3). Data transfer between zones should occur through DMZ-resident services such as historian replication servers, data diodes for unidirectional data flow, jump servers for remote access, and patch management servers that stage updates before deployment to OT systems. Never allow direct connections from the corporate network or internet to SCADA servers, HMI workstations, or PLCs.
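As an added illustration (not from the article or NFM Consulting), the policy below encodes the Purdue levels and the "never cross the iDMZ directly" rule as a deny-by-default conduit list and audits candidate firewall rules or observed flows against it. Zone names, ports and the sample flows are constructed for the demo.

```python
"""Purdue-model conduit audit: flag flows that bypass the industrial DMZ."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Purdue level of each zone; 3.5 is the industrial DMZ (iDMZ).
ZONE_LEVEL = {"basic_control": 1, "supervisory": 2, "site_ops": 3,
              "idmz": 3.5, "enterprise": 4}

# Conduits that are explicitly permitted (source zone, destination zone, port).
# Anything not listed is denied; ports are constructed for the demo.
ALLOWED_CONDUITS = {
    ("supervisory", "basic_control", 502),  # HMI -> PLC Modbus/TCP
    ("site_ops", "basic_control", 502),     # SCADA server polls PLCs
    ("site_ops", "idmz", 5432),             # historian replicates into the DMZ
    ("enterprise", "idmz", 5432),           # IT reads the DMZ historian replica
    ("enterprise", "idmz", 443),            # remote users reach the jump server
    ("idmz", "site_ops", 3389),             # jump server -> OT engineering hosts
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int

def check_flow(flow: Flow) -> Optional[str]:
    """Return why the flow violates the conduit policy, or None if allowed."""
    if (flow.src_zone, flow.dst_zone, flow.dst_port) in ALLOWED_CONDUITS:
        return None
    src, dst = ZONE_LEVEL[flow.src_zone], ZONE_LEVEL[flow.dst_zone]
    if src >= 4 and dst <= 3:
        return "enterprise reaches the control network directly, bypassing the iDMZ"
    if src <= 3 and dst >= 4:
        return "control network host initiates a connection to enterprise/internet"
    return "flow is not an approved conduit"

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every flow that the policy rejects."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

# Constructed sample: proposed firewall rules / observed flows to review.
SAMPLE_FLOWS = [
    Flow("supervisory", "basic_control", 502),  # allowed
    Flow("enterprise", "idmz", 5432),           # allowed
    Flow("enterprise", "site_ops", 1433),       # IT straight to a SCADA database
    Flow("enterprise", "basic_control", 502),   # IT straight to a PLC
    Flow("site_ops", "enterprise", 25),         # OT server sending mail outbound
]
```

Running `audit(SAMPLE_FLOWS)` returns the three direct IT-to-OT and OT-to-IT flows with their reasons; the two DMZ-mediated flows pass.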

Access Control and Authentication

Access control in SCADA environments requires balancing security with operational needs:

  • Multi-factor authentication (MFA): Required for all remote access to OT networks. TSA Security Directives mandate MFA for pipeline operators.
  • Role-based access control (RBAC): Operators, engineers, and administrators should have different privilege levels. Operators need read and control access; only engineers should modify configurations.
  • Shared account elimination: Replace shared operator accounts with individual accounts for accountability. SCADA platforms like Ignition support Active Directory integration for centralized user management.
  • Privileged access management (PAM): Engineering workstation and server administrator accounts should require checkout from a PAM solution with session recording.
  • Physical access: Control rooms, server rooms, and communication closets require physical access controls (badge readers, cameras) in addition to logical controls.

Continuous Monitoring and Detection

OT-Specific Monitoring Tools

Traditional IT security tools (SIEM, EDR) are necessary but insufficient for OT environments. Purpose-built OT monitoring platforms provide:

  • Asset discovery: Passive network monitoring identifies all devices on the OT network including PLCs, RTUs, switches, and unmanaged devices
  • Protocol-aware inspection: Deep packet inspection of industrial protocols (Modbus, DNP3, EtherNet/IP, OPC-UA) to detect anomalous commands or unauthorized configuration changes
  • Baseline deviation: Machine learning models establish normal communication patterns and alert on deviations that could indicate reconnaissance or lateral movement
  • Vulnerability assessment: Matching the firmware and software versions discovered through passive monitoring against known CVEs affecting OT devices and applications

Leading OT monitoring platforms include Claroty, Dragos, Nozomi Networks, and Microsoft Defender for IoT. NFM Consulting helps energy companies deploy and tune these platforms for their SCADA environments.
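To make the asset-discovery and protocol-aware inspection bullets concrete, here is an added example (not from the article or any of the platforms named above) that parses Modbus/TCP request frames, flags hosts missing from the asset inventory, and alerts on write function codes from any host whose baseline role is read-only. The inventory, roles, IP addresses and captured frames are constructed; the frame layout follows the public Modbus/TCP specification.

```python
"""Passive Modbus/TCP inspection: asset discovery plus write-command alerts."""
import struct
from typing import List, Tuple

# Function codes that change PLC state; reads (FC1-4) form the polling baseline.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed asset inventory: which hosts may speak Modbus and in what role.
KNOWN_HOSTS = {"10.10.2.10": "hmi",           # Level 2 operator HMI
               "10.10.3.5": "scada_server",   # Level 3 poller: reads only
               "10.10.1.20": "plc"}
WRITE_ALLOWED_ROLES = {"hmi"}   # baseline: only the HMI issues writes

def parse_modbus_tcp(payload: bytes) -> Tuple[int, int, bytes]:
    """Split a Modbus/TCP request into (unit_id, function_code, data).
    MBAP header: transaction id, protocol id (0), length, unit id = 7 bytes."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("protocol id or length field does not match Modbus/TCP")
    return unit, payload[7], payload[8:]

def inspect(src: str, dst: str, payload: bytes) -> List[str]:
    """Evaluate one request frame and return zero or more alert strings."""
    alerts = []
    if src not in KNOWN_HOSTS:
        alerts.append(f"unknown device {src} speaking Modbus to {dst}")
    try:
        unit, fc, data = parse_modbus_tcp(payload)
    except ValueError as err:
        return alerts + [f"malformed frame from {src}: {err}"]
    if fc in WRITE_FUNCTIONS and KNOWN_HOSTS.get(src) not in WRITE_ALLOWED_ROLES:
        addr = struct.unpack("!H", data[:2])[0] if len(data) >= 2 else None
        alerts.append(f"{WRITE_FUNCTIONS[fc]} (FC{fc}) to unit {unit} address "
                      f"{addr} from {src} ({KNOWN_HOSTS.get(src, 'unknown')})")
    return alerts

def run(records) -> List[str]:
    """Run every (src, dst, payload) record through inspect()."""
    return [a for src, dst, p in records for a in inspect(src, dst, p)]

# Constructed frames: MBAP (tid, proto 0, length 6, unit 1) followed by the PDU.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000000A")  # FC3 read 10 regs
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "001000FF")  # FC6 write reg 16
SAMPLE = [("10.10.3.5", "10.10.1.20", READ_HOLDING),    # normal polling
          ("10.10.2.10", "10.10.1.20", WRITE_SINGLE),   # operator write: allowed
          ("10.10.3.5", "10.10.1.20", WRITE_SINGLE),    # poller writing: off-baseline
          ("10.10.4.77", "10.10.1.20", WRITE_SINGLE)]   # unknown host writing
```

`run(SAMPLE)` yields three alerts: one for the SCADA server writing outside its read-only baseline, and two for the unknown host (asset discovery plus the write itself).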

Patch Management in OT Environments

Patching SCADA systems requires a fundamentally different approach than IT patching. You cannot simply apply patches automatically because untested patches can disrupt control system functionality. A proper OT patch management process includes:

  • Maintaining a current asset inventory with firmware and software versions
  • Monitoring vendor advisories and ICS-CERT alerts for relevant vulnerabilities
  • Risk-assessing each patch against operational impact
  • Testing patches in a lab or staging environment before production deployment
  • Scheduling patch installation during planned outages
  • Maintaining rollback procedures for every patch

For systems that cannot be patched (legacy PLCs, embedded devices with no vendor updates), implement compensating controls such as network isolation, enhanced monitoring, and application whitelisting on associated HMI or engineering workstations.

Incident Response for OT Environments

OT incident response plans must account for the unique aspects of industrial environments. Unlike in IT, where you might immediately isolate a compromised system, disconnecting a SCADA server could cause a loss of visibility and control over physical processes. OT incident response must include procedures for maintaining safe operations during an incident, even if that means switching to manual control. Plans should be developed jointly by OT engineers and cybersecurity staff, and tested through tabletop exercises at least annually.

Compliance Frameworks

Several frameworks guide SCADA cybersecurity implementation:

  • IEC 62443: The most comprehensive standard for industrial cybersecurity, covering system architecture, component security, and organizational processes
  • NIST Cybersecurity Framework (CSF): Provides a risk-based approach organized around Identify, Protect, Detect, Respond, and Recover functions
  • API 1164: Pipeline-specific SCADA security standard addressing control system architecture, access control, and monitoring
  • TSA Security Directives: Mandatory requirements for pipeline operators including network segmentation, MFA, and continuous monitoring
  • NERC CIP: Mandatory standards for bulk electric system cybersecurity, applicable to power generation and transmission SCADA

NFM Consulting performs cybersecurity assessments against these frameworks for Texas energy companies, identifying gaps and developing prioritized remediation roadmaps that balance security improvements with operational constraints and budget realities.
