OT Under Siege: Why Grid Control Systems Need a New Kind of Cyber Defense

At a remote substation in the Midwest, I watched recently as a team of cybersecurity specialists gathered not to fix a breach but to simulate one. The substation—a medium-impact test site built by one of the nation’s largest utilities—has become a proving ground for the future of grid security.

Before the North American Electric Reliability Corporation Critical Infrastructure Protection “Cyber Security–Internal Network Security Monitoring” standard (NERC CIP-015-1) was formally approved by the Federal Energy Regulatory Commission (FERC) on June 26, 2025, this utility wasn’t waiting. They had already been deploying monitoring tools, running penetration tests, and learning what “normal” network behavior looks like in preparation for what’s to come.

Beyond testing tools, they were getting to know the substation’s nervous system: watching how the network behaved under pressure and establishing what counts as normal. This was more than playing defense; it was preparation for the next act, because when a real threat shows up, you don’t want to be guessing.

This early, aggressive approach signals a shift in how critical infrastructure operators think about cyber defense. As the grid becomes more decentralized and the cyber threat landscape grows more complex, these testbeds show how utilities can turn compliance into capability—and why waiting until the 2028 compliance deadlines may already be too late.

Too many utilities still treat cybersecurity as a regulatory hoop to jump through. While compliance with standards like NERC CIP may create the impression that risks are being managed, it’s often little more than a box-checking exercise. In practice, meeting minimum requirements usually means leaving systems needlessly exposed. Just because an asset falls below a certain impact threshold on paper under the NERC CIP-002-5.1a impact assessment doesn’t mean it is immune from attack. The last decade of cyber incidents teaches us that adversaries don’t just disrespect impact designations; they exploit them.

Why Traditional OT Defenses Fall Short

Most operational technology (OT) environments didn’t grow up in a world of remote access, vendor-supplied firmware, and internet-facing components. And yet, that’s the world they now inhabit with modern, internet-connected devices layered on top of legacy infrastructure. Internal users now have more access across the network than ever before, which alone shouldn’t be a problem. However, even a minor breach can spread fast in environments that don’t understand or monitor lateral movement.

Case in point: I recently learned about an inverter that shipped with built-in backdoor access that quietly sent data to foreign threat actors. The breach went undetected for months—not because the attackers were particularly sophisticated, but because no one was watching the network. Firewall rules were technically in place, but there was zero visibility into East-West traffic—and no baseline for what “normal” looked like. So, no one knew the data exfiltration was happening. These blind spots are common in environments that rely solely on perimeter security. What’s more, the older the equipment, the more likely it is to be misconfigured or unmonitored.
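The anecdote above turns on two things the substation lacked: a learned baseline of which hosts normally talk to which, and a check on traffic leaving the OT network for destinations nobody approved. The following is an added illustration of that baseline-and-deviation idea, not code from the article, the utility it describes, or any monitoring vendor. The subnet (10.20.0.0/16), the approved historian address (10.50.1.10), the host roles, and all flow records are constructed for the example; a real deployment would learn the baseline from span-port or tap data over a known-good window.

```python
"""Baseline-and-deviation check for OT network flows (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed assumptions about the substation network (not from the article).
OT_SUBNETS = [ip_network("10.20.0.0/16")]   # assumed substation OT LAN
APPROVED_EXTERNAL = {"10.50.1.10"}          # assumed control-centre historian


def is_internal(ip):
    """True when the address falls inside one of the OT subnets."""
    addr = ip_address(ip)
    return any(addr in net for net in OT_SUBNETS)


def build_baseline(flows):
    """Learn what 'normal' looks like from a known-good observation window.

    Records every (src, dst, dport) tuple seen and, per source host, the
    largest single-flow byte count observed in that window.
    """
    tuples = set()
    max_bytes = {}
    for f in flows:
        tuples.add((f["src"], f["dst"], f["dport"]))
        max_bytes[f["src"]] = max(max_bytes.get(f["src"], 0), f["bytes"])
    return {"tuples": tuples, "max_bytes": max_bytes}


def classify_flow(flow, baseline, volume_factor=10):
    """Return the list of ways this flow deviates from the baseline (empty if none)."""
    reasons = []
    key = (flow["src"], flow["dst"], flow["dport"])
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if key not in baseline["tuples"]:
        # A lateral path between two OT hosts that was never seen before, or
        # any other conversation absent from the learned baseline.
        reasons.append("new-east-west" if src_in and dst_in else "new-flow")
    if src_in and not dst_in and flow["dst"] not in APPROVED_EXTERNAL:
        # An OT host talking to an external address nobody approved.
        reasons.append("unapproved-outbound")
    seen = baseline["max_bytes"].get(flow["src"])
    if seen is not None and flow["bytes"] > volume_factor * seen:
        # Far more data than this host has ever moved in a single flow.
        reasons.append("volume-outlier")
    return reasons


def detect(flows, baseline):
    """Run every flow through classify_flow and keep only the flagged ones."""
    alerts = []
    for f in flows:
        reasons = classify_flow(f, baseline)
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed known-good window: relay and inverter poll the RTU, the HMI reads
# the relay, and the RTU reports to the approved historian.
BASELINE_WINDOW = [
    {"src": "10.20.1.11", "dst": "10.20.1.1", "dport": 20000, "bytes": 1200},
    {"src": "10.20.3.7", "dst": "10.20.1.1", "dport": 502, "bytes": 800},
    {"src": "10.20.2.5", "dst": "10.20.1.11", "dport": 20000, "bytes": 600},
    {"src": "10.20.1.1", "dst": "10.50.1.10", "dport": 2404, "bytes": 5000},
]

# Constructed monitoring window: the inverter (10.20.3.7) starts pushing data
# to an outside address (203.0.113.45 is a documentation range), and the HMI
# opens a path to the inverter that the baseline never contained.
MONITOR_WINDOW = [
    {"src": "10.20.3.7", "dst": "10.20.1.1", "dport": 502, "bytes": 790},
    {"src": "10.20.3.7", "dst": "203.0.113.45", "dport": 443, "bytes": 48000},
    {"src": "10.20.2.5", "dst": "10.20.3.7", "dport": 22, "bytes": 300},
    {"src": "10.20.1.1", "dst": "10.50.1.10", "dport": 2404, "bytes": 5200},
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for flow, reasons in detect(MONITOR_WINDOW, baseline):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}  {', '.join(reasons)}")
```

The point of the example is that the inverter's outbound flow is caught three ways at once (unknown tuple, unapproved destination, abnormal volume) even though each single rule is simple; the value comes from having a baseline at all, which is exactly what the perimeter-only setup in the anecdote lacked. In practice the known-good window must itself be reviewed, since a baseline learned while a backdoor is already active will treat the exfiltration as normal.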

New Threat Landscape

Attacking OT systems no longer takes elite skills. With off-the-shelf tools readily available on the Dark Web, just about anyone can take a swing. The bigger problem? We still see cutting-edge digital systems dropped into aging, brittle environments—often with little thought given to the risks.

A better approach starts by recognizing that security is a continuous, risk-based discipline. This means involving leadership from the outset and ensuring that cybersecurity is a top operational priority.

Real resilience starts with understanding the risks that matter to the business. That means clear, threat-informed assessments and controls built specifically for OT. It also takes monitoring that knows what “normal” looks like across industrial systems, not just what looks suspicious on a corporate network.

Opportunities and Challenges

Older systems predate today’s cyber threats, so we help operators adapt them to the realities of modern operations. With the right tools, planning, and expertise, organizations can retrofit their infrastructure to meet modern cybersecurity threats. Utilities that build in security from the beginning, writing cyber requirements into requests for proposals (RFPs) and planning sensor placement up front, have an easier time of it, because they can choose equipment that won’t trigger integration headaches down the road.

There’s a myth that cybersecurity planning is too expensive to do early. The opposite is true: skipping early design usually costs more, sometimes a lot more. An upgrade like a distributed control system (DCS) overhaul presents an opportunity to build resilience, not just patch over vulnerabilities.

So why isn’t this happening more often? Not because leaders don’t care. Most executives understand the stakes. The problem is translating that awareness into implementation. Cyber priorities usually get stuck at the middle-management level, where operational friction and resource constraints become convenient excuses for inaction.

One way forward is to get involved in standard-setting committees and industry working groups. These forums help stakeholders stay ahead of regulatory shifts, share practical lessons, and shape guidance that works in the field. Just as important, they clarify roles and responsibilities—something boilerplate RFPs and contracts often overlook.

The Stakes Are Growing

The regulatory environment is only getting tougher. Standards like NERC CIP-015 are raising the bar for what counts as “good enough,” and utilities that wait until the last minute will end up scrambling to catch up. But this isn’t about compliance—it’s about resilience. As more grid functions move to the edge and more devices connect in more locations, the attack surface will continue to expand. So, the sooner organizations treat cybersecurity as a core part of operational excellence—not a bolt-on afterthought—the better prepared they’ll be for what’s already on the horizon.

Anirban “Sunny” Ghosh is NERC CIP lead, Industrial Cybersecurity Consultant, with Black & Veatch.