Software Security and SCADA Protection in Critical Energy Facilities
Renewasoft | 2026
Level: Advanced Audience: SCADA Engineer, HPP Operator, CTO, Infrastructure Investor
Introduction
As hydropower plants digitalize with SCADA and IIoT, automated systems optimize energy production; however, even a small security vulnerability in these systems can lead to physical damage, efficiency loss or operational disruptions. In the 2025 cyber attack on Norway’s Bremanger dam, valves were opened through the control system and excess water was released for four hours[1]. According to NIST, OT/ICS environments carry high reliability, continuity and safety requirements[1]; therefore, layered defense and proactive security measures at both network and software layers are essential.
TL;DR — Executive Summary
- IT/OT Separation: HPPs prioritize real-time control and high continuity. Purdue model segmentation provides OT/IT isolation[1].
- Attack Surface: Legacy protocols like Modbus, DNP3, IEC-104 lack authentication or encryption. Open ports and engineering stations carry weak configuration risk[1][2].
- Defense Layers: OT network is protected with DMZ, network segmentation, Zero Trust and deep packet inspection[1][2].
- SSDLC + CI/CD: Security integrated into software development; SAST, DAST, container scan, SBOM and signature verification[3][4].
- Supply chain verification is critical for OT systems.
Infographic: HPP Software Security — Attack Surface, Defense Layers and SSDLC Pipeline [1][2][3]
Paradigm Shift: IT/OT Separation Through the Purdue Model
The fundamental network architecture of industrial control systems is layered according to the Purdue model. In this model, levels 0-1 are physical process and PLC/RTU layers; level 2 is the SCADA/HMI/DCS layer. Upper levels (3-5) include the control center and enterprise IT. This separation creates an air gap between OT/IT, enabling effective access control[1].
However, with digitalization these layers are increasingly intertwined. Business processes have integrated with cloud, IoT and remote access. This has expanded the threat surface of OT networks. During the NotPetya attack, weak segmentation caused malware to spread to factory automation networks[5]. As NIST states, if ICS networks become unexpectedly accessible, control over physical processes can be rapidly lost[1]. Therefore, defense-in-depth strategy and Zero Trust approach are essential in HPPs.
| Level | Layer | Components | Security Measure |
|---|---|---|---|
| 0-1 | Physical Process + PLC/RTU | Turbine, generator, sensor, PLC, RTU | Micro-segmentation, physical access control |
| 2 | SCADA / HMI / DCS | SCADA server, HMI terminal, historian | DPI, ML baseline, session monitoring |
| 3 | Control Center | Engineering workstation, patch server | Jump server, MFA, patch management |
| 3.5 | OT DMZ | Data diode, log broker, proxy | Unidirectional data flow, SIEM integration |
| 4-5 | Enterprise IT / Cloud | ERP, SOC/SIEM, UI | No direct OT access; through DMZ only |
Table 1: Purdue Model Layers and Security Measures [1][2]
Infographic: Purdue Model + IEC 62443 Security Zones [1][2]
Attack Surface Mapping: HPP Vulnerabilities
OT devices and protocols in HPPs have historically been designed for functionality rather than security. As NIST emphasizes, several industrial protocols lack authentication[1]. Common protocols like Modbus TCP, DNP3 or IEC 60870-5-104 lack encryption, authentication or integrity controls[1]. These protocols can easily be manipulated by eavesdropping or replay attacks on the network.
| Protocol / Component | Vulnerability | Attack Vector | Countermeasure |
|---|---|---|---|
| Modbus TCP (502) | No auth/encryption | Command injection, replay | DPI + allowlist, TLS wrapper |
| DNP3 (20000) | Auth optional, rarely used | Man-in-the-middle, spoof | DNP3 Secure Auth, segmentation |
| IEC 60870-5-104 | No encryption/auth | Fake commands, eavesdropping | IEC 62351 TLS, VPN tunneling |
| HMI/RTU (Windows) | Unpatched OS, default passwords | Lateral movement, RCE | Patch mgmt, application whitelisting |
| Engineering Workstation | USB, vendor SW, dual-homed | PLC program manipulation | PAM, jump host, USB control |
| Remote Access | Weak VPN, single factor | Credential harvesting | MFA + time-based + session recording |
Table 2: HPP Attack Surface Map and Countermeasures [1][2]
NIST warns: ICS components are problematic in terms of updates and patching; many devices run on legacy operating systems that are no longer supported[1]. Open ports, unauthorized remote access channels and untested third-party applications in the HPP network carry heavy risk[1].
Defense Layers and Zero Trust: Never Trust, Always Verify
Protection in HPPs is primarily achieved through multi-layered defense. Traffic to the OT network is separated into layers and different measures are applied at each level. A DMZ is established between the control network and the corporate network to limit access. Industrial firewalls only permit required SCADA traffic. Within the internal ICS network, zone/conduit segmentation isolates plant sections[1][2].
In the Zero Trust model, users, devices and applications are never automatically trusted; access is tested and restricted each time. For example, an engineer requesting PLC access is first subjected to identity verification (MFA). Network traffic is continuously monitored; immediate isolation occurs upon detecting abnormal activity. ISA/IEC 62443 standards also envision this layered architecture[2].
| Layer | Technical Function | HPP Implementation |
|---|---|---|
| Perimeter FW | deny-all / permit-by-exception; stateful + DPI [1] | NGFW: Modbus FC, DNP3, OPC UA parser for command filtering |
| DMZ | Blocks direct access from corporate network to OT [1] | OT gateway, log broker, time sync proxy |
| Jump Server | Routes OT access through a single controlled hop point [1] | MFA + time-based + session recording; split tunneling disabled |
| Micro-Segmentation | Cell/area-based segments; least privilege via PEP [2] | SCADA, sensor, PLC groups as separate secure zones |
| Data Diode | OT→DMZ unidirectional data flow; physical C2 block [1] | All reverse flow blocked except critical telemetry |
| IDS/IPS + SIEM | Traffic anomaly detection, log correlation, playbook [1] | Deterministic baselining + ML anomaly scoring |
Table 3: Defense Layers and HPP Implementation [1][2]
Secure Software Development (SSDLC) and CI/CD Security
Security integrated into the software development process is critically important. The NIST SSDF guide strongly recommends static analysis and secret scanning[4]. IEC/ISA 62443-4-1 defines secure product development principles for industrial products[2].
| # | Phase | Security Activity | Tools / Standard |
|---|---|---|---|
| 1 | Design | Threat modeling, security requirements, architecture review | STRIDE, cyber-HAZOP, IEC 62443-3-3 |
| 2 | Development | Code review, static analysis, dependency scanning, secret detection | SAST (SonarQube, Semgrep), Snyk, GitLeaks |
| 3 | Test | Dynamic analysis, penetration testing, fuzzing, performance test | DAST (OWASP ZAP, Burp), fuzzer, load test |
| 4 | Deployment | Container vulnerability scan, signature verification, SBOM generation | Trivy, Cosign, SBOM (CycloneDX/SPDX) |
| 5 | Monitoring | Runtime anomaly detection, log auditing, SIEM integration | Falco, ELK/Splunk, AI |
Table 4: SSDLC Pipeline Phases and Security Controls [2][4]
Renewasoft applies these SSDLC measures when developing HYDROWISE: every software component is packaged in containers and passed through vulnerability scanning systems; every step in the CI/CD pipeline goes through security controls. No unsigned software is accepted into the production line[2].
Supply Chain Attacks and Protection
A supply chain attack targets third-party components or update channels rather than the software developer to infiltrate a system. In the 2020 SolarWinds incident, attackers injected malicious code into the legitimate Orion management software, gaining access to thousands of organizations using this software[5]. In energy infrastructure, a similar situation could occur through infiltrating the control system with a fake PLC firmware update.
🔒 Supply Chain Protection Checklist
SBOM (Software Bill of Materials): Inventory of all dependencies maintained; CycloneDX or SPDX format.
Dependency Signing: Cryptographic signature of every library verified; dependency hijacking prevented.
Version Pinning: Dependency versions pinned in CI/CD; unexpected updates prevented.
Firmware Verification: PLC/RTU firmware updates done with manufacturer certificate + hash verification.
Secure Channel: Updates only from encrypted, authenticated channels (TLS + mutual auth).
Technical Risk Scoring Model
Risk analysis in energy facilities must be quantitative. The common model:
Threat = Actor capability/intent | Vulnerability = Gap severity | Impact = Operational loss, hardware damage, safety breach
Impact criteria in hydropower projects include production loss, equipment failure or environmental damage. Heluany et al. proposed a detailed risk assessment using the cyber-HAZOP method for HPPs[5]. Each control element is assigned a 0-100 risk score so that investment and security resources are prioritized toward highest-risk areas.
| Asset / Scenario | Threat | Vuln. | Impact | Risk Score |
|---|---|---|---|---|
| SCADA Server (unpatched) | 0.8 | 0.9 | 0.9 | 0.648 → Critical |
| PLC (Modbus, no auth) | 0.7 | 0.8 | 0.9 | 0.504 → High |
| Engineering WS (dual-homed) | 0.6 | 0.7 | 0.8 | 0.336 → Medium-High |
| OT Gateway (DMZ, TLS) | 0.5 | 0.2 | 0.7 | 0.070 → Low |
Table 5: HPP Asset-Based Risk Scoring Example [1][5]
Case Study: Real Scenarios
💥 Evidence-Based Background
Bowman Avenue Dam (2013, USA): Iranian-origin hackers were found to have infiltrated the dam’s SCADA system. No physical damage occurred but access was confirmed[5].
Bremanger/Risevatnet Dam (2025, Norway): Control system compromised through a weak password; attackers fully opened valves, increasing water discharge 497 L/s above normal for four hours[1].
NotPetya (2017): Spread through supply chain; weak segmentation caused infection of factory automation networks[5].
SolarWinds (2020): Malicious code injected into legitimate Orion software provided access to thousands of organizations[5].
A typical HPP attack scenario: The attacker gains access to the engineering workstation via phishing, captures PLC credentials and modifies flow control commands with incorrect data. Result: sudden turbine trip, energy production disruption and mechanical damage from sudden load changes. Early warning and anomaly detection systems with rapid response capability are vital.
Enterprise Security Architecture: A Layered and Integrated Approach
Security in critical energy facilities cannot be achieved through a single technology or solution. An effective approach requires the coordinated operation of multiple layers, including network security, software security, access control, data analytics, and monitoring.
This approach is built on the following core principles:
• Network segmentation and Zero Trust architecture
• Secure software development processes (SSDLC)
• CI/CD pipeline security controls
• Supply chain verification mechanisms
• Real-time monitoring and anomaly detection
Through this structure, security evolves from a reactive defense mechanism into a proactive and measurable system.
Frequently Asked Questions (FAQ)
Q1: Why is energy plant software considered more critical than other sectors?
Energy plants require real-time control and high reliability due to their uninterrupted power supply mission. According to NIST, ICS/OT systems are subject to instant response times and continuous operation demands. A software error can affect physical processes and lead to serious financial losses[1].
Q2: What are the security weaknesses of common ICS protocols in HPPs?
Legacy protocols like Modbus, DNP3, IEC-104 lack authentication and encryption. Data can be easily eavesdropped or fake commands can be sent. SCADA devices use standard ports; if left uncontrolled, they allow command injection[1][2].
Q3: How is Zero Trust implemented in HPPs?
The OT network is divided into segments, transitions between segments are restricted by firewalls. Access to critical devices is verified with MFA. Network traffic is continuously monitored; upon anomaly detection, the system is immediately isolated. ISA/IEC 62443 envisions this layered architecture[2].
Q4: How is technical risk scoring applied?
Risk = Threat × Vulnerability × Impact formula is used. Each asset’s risk is scored (0-100). Cyber-HAZOP creates detailed scenarios. Investment is prioritized to highest-risk areas[1][5].
Q5: What security measures should be taken in SSDLC and CI/CD?
Code review, SAST, dependency scanning, DAST, container scan, SBOM and signature verification are applied. NIST SSDF recommends static analysis and secret scanning. No unsigned software enters production[3][4].
Q6: How to protect against supply chain attacks?
Maintain SBOM, sign dependencies, pin versions, verify firmware certificates and use secure update channels. SolarWinds showed that even legitimate update channels can be attack vectors[5].
Conclusion
Security in critical energy facilities determines operational continuity as much as competitive advantage. This article covered SCADA/OT architecture vulnerabilities, defense layers, risk analysis methods, software development security and supply chain protection. A problem-solution focused approach was adopted at every stage[1][2][4].
If you would like to learn more about securing critical energy infrastructure and improving OT cybersecurity practices, feel free to contact us: