    What Is SCADA Security?

    What Is SCADA?

    Supervisory control and data acquisition (SCADA) is a class of systems used to monitor and control industrial processes—often spread across large geographic areas—by collecting real-time data from field devices and issuing control commands.

    What Is SCADA Security? A Practical Guide for Critical Infrastructure

    SCADA systems sit at the heart of modern critical infrastructure. They monitor and control power grids, pipelines, water treatment plants, rail networks, manufacturing lines, and more. When a SCADA system is compromised, the impact is measured not only in data loss, but in outages, safety incidents, and real-world disruption.

    SCADA security is the set of strategies, controls, and architectures used to protect these systems from unauthorized access, tampering, and cyber-physical attacks. Done well, it keeps operations safe and available—even when attackers are already inside the network.

    This guide explains:

    • What SCADA systems are and how they differ from other industrial control systems (ICS)
    • The evolving threat landscape targeting SCADA
    • Key standards and regulations shaping SCADA security
    • Best practices to harden SCADA environments
    • How Zero Trust and microsegmentation transform SCADA security without “network surgery”
    • How Zentera’s overlay-based approach protects SCADA systems in live, safety-critical environments

    A typical SCADA system includes:

    • Field devices: Sensors, actuators, programmable logic controllers (PLCs), and remote terminal units (RTUs) connected to pumps, breakers, valves, and other equipment
    • Communications network: Wired, wireless, and serial links carrying telemetry and control traffic across plants, substations, or remote assets
    • SCADA master/servers: Central servers aggregating data, issuing control commands, managing alarms, and storing history
    • Human-machine interface (HMI): Operator consoles and screens used to visualize status, acknowledge alarms, and interact with the process
    • Historians and engineering workstations: Systems used for trending, performance analysis, maintenance, and configuration

    SCADA is widely used in:

    • Electric transmission and distribution
    • Oil and gas pipelines
    • Water and wastewater treatment
    • Transportation and logistics
    • Industrial manufacturing and process control


    SCADA Versus ICS, DCS, and OT

    SCADA lives inside a bigger ecosystem of industrial technologies.

    Industrial technologies where SCADA lives include:

    • Operational technology (OT): The umbrella term for systems that monitor or directly influence physical processes (including ICS, safety systems, and building automation)

    • Industrial control systems (ICS): The broader category of control systems, including SCADA, distributed control systems (DCS), and stand-alone PLC-based systems

    • SCADA: ICS that is designed for remote, distributed environments, with centralized supervision and control

    • DCS: Typically used in more localized, tightly coupled processes (e.g., refining or chemical plants)

    In security terms, SCADA security is a subset of ICS/OT security, focused on the systems that coordinate real-time data acquisition and control, often across untrusted networks and remote locations.

    Why SCADA Security Is Different from IT Security

    Securing SCADA and OT isn’t the same as securing laptops, web apps, or SaaS.

    The difference is often rooted in the fact that SCADA and OT security have prioritized “Availability” over “Confidentiality” and “Integrity” in the C-I-A Triad. In many cases, the “C” and “I” were in place at one time, but as security tools and policies evolved, the hardware that comprised SCADA and OT systems could not keep up, or security teams did not want to disrupt real-time production.

    Security teams also need to consider several other characteristics of SCADA and OT systems that differ from traditional IT security:

    1. Safety and Availability 

    A misoperation can cause physical damage, environmental impact, or safety incidents. Downtime is often unacceptable. OT guidance from NIST emphasizes that availability and safety outrank confidentiality for many ICS environments. 

    2. Legacy Systems and Long Lifecycles

    Many PLCs, RTUs, and HMIs were never designed with cybersecurity in mind, and they can remain in service for 10–20 years or more—often with limited patching options and no support for agents.

    3. Proprietary and Real-Time Protocols

    Protocols such as Modbus, DNP3, and various vendor-specific fieldbuses were built for determinism, not for encryption or authentication. 

    4. Tight Timing Constraints

    Security controls must not break real-time operations or introduce unacceptable latency.

    5. IT-OT Convergence

    SCADA networks are increasingly connected to IT networks, cloud, and remote operations, which erodes the “air gap” and expands the attack surface. 

    The result: SCADA security architectures must be identity-aware, resilient, and minimally disruptive, especially when applied to brownfield environments.


    The SCADA Threat Landscape

    SCADA environments are now high-value targets for both financially motivated attackers and state-aligned actors.

    Examples and patterns include:

    • Ransomware and disruptive attacks: Ransomware targeting industrial organizations has surged, impacting manufacturers, pipeline operators, and utilities. These attacks often start in IT and threaten OT/SCADA by disrupting operations or using OT as leverage.
    • Unauthorized remote access to SCADA consoles: In a widely publicized U.S. water treatment incident, attackers obtained unauthorized remote access to a SCADA system controlling chemical dosing, prompting federal advisories and renewed focus on remote access controls. 
    • Ransomware directly impacting SCADA systems: Joint alerts have documented ransomware strains impacting SCADA systems at water facilities, encrypting systems that monitor and control treatment processes.
    • Stealthy reconnaissance and lateral movement: Attackers use compromised credentials, exposed services, and “living-off-the-land” techniques to traverse flat or poorly segmented networks until they reach SCADA assets.

    Lessons from Major SCADA Attacks

    A series of dramatic SCADA-focused attacks over the last two decades demonstrates how attackers can exploit weak security, a lack of network segmentation, unsecured remote access, and other gaps between IT and OT security. These attacks also demonstrate the value of Zero Trust security models, given their ability to reduce the spread of an attack or prevent compromise in the first place.

    Stuxnet (2010)

    What happened: Stuxnet was the first known SCADA-targeting cyberweapon, developed to sabotage Iranian nuclear centrifuges. The attack used four Windows zero-day exploits and an associated worm that spread through USB media and shared networks. The malware modified PLC logic to damage equipment.

    How attackers gained access: The malware propagated through Windows systems until it reached engineering workstations that were connected to PLCs. Once there, it issued preset commands to the centrifuge controllers.

    What controls could have prevented it:

    • A Virtual Chamber around PLC networks would have blocked lateral movement, while a Zero Trust Gatekeeper would ensure only authenticated, authorized engineering sessions could reach controllers.
    • Strict segmentation between engineering workstations and general-purpose networks, as well as identity-based access controls, would enforce who can program PLCs.

    Ukraine Power Grid Attacks (2015 & 2016)

    What happened: Coordinated attacks on the Ukrainian grid caused power outages for approximately 230,000 customers. These were the first confirmed cyber-induced blackouts.

    How attackers gained access: Attackers spear-phished IT users, slowly explored the network, and moved laterally into OT systems before ultimately manipulating circuit breakers and deploying destructive malware.

    What controls could have prevented it:

    • Zentera’s ZTNA eliminates VPN-style open access, limiting attacker access to the network and hampering reconnaissance. 
    • Virtual Chambers provide real-time policy enforcement that would have blocked unauthorized access, ensuring the integrity of SCADA commands and preventing manipulation of breakers.

    Colonial Pipeline (2021)

    What happened: A ransomware attack against Colonial Pipeline forced a six-day shutdown of the largest fuel pipeline in the U.S., causing widespread fuel shortages across the East Coast.

    How attackers gained access: Attackers used a compromised virtual private network (VPN) password to enter the network, hold the billing system for ransom, and trigger shutdowns.

    What controls could have prevented it:

    • Zentera’s Virtual Chambers would cloak critical business applications like billing systems.
    • Zero Trust Overlay controls would allow business applications to continue to access dependencies in the OT environment.

    Oldsmar Water Treatment Facility (2021)

    What happened: Attackers gained remote access to a water treatment SCADA console and attempted to increase sodium hydroxide levels to dangerous thresholds.

    How attackers gained access: The facility used unsecured remote access tools that were shared across facility operators. This access method also had weak authentication protocols and a flat, unsegmented network.

    What controls could have prevented it:

    • Zentera’s Gatekeeper system would enforce per-user, policy-controlled access to SCADA consoles with no shared credentials. 
    • Virtual Chambers would protect operator workstations and prevent unauthorized lateral movement.

    As more SCADA environments connect to cloud analytics, remote operations centers, and third-party services, the threat surface continues to grow. 

    Common SCADA Security Vulnerabilities

    Across industries and vendors, similar weaknesses show up again and again.
    These weaknesses include:

    1. Flat or poorly segmented networks: Once attackers breach an IT or DMZ system, they can often move laterally into SCADA environments because network boundaries are weak or non-existent.

    2. Legacy protocols and unencrypted traffic: Many SCADA communications are unencrypted, unauthenticated, or both. Tools on the same network segment can sniff or modify traffic, enabling command injection or data spoofing.

    3. Default or shared credentials: Shared operator accounts, default passwords, and vendor “backdoor” accounts remain common in field devices and HMI systems.

    4. Unsecured remote access paths: VPNs, remote desktop gateways, and vendor support channels may bypass proper authentication or monitoring, or terminate too close to critical SCADA assets.

    5. Limited monitoring inside OT networks: Traditional controls focus on perimeter firewalls. Internal east-west traffic within SCADA environments often lacks visibility and anomaly detection, a gap now being addressed by standards such as NERC CIP-015-1’s internal network security monitoring requirements.

    6. Patching and configuration gaps: Many SCADA components cannot be patched frequently, or at all, without planned outages. Without compensating controls, known vulnerabilities can remain exploitable for years. 

    Most SCADA Systems Are Running Legacy Protocols

    The U.S. Department of Homeland Security’s advisories note that a large share of SCADA systems still rely on legacy protocols like Modbus and DNP3. These protocols were developed decades ago, before modern encryption and authentication tools. This means many organizations running OT systems are still transmitting critical operational data in cleartext and are vulnerable to interception, spoofing, and unauthorized command injection.

    SCADA Systems Are Often Exploited Within Hours of Initial Network Access

    As seen in the major SCADA attacks described earlier, attackers can take a variety of different approaches to gain an initial foothold and obtain access to SCADA systems. However, industry research shows that once an attacker is in, exploitation of SCADA systems is often quick because of well-known, unpatched vulnerabilities and well-documented device configurations.

    SCADA Security Standards and Regulations

    Several standards, frameworks, and regulations shape how organizations secure SCADA.

    DTM 25-003: Implementing the DoD Zero Trust Strategy

    The mandate builds on previous Department of Defense (DoD) Zero Trust mandates for OT and SCADA control systems by emphasizing identity-driven controls for brownfield environments. Overlay-based security solutions help where deploying agents would be costly or would hinder production.

    NIST SP 800-82: Guide to ICS/OT Security

    This resource provides foundational guidance on securing ICS, including SCADA systems, with recommended architectures, countermeasures, and risk management practices. 

    ISA/IEC 62443: Industrial Automation and Control Systems Security

    This resource provides a comprehensive standard family for industrial automation and control systems (IACS) across their lifecycle that addresses people, processes, and technology, and explicitly references ICS and SCADA environments.

    IEC 62443: Zero Trust Alignment Resource

    This comprehensive guide outlines the role of Zero Trust in achieving IEC 62443 compliance and key implementation considerations. 

    NERC CIP: Critical Infrastructure Protection (Power Sector)

    For North American bulk electric system operators, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards define required controls for Bulk Electric System (BES) cyber systems, including many SCADA assets. CIP-015-1 introduces internal network security monitoring (INSM) requirements inside electronic security perimeters. 

    Sector-Specific Regulations and Guidance

    Many countries and regions now treat energy, water, and other SCADA-heavy sectors as regulated critical infrastructure, with frameworks like the European Union’s NIS2 Directive and national OT security guidelines building on NIST and IEC 62443 concepts.

    For asset owners, these frameworks are both a compliance obligation and a road map for strengthening SCADA resilience.

    Core Principles of SCADA Security

    Most SCADA security programs are built on the following key principles.

    The CIA Triad (with “Safety” Added)

    The classic Confidentiality, Integrity, Availability (CIA) Triad applies to SCADA, with a twist: integrity and availability often outweigh confidentiality, and safety is an explicit concern. 

    • Confidentiality: Limit who can see sensitive operational data.
    • Integrity: Ensure commands and measurements cannot be tampered with.
    • Availability: Keep control systems up and responsive.
    • Safety: Prevent physical harm to people, equipment, and the environment.

    Defense in Depth

    No single control can secure a SCADA environment. Effective architectures will layer:

    • Network segmentation and microsegmentation
    • Strong identity and access management
    • Hardened endpoints and servers
    • Monitoring, anomaly detection, and incident response
    • Governance, training, and physical security

    Zero Trust: Assume Breach

    Zero Trust principles—“never trust, always verify” and “assume breach”—map well to SCADA. Instead of trusting anything on a given network segment, every access request is verified and constrained to the minimum needed, reducing lateral movement and limiting blast radius.

    SCADA Security Architecture: From Purdue to Zero Trust

    Many SCADA environments are still described using the Purdue Model.

    The Purdue Model separates:

    • Levels 0–1: Physical devices and basic control
    • Level 2: Area supervisory control (local HMIs, SCADA)
    • Level 3: Site operations and manufacturing
    • Level 4+: Business and enterprise IT

    Firewalls and DMZs sit between these layers to define “zones and conduits.”

    In practice, however:

    • Exceptions accumulate for remote access, vendor support, or cloud connectivity.
    • Flat “islands” appear inside zones where internal traffic isn’t inspected.
    • Adding more firewalls can increase complexity without closing gaps. 

    Zero Trust Architecture Deployment Models

    Modern SCADA environments are often a mix of legacy controllers, modern servers or human-machine interfaces (HMIs), and cloud-connected systems. Zero Trust can adapt to this mix without disrupting operations. Organizations can use the following considerations to customize their deployment.

    Agent-Based vs. Agentless

    • Use agent-based controls for IT-like assets (e.g., servers, HMIs, and engineering workstations).
    • Use agentless overlays or gateways for programmable logic controllers (PLCs), remote terminal units (RTUs), relays, and other devices that cannot run software.
    • Most OT programs use a hybrid mix, applying agents only where appropriate.

    Zero Trust Gatekeeper vs. Virtual Chambers

    • Gatekeeper: Best for controlling who can reach SCADA zones—remote access, vendor sessions, or engineering workstation flows.
    • Virtual Chambers: Best for isolating what’s inside the zone, microsegmenting SCADA clusters, and limiting lateral movement.
    • Hybrid approach: An organization can combine the two by using agents on workstations, gatekeepers at access points, and virtual chambers around critical systems.

    Whatever the approach, modern Zero Trust systems can be managed under a unified Zero Trust policy.

    Why Perimeter-Only SCADA Security Falls Short

    As attackers demonstrate repeatedly, perimeter-centric designs struggle with:

    • Compromised VPN accounts or jump hosts
    • Lateral movement across flat subnets
    • Blind spots inside supposedly “trusted” zones
    • Legacy assets that can’t run agents or be easily re-IP’d

    To address these gaps, many operators are turning to Zero Trust architectures and microsegmentation tailored for OT environments. 

    SCADA Security Best Practices

    Below are practical controls that consistently show up in effective SCADA security programs and current guidance.

    1. Secure What Matters Most

    Apply Zero Trust protections to the SCADA and ICS systems that have the greatest impact on operations and/or safety in order to reduce risk fast.

    • Use Zero Trust solutions like microsegmentation to limit access and hinder lateral movement without having to re-IP networks or disrupt production.
    • Monitor access patterns to refine policies.

    2. Broaden Network Segmentation for Other Assets

    Identify additional assets to expand Zero Trust protections using segmentation.

    • Separate additional SCADA assets from corporate IT and internet access.
    • Use firewalls, data diodes, or specialized gateways between zones.
    • Prefer application-level or identity-aware segmentation where possible, instead of relying solely on IP subnets and static access control lists (ACLs).

    3. Harden Remote and Vendor Access

    Remote access is one of the highest-risk paths into SCADA environments, so take the following precautions:

    • Replace shared accounts and generic VPN access with identity-based, least-privilege access per role and system.
    • Enforce multi-factor authentication (MFA) for all remote access to SCADA environments.
    • Use brokered, time-limited access for vendors, with session recording where feasible.
    • Terminate remote sessions in a Zero Trust DMZ or secure overlay, not directly on SCADA hosts.

    4. Secure SCADA Protocols and Data in Transit

    Where protocols and devices support it:

    • Encrypt traffic between control centers and remote sites.
    • Wrap legacy protocols (like Modbus or DNP3) inside secure tunnels that authenticate endpoints and protect against spoofing or tampering.
    • Restrict which systems can initiate SCADA sessions and to which devices.

    5. Apply Strong Identity, RBAC, and Least Privilege

    Treat operator and engineer access as high-value by taking the following steps:

    • Integrate SCADA user access with centralized identity where practical.
    • Apply role-based access control (RBAC), ensuring different roles (e.g., operator, engineer, vendor, or administrator) have clearly separated permissions.
    • Regularly review and prune access, and avoid privileged “catch-all” accounts. 

    6. Manage Patching and Compensating Controls

    Given the constraints on patching, prioritize patches by risk and criticality, and plan maintenance windows thoughtfully. Where patching isn’t feasible, use the following compensating controls:

    • Place vulnerable systems behind stricter microsegmentation policies.
    • Limit allowed communications to known-good destinations and ports.
    • Monitor those systems more closely for anomalies.
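    The remote-access, RBAC, and compensating-control practices in sections 3, 5, and 6 above all reduce to the same decision: an identity with a role asks to reach an asset on a port, and the answer is deny unless a narrow, current grant says otherwise. The following Python is an added example written for this article, not Zentera product code. The asset names, roles, ports, and the reference time are constructed, and the "compensating control" for an unpatched PLC is modelled as a per-asset port allowlist plus a ban on remote sessions, which is one way to express the section 6 advice.

```python
"""Identity-based access decision for SCADA assets (added example, not Zentera code).

Default deny. Grants are keyed on role rather than IP address, every remote
request must carry MFA, vendor grants are time-boxed, and an unpatched legacy
PLC is wrapped in a stricter per-asset allowlist as a compensating control.
All names, ports, and times below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    role: str        # operator | engineer | vendor | admin (hypothetical roles)
    mfa: bool        # did the session pass multi-factor authentication?
    remote: bool     # does the session originate outside the SCADA zone?
    target: str      # asset name from the inventory
    port: int
    at: datetime


@dataclass(frozen=True)
class Rule:
    role: str
    targets: frozenset
    ports: frozenset
    expires: Optional[datetime] = None   # set for time-limited (vendor) grants


NOW = datetime(2025, 1, 15, 10, 0)       # constructed reference time

# Constructed least-privilege policy: each role gets only the assets and ports it needs.
POLICY = [
    Rule("operator", frozenset({"hmi-1"}), frozenset({5900})),
    Rule("engineer", frozenset({"plc-1", "plc-legacy", "eng-ws-1"}), frozenset({502, 22})),
    Rule("vendor", frozenset({"plc-1"}), frozenset({502}), expires=NOW + timedelta(hours=4)),
]

# Compensating control for an asset that cannot be patched: only these ports,
# and never from a remote session, regardless of what the role rule would allow.
COMPENSATING = {"plc-legacy": frozenset({502})}


def evaluate(req: Request):
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    if req.remote and not req.mfa:
        return False, "remote access requires MFA"
    role_rules = [r for r in POLICY if r.role == req.role]
    if not role_rules:
        return False, f"no policy for role '{req.role}'"
    matching = [r for r in role_rules if req.target in r.targets and req.port in r.ports]
    if not matching:
        return False, f"role '{req.role}' has no grant for {req.target}:{req.port}"
    live = [r for r in matching if r.expires is None or req.at < r.expires]
    if not live:
        return False, "grant has expired"
    if req.target in COMPENSATING:
        if req.port not in COMPENSATING[req.target]:
            return False, f"{req.target} is unpatched; port {req.port} blocked by compensating control"
        if req.remote:
            return False, f"{req.target} is unpatched; remote sessions are blocked"
    return True, "allowed by least-privilege policy"


# Constructed sample requests covering each decision path.
SAMPLES = [
    Request("alice", "engineer", True, False, "plc-1", 502, NOW),                      # allow
    Request("bob", "operator", False, True, "hmi-1", 5900, NOW),                       # deny: no MFA
    Request("vend1", "vendor", True, True, "plc-1", 502, NOW + timedelta(hours=1)),    # allow: inside window
    Request("vend1", "vendor", True, True, "plc-1", 502, NOW + timedelta(hours=5)),    # deny: expired
    Request("alice", "engineer", True, False, "plc-legacy", 22, NOW),                  # deny: compensating
    Request("carol", "admin", True, False, "plc-1", 502, NOW),                         # deny: no rule
]


def run_samples():
    """Decisions for the constructed requests, in order."""
    return [evaluate(r)[0] for r in SAMPLES]


if __name__ == "__main__":
    for req in SAMPLES:
        allowed, reason = evaluate(req)
        print(f"{req.user:6} {req.role:9} {req.target}:{req.port} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

    The order of the checks is deliberate: the MFA test runs before any grant lookup so a missing factor never reaches the policy, and the compensating-control check runs after a grant is found so that a role's normal access to a healthy asset is unchanged while the unpatched one stays narrowly reachable.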

    7. Monitor Internal SCADA Traffic and Behavior

    Traditional perimeter monitoring is not enough. Consider taking the following precautions, as well:

    • Deploy OT-aware monitoring within SCADA networks to detect anomalous commands, new devices, and unexpected traffic patterns.
    • Align monitoring with emerging requirements like NERC CIP-015-1 for internal network security monitoring.
    • Integrate telemetry with SOC workflows, incident response plans, and industrial threat intelligence.
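    The cleartext nature of legacy protocols described under "Legacy protocols and unencrypted traffic" is also what makes the OT-aware monitoring in this section possible: because a Modbus/TCP frame carries its function code and register addresses in the clear, a passive sensor can decode every command and compare it with a baseline of which hosts may read and which may write. The following Python is an added example for this article, not Zentera's code or a product feature. The asset inventory, IP addresses, write policy, and sample frames are constructed; the frame layout (7-byte MBAP header followed by function code and data) and the public function code numbers follow the Modbus/TCP specification.

```python
"""Passive Modbus/TCP monitor (added example for this article, not Zentera's code).

Parses Modbus/TCP frames from constructed sample flows and raises defender-side
alerts when traffic deviates from a known baseline: an unknown source device,
a write command from a host that is not authorized to write, a function code
outside the expected set, or a malformed frame. Asset names, addresses, and the
policy below are hypothetical.
"""
import struct
from dataclasses import dataclass

# Modbus public function codes relevant to this example.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
BASELINE_FUNCTIONS = set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS)

# Constructed asset inventory and write policy (hypothetical).
ASSETS = {"10.1.2.10": "hmi-1", "10.1.2.50": "eng-ws-1", "10.1.3.20": "plc-1"}
WRITE_AUTHORIZED = {"10.1.2.50"}  # only the engineering workstation may write


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header plus the function code that follows it."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", raw[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts the unit id byte plus the whole PDU.
    if length != len(raw) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(transaction_id, unit_id, raw[7], raw[8:])


def describe(frame: ModbusFrame) -> str:
    """Summarize a frame; every field is readable because Modbus/TCP has no encryption."""
    name = (READ_FUNCTIONS.get(frame.function_code)
            or WRITE_FUNCTIONS.get(frame.function_code)
            or f"function {frame.function_code}")
    if frame.function_code == 6 and len(frame.data) >= 4:
        addr, value = struct.unpack(">HH", frame.data[:4])
        return f"{name} addr={addr} value={value}"
    if frame.function_code in (3, 4) and len(frame.data) >= 4:
        addr, count = struct.unpack(">HH", frame.data[:4])
        return f"{name} addr={addr} count={count}"
    return name


def analyze(flows):
    """Return (kind, source, detail) alerts for flows given as (src, dst, raw_bytes)."""
    alerts = []
    for src, dst, raw in flows:
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(("malformed", src, str(exc)))
            continue
        detail = f"{src}->{dst} unit {frame.unit_id}: {describe(frame)}"
        if src not in ASSETS:
            alerts.append(("unknown_source", src, detail))
        elif frame.function_code not in BASELINE_FUNCTIONS:
            alerts.append(("unexpected_function", src, detail))
        elif frame.function_code in WRITE_FUNCTIONS and src not in WRITE_AUTHORIZED:
            alerts.append(("unauthorized_write", src, detail))
    return alerts


# Constructed sample traffic: MBAP header, unit id, function code, then data.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.3.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # HMI reads 10 registers
    ("10.1.2.50", "10.1.3.20", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),  # engineer writes register 16
    ("10.1.2.10", "10.1.3.20", bytes.fromhex("0003 0000 0006 01 06 0010 03e8")),  # HMI attempts a write
    ("10.1.9.99", "10.1.3.20", bytes.fromhex("0004 0000 0006 01 03 0000 0001")),  # host not in inventory polls
    ("10.1.2.50", "10.1.3.20", bytes.fromhex("0005 0000 0006 01 08 0001 0000")),  # diagnostics, not in baseline
    ("10.1.2.10", "10.1.3.20", bytes.fromhex("0006 0001 0006 01 03 0000 0001")),  # wrong protocol id
]

if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_FLOWS):
        print(f"[{kind}] {src}: {detail}")
```

    The monitor is passive: it never injects traffic or changes timing on the control network, which is the constraint section 4 of "Why SCADA Security Is Different" imposes. The same decode-and-compare approach extends to DNP3 or vendor protocols once a parser for each is available, and the alert tuples are what would be forwarded to the SOC workflow mentioned above.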

    8. Prepare for Incidents and Recovery

    Create and test an OT/SCADA-aware incident response plan that includes the following:

    • Define playbooks for suspected SCADA compromise (e.g., containment steps that won’t endanger safety).
    • Maintain validated offline backups of critical configurations (such as PLCs, RTUs, and SCADA servers).
    • Practice tabletop exercises that involve both IT security and operations staff.

    9. Build a Culture of Security in Operations

    Technology controls only work if people use them correctly. Ensure your operations include a culture of security by taking the following steps:

    • Train operators, engineers, and technicians on phishing prevention, remote access hygiene, and reporting of suspicious behavior.
    • Include vendors and contractors in relevant policies and onboarding.
    • Make security a shared responsibility between IT, OT, and risk/compliance.

    Zero Trust for SCADA and OT: Zentera’s Perspective

    Many SCADA environments were designed long before Zero Trust—but they can still benefit from it, if applied in the right way. Zentera’s approach is to implement Zero Trust as an overlay, not a disruptive network re-architecture.

    Zero Trust Fabric as a Secure Overlay

    Zentera’s CoIP® Platform implements Zero Trust controls above existing networks, cloaking critical assets from unauthorized traffic while preserving existing IP schemes and physical connectivity.

    Virtual Chambers Around SCADA Systems

    Instead of relying solely on perimeter firewalls, Virtual Chambers create logical “bubbles” around SCADA servers, HMIs, and engineering workstations. Only authenticated, authorized identities can reach them—packet by packet—blocking lateral movement and hiding assets from discovery.

    Zero Trust DMZ for OT

    For environments where software agents cannot be installed on PLCs or HMIs, Zentera’s Zero Trust Gatekeeper deploys inline as a Zero Trust DMZ for OT, enforcing identity- and policy-based access to SCADA networks with minimal disruption.

    Agentless Protection for Legacy ICS and SCADA

    Even devices that cannot be patched or upgraded can be shielded behind overlay-based controls that:

    Alignment with IEC 62443, NIST 800-82, and NERC CIP

    By building strong segmentation, identity-centric access control, and internal monitoring into the overlay, operators can make meaningful progress toward IEC 62443 zones and conduits, NIST guidance for ICS security, and NERC CIP-driven visibility and access control requirements. 

    The net effect: SCADA security that reduces risk quickly, without “ripping and replacing” production networks.

    SCADA Security in Key Industries

    Here are the key industries reliant on SCADA.

    Electric Utilities and the Grid

    Utilities rely on SCADA to monitor substations, breakers, transformers, and distribution networks. New mandates such as NERC CIP-015-1 emphasize internal network monitoring and stricter remote access controls.

    • Virtual Chambers can isolate protection relays and substation controllers.
    • Zero Trust DMZs can broker vendor and operator remote access without exposing internal SCADA networks.

    Oil and Gas Pipelines

    Pipeline SCADA systems manage pressures, flows, valves, and safety systems along hundreds or thousands of miles. The Colonial Pipeline ransomware attack highlighted the operational and economic impact when these environments are disrupted.

    Water and Wastewater

    Water utilities use SCADA to control pumps, valves, and treatment processes. Incidents affecting water treatment facilities have underscored the potential safety impact of cyber-physical manipulation. 

    • Microsegmentation and strict remote access policies reduce the chance that an attacker can change chemical dosing or override safety interlocks.
    • Monitoring internal SCADA traffic can detect unusual commands or configuration changes.

    Manufacturing and Industrial Production

    Manufacturers use SCADA for real-time monitoring of lines, equipment, and environmental conditions. Ransomware and ICS-targeting attacks have made this sector one of the most frequently targeted by adversaries.

    How to Get Started: A Practical Road Map

    Moving from concept to implementation doesn’t need to be overwhelming. A pragmatic road map might include the following steps:

    1. Clarify objectives and constraints.

    • What are your top safety and reliability concerns?
    • Which regulatory frameworks (NERC CIP, IEC 62443, NIS2, and so on) apply? 
      • Determine the specific compliance mandates for your industry. Zentera provides technical guides to help you map Zero Trust controls to these requirements:

    2. Identify critical assets and define Zero Trust chambers.

    • Identify SCADA assets that need to be protected, determine the Zero Trust chambers needed to isolate them, and define who or what can access them.
    • Map supporting systems, data flows, and dependencies, as needed, to enforce the access policies and prevent lateral movement. 

    3. Estimate ROI and business impact.

    • Quantify the cost of downtime for critical SCADA and OT processes to set a baseline for future risk reduction.
    • Include avoided compliance penalties and the exposures surfaced by process audits.
    • Factor in insurance and operational efficiency gains, including lower insurance premiums, reduced change windows, and safer remote access.

    4. Design Zero Trust chambers.

    • Define logical zones for SCADA assets and the identities that should reach them.
    • Map out where a Zero Trust overlay, Zero Trust Gatekeeper, or Zero Trust DMZ can provide maximum risk reduction.

    5. Pilot in a focused area.

    • Start with a single plant, substation group, or SCADA subsystem.
    • Prove that you can reduce risk without impacting uptime or operator usability.

    6. Scale and integrate with compliance.

    • Extend controls across sites and fleets.
    • Map overlay-based controls to IEC 62443 requirements, NIST recommendations, and NERC CIP evidence needs.

    7. Continuously monitor and refine.

    • Use telemetry to tune policies.
    • Incorporate lessons learned from incidents, red-teaming, and audits.

    See How Zero Trust Protects SCADA and OT

    If you’re responsible for SCADA environments in utilities, manufacturing, energy, or other critical infrastructure, the pressure to improve security and meet evolving standards is only increasing.

    Zentera’s CoIP Platform, Virtual Chambers, and Zero Trust Gatekeeper give you a Zero Trust fabric for SCADA that:

    • Cloaks critical SCADA assets from unauthorized access
    • Enforces identity-based, packet-level policy around PLCs, RTUs, HMIs, and servers
    • Bridges IT and OT without redesigning your network or taking systems offline 
