SCADA security protects the systems that supervise and control critical physical processes: power grids, water treatment plants, pipelines, manufacturing lines and electrical substations. A SCADA system (Supervisory Control And Data Acquisition) does not manage abstract data, it governs turbines, valves, pumps and relays whose failure has real-world consequences. That distinction changes everything: in SCADA, the availability and integrity of the process matter far more than confidentiality, and a security lapse can translate into a blackout, a spill or a production stoppage with a multimillion-euro price tag.
This article is a system-specific deep dive into SCADA security, a companion to our broader overview of IoT and OT cybersecurity. We walk through the architecture of a SCADA system, its particular threat model, defense-in-depth best practices and how a professional OT penetration test is carried out on these environments.
What SCADA is and how its architecture works
A SCADA system is the supervisory and control layer that connects human operators with industrial machinery distributed across the field. Its core components are:
- HMI (Human-Machine Interface): the workstation where the operator visualizes process state and issues commands. It is usually a Windows PC running specialized software such as Wonderware, WinCC, Ignition or FactoryTalk.
- PLC (Programmable Logic Controller): the controller that executes automation logic in real time, reading sensors and driving actuators. Common families include the Siemens S7 line and Rockwell's Allen-Bradley.
- RTU (Remote Terminal Unit): a field device, similar to a PLC but optimized for telemetry in remote, dispersed locations such as pumping stations or substations.
- Historian: a time-series database that records millions of process values for analysis, compliance and optimization. It is also a frequent bridge between the OT network and the corporate network.
- SCADA server or MTU (Master Terminal Unit): the central node that aggregates data from PLCs and RTUs and distributes supervisory logic.
These components communicate through industrial protocols designed decades ago for isolated, trusted networks, not for the Internet. Modbus (TCP on port 502) has no authentication or encryption whatsoever: anyone who can reach the port can read or write registers. DNP3 (port 20000), widespread in the electricity and water sectors, was likewise born without security, although it later added the Secure Authentication (SAv5) extension. Other common protocols include IEC 60870-5-104 and IEC 61850 in substations, OPC UA, PROFINET and EtherNet/IP. The key lesson is that, in their native form, most of them never validate who sends a command or protect its contents.
The SCADA-specific threat model
The SCADA threat model is not a copy of the IT one. Here the attacker's goal is rarely to exfiltrate data, it is to manipulate or disrupt the physical process. Recent history proves it with cases that are now mandatory reference points:
- Stuxnet (2010): the first malware engineered to cause physical damage. It reprogrammed Siemens S7-300 PLCs at the Natanz enrichment plant, altering centrifuge speeds while feeding operators falsified normal readings. It proved that even an air-gapped system is reachable.
- Industroyer / CrashOverride (2016): modular malware that caused a power outage in Kyiv by natively speaking the IEC 101, IEC 104, IEC 61850 and OPC DA protocols. Its successor, Industroyer2, resurfaced in 2022 against Ukrainian infrastructure.
- TRITON / TRISIS (2017): it attacked Schneider Electric's Triconex Safety Instrumented Systems (SIS), the last barrier designed to prevent catastrophic accidents. It is the most disturbing example of an adversary aiming directly at functional safety.
Beyond these targeted attacks, the everyday threat is more mundane. Search engines like Shodan and Censys catalog thousands of HMIs, password-less VNC servers and Modbus 502 ports exposed directly to the Internet. Many are the result of misconfigured remote access or a forgotten integrator connection. The MITRE ATT&CK for ICS framework documents how these weaknesses chain together: techniques such as T0812 (Default Credentials), T0855 (Unauthorized Command Message) or T0836 (Modify Parameter) let an attacker with network access send legitimate commands to a PLC without exploiting any software vulnerability. The protocol simply obeys.
This picture ties into the regulatory exposure of the energy sector under NIS2, where grid operators and utilities are required to demonstrate effective controls over their industrial control systems.
SCADA security best practices
Protecting SCADA calls for defense in depth adapted to the operational constraints of the environment. These are the practices we consider non-negotiable.
Segmentation following the Purdue model
The Purdue model (based on ISA-95) organizes the architecture into levels, from field devices (level 0) up to the corporate and business network (levels 4 and 5). Between the OT zone and the IT zone there must be an industrial DMZ (IDMZ) that prevents direct traffic. No historian, no engineering workstation and no HMI should be reachable from the corporate network without passing through intermediate controls. The IEC 62443 standard formalizes this approach through zones and conduits, assigning each zone a target security level (SL1 to SL4).
Secure remote access
Remote access by vendors and integrators is one of the most exploited vectors. The rule is to never allow a direct VPN into the OT network. Instead, access is channeled through a jump host or bastion in the IDMZ, with mandatory multi-factor authentication, recorded sessions, explicit per-window approval and single-use credentials. For data flows that only leave OT toward IT (for example, shipping historian data to analytics), data diodes or unidirectional gateways physically remove any possibility of an inbound command.
Patch management and compensating controls
In SCADA you cannot reboot a PLC at will or install patches immediately: a poorly tested update can bring the plant down. The realistic strategy combines planned maintenance windows, prior testing in a mirrored environment and, when patching is not viable, compensating controls: virtual patching at the industrial firewall, application allowlisting on HMIs and engineering workstations, and strict isolation of assets that cannot be updated.
Passive OT monitoring
Visibility is the foundation of everything else. OT monitoring must be passive, listening to traffic via port mirroring or TAPs without injecting packets that could disturb the process. Specialized platforms such as Nozomi Networks, Claroty or Dragos, and open tools like Zeek with ICS parsers, build a live asset inventory, detect anomalous communications and alert on unusual write commands. A complete, up-to-date asset inventory is, in fact, the first control we find missing in most audits. The NIST SP 800-82 standard (Guide to Operational Technology Security) captures this set of recommendations as a recognized technical reference.
SCADA pentesting: validating security against the real process
Penetration testing a SCADA environment is nothing like a web audit. An aggressive Nmap scan can crash an old PLC and a malformed Modbus packet can trigger an emergency shutdown, so the methodology prioritizes process safety over test exhaustiveness: it begins with the passive phase (traffic capture with Wireshark and its industrial dissectors, without sending a single packet to the process) and only afterward applies controlled active tests against a lab or replica environment. Typical objectives are validating the real IT/OT segmentation (not the one on the diagram), locating default credentials on PLCs and HMIs, checking whether protocols accept unauthenticated commands, and assessing vendor remote access.
The full technical arsenal, the rules of engagement, the grading of active tests and their alignment with MITRE ATT&CK for ICS and IEC 62443 are covered in the dedicated guide to industrial pentesting and OT/ICS assessment. At Secra we run these exercises within our IoT/OT security audit, always with explicit client agreement, within maintenance windows and with an approach that starts non-intrusive.
Frequently asked questions
What is the difference between SCADA, ICS and OT?
OT (Operational Technology) is the broadest term: it covers all technology that interacts with physical processes. ICS (Industrial Control System) is the subset of industrial control systems, and SCADA is a specific type of ICS focused on supervising and acquiring data from geographically distributed processes. Put simply: all SCADA is ICS and all ICS is OT, but not the other way around. We expand this hierarchy and its defensive implications in the guide to what OT/ICS security is.
Why are SCADA protocols like Modbus insecure?
Because they were designed for isolated, trusted serial networks in the 1980s and 1990s, when Internet connectivity was not part of the model. Modbus, DNP3 in its original version and IEC 104 included no authentication or encryption, so they accept any command they receive as legitimate. Security must be layered on top, through network segmentation, access control and monitoring.
Can you run a SCADA penetration test without stopping production?
Yes, but with strict precautions. The passive traffic-analysis phase never touches the process and yields a great deal of information. Active testing is reserved for lab or replica environments, or for agreed maintenance windows, never for improvised scans against production. The golden rule is that physical process safety always prevails over test depth.
Which standards govern SCADA security?
The main references are IEC/ISA 62443 for industrial automation and control system security, NIST SP 800-82 as a technical OT security guide, and in the North American electricity sector the NERC CIP standards. In Europe, the NIS2 Directive additionally imposes risk-management and reporting obligations on critical infrastructure operators.
How do I start protecting an existing SCADA environment?
The first step is visibility: a complete asset inventory and a real map of communications and IT/OT bridges. From there you prioritize Purdue-model segmentation, remote-access control and passive monitoring. A professional OT audit accelerates this diagnosis and delivers a remediation plan ordered by risk.
Related reading
- What OT/ICS security is
- Industrial pentesting and OT/ICS assessment
- IEC/ISA 62443: OT cybersecurity standard
- IoT and OT cybersecurity: critical threats in 2026
- Industry 4.0 and OT cybersecurity: NIS2 protection
SCADA security and OT assessment with Secra
Secra evaluates SCADA environments with operational sensitivity: we start from passive discovery and asset inventory, validate IT/OT segmentation and the Purdue model, review vendor remote access and map findings to IEC 62443, all without compromising production. Every active test is agreed, scoped and reserved for a lab or maintenance windows.
If you operate power grids, water plants, pipelines or manufacturing lines and need to validate your real attack surface before an attacker does, explore our IoT/OT security audit or contact our team for a no-commitment initial conversation.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

