
A practical framework to protect digital substations

Explore the unique cybersecurity challenges facing digital substations and a practical framework for grid operators to strengthen their security posture, giving engineers more control, more insight and stronger defensive boundaries than ever before.

Breaking the ICS Kill Chain

Digital substations are a key component in the ongoing digital transformation of electric power systems. While this modernization brings unprecedented efficiency and visibility improvements, it also opens the door for potential cybersecurity issues. The convergence of operational technology (OT) and information technology (IT) in digital substations creates opportunities for attackers to deliver widespread power outages, equipment damage, and threats to public safety. In this article we examine the cybersecurity challenges facing digital substations and provide a practical framework for grid operators to strengthen their security posture.

The 2015 Ukraine Power Grid Attack – A Wake-Up Call

In December of 2015, approximately 225,000 Ukrainian citizens experienced a blackout, creating a watershed moment in digital substation security. The attack, attributed to the Sandworm threat group using BlackEnergy malware, marked the first publicly acknowledged successful attack against the electric power infrastructure resulting in a loss of power for customers.

The attackers executed a deliberate, well-planned, multistage cyber operation. After months of reconnaissance and network infiltration through spear-phishing campaigns, they gained access to the utility's corporate IT networks. From there, the attackers pivoted to the substation OT networks, eventually utilizing a combination of legitimate remote access tools and malicious firmware to disrupt power service and hamper recovery efforts.

This incident revealed several critical security concerns for digital substation operators: inadequate network segmentation between IT and OT environments, insufficient monitoring of OT networks, lack of multi-factor authentication for remote access, and limited visibility into substation operations.

Let’s explore how to solve these challenges and put digital substations on strong cybersecurity footing.


Framing the Problem: Thinking Like an Attacker

In order to best understand how to protect digital substations, let’s take the attacker’s perspective using the Industrial Control System Kill Chain. This kill chain organizes attacker actions into a series of operations that build off one another to deliver the intended effect at the end of the chain (in our Ukraine example, loss of electric power). For our purposes, we’ll use a condensed version of the kill chain, outlining the steps as Preparation, Intrusion, Pivot to OT, and Execute OT Attack.

Preparation

Attackers begin by gathering intelligence about their target. For utilities, this might include identifying substation locations, understanding SCADA architecture, researching vendor equipment, and mapping network infrastructure. The 2015 Ukraine attackers spent months studying their targets. Similarly, the 2021 Colonial Pipeline attack began with reconnaissance that identified vulnerable VPN credentials.

Defensive Controls: Utilities should minimize their digital footprint by limiting publicly available information about substation configurations and control systems. Employee security awareness training should emphasize the risks of oversharing operational details on social media or professional networks, as well as proper handling of sensitive data.

Intrusion

Attackers gain entry to the target environment. Common entry methods include spear-phishing emails, compromised software updates, infected USB drives, or exploitation of internet-facing systems. The Ukraine attackers used spear-phishing with malicious Microsoft Office attachments, which allowed the installation of the BlackEnergy malware and the necessary foothold for follow-on actions.

Defensive Controls: Follow best practices for enterprise IT cybersecurity, including robust email security solutions with advanced threat protection and sandboxing capabilities, antivirus/EDR solutions for corporate workstations, network intrusion detection systems, and security operations centers (either in-house or delivered as a managed service). Ensure that OT teams are aligned to and up to date with enterprise IT cybersecurity strategy.

Pivot to OT

Having gained access to corporate IT networks, attackers look to extend their reach into OT networks like those found in digital substations. This is typically done through exploitation of insecure remote access solutions, stealing valid user credentials from compromised IT systems, or utilizing infected transient devices like phones and laptops. The usage of infected USB drives in the Stuxnet attack is one example of how even air-gapped networks can be compromised. In the Ukraine attack, attackers utilized stolen credentials from IT systems to access OT networks via VPN connections.

Defensive Controls: Establish strict policies for removable media and external devices. Maintain an up-to-date asset inventory of all software and firmware, and keep assets updated with digitally signed security patches (as much as operations allow). Network access control (NAC) solutions can prevent unauthorized devices from connecting to substation networks, while segmenting the network between IT and OT, and between substation zones, will disrupt lateral movement. Deploy industrial intrusion detection systems (IDS) that understand OT protocols and can identify anomalous communications. Secure remote access using multi-factor authentication and ensure that third-party remote access (typically for vendor maintenance) is similarly secured. Eliminate default credentials on all IEDs, relays, and network devices, ideally implementing role-based access control. Finally, regular vulnerability assessments of OT networks help identify weaknesses before attackers do.
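To make the "IDS that understands OT protocols and identifies anomalous communications" control concrete, here is an added example, written for this article and not code from any vendor product or from the original page. It learns a baseline of which devices converse over which protocol during a quiet window, then ranks deviations by whether they cross a zone boundary (IT or DMZ into the OT bay) or introduce an unknown peer speaking an OT protocol. Every subnet, host, port and flow record is constructed for illustration.

```python
"""Baseline-and-deviate detection for substation network conversations.

Added example (not code from the article or any vendor product): an OT IDS
learns which devices talk to which, over which protocol, during a quiet
learning window and then alerts on conversations outside that baseline.
All hosts, subnets, ports and flow records are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Well-known OT protocol ports, used only to name alerts readably.
OT_PORTS: Dict[int, str] = {
    102: "IEC 61850 MMS",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
}

# Constructed zone layout: corporate IT, substation DMZ, substation OT bay.
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "DMZ": ip_network("10.50.0.0/24"),
    "OT": ip_network("192.168.10.0/24"),
}

FlowKey = Tuple[str, str, int, str]


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.dport, self.proto)


def zone_of(host: str) -> str:
    """Return the security zone a host belongs to, or UNKNOWN."""
    addr = ip_address(host)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def learn_baseline(flows: List[Flow]) -> Set[FlowKey]:
    """Record every conversation observed during the learning window."""
    return {f.key() for f in flows}


def detect_anomalies(baseline: Set[FlowKey], observed: List[Flow]) -> List[dict]:
    """Alert on conversations absent from the baseline, ranked by zone and protocol."""
    alerts = []
    for f in observed:
        if f.key() in baseline:
            continue
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        proto_name = OT_PORTS.get(f.dport, f"port {f.dport}")
        if dst_zone == "OT" and src_zone != "OT":
            severity = "HIGH"
            reason = f"cross-zone {src_zone}->{dst_zone} session to {proto_name}"
        elif dst_zone == "OT" and f.dport in OT_PORTS:
            severity = "MEDIUM"
            reason = f"new peer speaking {proto_name} to an OT device"
        else:
            severity = "LOW"
            reason = "conversation not seen in baseline"
        alerts.append({"severity": severity, "src": f.src, "dst": f.dst,
                       "dport": f.dport, "reason": reason})
    return alerts


# Constructed learning-window traffic: the SCADA gateway in the DMZ and the
# local HMI polling two protection relays and one RTU.
BASELINE_FLOWS = [
    Flow("10.50.0.10", "192.168.10.21", 102),
    Flow("10.50.0.10", "192.168.10.22", 102),
    Flow("10.50.0.10", "192.168.10.30", 20000),
    Flow("192.168.10.5", "192.168.10.21", 102),
    Flow("192.168.10.5", "192.168.10.22", 102),
]

# Constructed live traffic: the baseline plus four deviations to be ranked.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    Flow("10.1.20.55", "192.168.10.21", 102),     # IT workstation talking MMS to a relay
    Flow("192.168.10.77", "192.168.10.22", 502),  # unknown OT host speaking Modbus
    Flow("10.50.0.10", "192.168.10.21", 22),      # gateway opening SSH to a relay
    Flow("192.168.10.5", "192.168.10.6", 445),    # HMI to another OT host on SMB
]


def run_example() -> List[dict]:
    return detect_anomalies(learn_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a['severity']}] {a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
```

The ranking is the point: a relay being contacted from the IT zone or over an unexpected management protocol is the pivot-to-OT pattern described above and deserves an immediate page-out, whereas an unfamiliar OT-to-OT conversation is more likely a commissioning change and can be triaged against the change log. A production deployment would learn the baseline from a span port or TAP over days rather than from a static list, and would re-learn it under change control after every approved modification.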

Execute OT Attack

The final stage involves attackers achieving their goals—whether data theft, system manipulation, or destructive actions. In Ukraine, this meant opening breakers (via substation HMIs) to create power outages. The Ukraine attackers utilized malicious firmware uploads to sever communications to field devices while executing denial-of-service attacks against call centers, leading to delayed recovery efforts and frustrated customers unable to get answers.

Defensive Controls: Deploy safety instrumented systems (SIS) that operate independently from control systems. Maintain offline backups of configurations and verify restoration procedures. Conduct regular tabletop exercises and incident response drills specific to OT environments, to ensure rapid response even when cybersecurity controls fail.

Putting It All Together – An Actionable Framework

When defending digital substations, implementing security controls is only half the battle. Electric utilities must also align controls with established regulatory and industry frameworks, mapping defensive measures to both NERC CIP requirements and the NIST Cybersecurity Framework (CSF).

NERC CIP Alignment

The North American Electric Reliability Corporation's Critical Infrastructure Protection (CIP) standards provide mandatory requirements for bulk power system cybersecurity. Key standards relevant to digital substations include:

CIP-004 (Personnel & Training): Focuses on the most critical element of cybersecurity: humans. Lays out requirements for hiring, training, and onboarding/offboarding.

CIP-005 (Electronic Security Perimeters): Addresses the network segmentation and access control measures discussed in defending against intrusion and pivoting to OT.

CIP-007 (System Security Management): Covers the day-to-day “blocking and tackling” of cybersecurity: patch management, malware prevention, security event monitoring, and account management. This includes the endpoint protection, logging, and vulnerability management practices essential for early detection.

CIP-008 (Incident Response Planning): Ensures that organizations develop, maintain, and practice their capability to respond to attacks.

CIP-009 (Recovery Planning): Focuses on getting back to “normal” after an attack. Ensures that backup procedures are deployed and verified, and that restoration is periodically tested for speed and accuracy.

CIP-010 (Configuration Change Management): Defines baseline configurations for assets and establishes a structured change management process for those baselines, to include patch testing for operational integrity. Also includes requirements for periodic vulnerability assessments.
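The CIP-010 baseline requirement above, the CIP-009 restoration testing requirement, and the "maintain offline backups and verify restoration procedures" control from the Execute OT Attack section all rest on the same mechanism: a recorded manifest of what each asset's configuration should be. The following is an added example written for this article, not code from the article, NERC, or any utility; it hashes configuration artefacts into a manifest, reports drift against the approved baseline, and checks whether an offline backup is actually restorable. All asset paths and file contents are constructed.

```python
"""Configuration baseline and backup verification for substation assets.

Added example (not from the article): CIP-010 asks for a recorded baseline
per asset and a controlled change process, and CIP-009 asks that backups be
verified as restorable. A hash manifest serves both. Paths and contents below
are constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List

Manifest = Dict[str, str]  # asset path -> SHA-256 hex digest


def snapshot(configs: Dict[str, bytes]) -> Manifest:
    """Hash every configuration artefact so manifests, not files, are compared."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(configs.items())}


def compare_to_baseline(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Report artefacts that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def verify_backup(baseline: Manifest, backup: Dict[str, bytes]) -> bool:
    """A backup is restorable only if every baseline artefact is present and identical."""
    diff = compare_to_baseline(baseline, snapshot(backup))
    return not diff["missing"] and not diff["modified"]


def save_manifest(manifest: Manifest) -> str:
    """Serialise the baseline for offline storage (e.g. on write-once media)."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def load_manifest(text: str) -> Manifest:
    return json.loads(text)


# Constructed approved baseline: relay settings, RTU config, switch config.
BASELINE_CONFIGS = {
    "relay-A1/settings.cfg": b"OC_PICKUP=4.0\nOC_DELAY=0.3\nCOMM=MMS\n",
    "rtu-1/config.xml": b"<rtu><poll>2s</poll><master>10.50.0.10</master></rtu>",
    "switch-1/running-config": b"vlan 10 name OT-BAY\ninterface g1 switchport access vlan 10\n",
}

# Constructed live state: a relay pickup value edited outside change management,
# an RTU config that can no longer be read, and a switch file not in the baseline.
CURRENT_CONFIGS = {
    "relay-A1/settings.cfg": b"OC_PICKUP=9.5\nOC_DELAY=0.3\nCOMM=MMS\n",
    "switch-1/running-config": BASELINE_CONFIGS["switch-1/running-config"],
    "switch-1/startup-config": b"vlan 10 name OT-BAY\n",
}

# Constructed backups: one taken at baseline time, one stale copy that predates the RTU.
GOOD_BACKUP = dict(BASELINE_CONFIGS)
STALE_BACKUP = {k: v for k, v in BASELINE_CONFIGS.items() if k != "rtu-1/config.xml"}


def run_example() -> Dict[str, object]:
    # Round-trip through the serialised form, as an operator reading it off offline media would.
    baseline = load_manifest(save_manifest(snapshot(BASELINE_CONFIGS)))
    return {
        "drift": compare_to_baseline(baseline, snapshot(CURRENT_CONFIGS)),
        "good_backup_ok": verify_backup(baseline, GOOD_BACKUP),
        "stale_backup_ok": verify_backup(baseline, STALE_BACKUP),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Two practical notes. The manifest, not the configuration files themselves, is what gets stored alongside the change record, so a drift check never needs the live device to be trusted about its own state; and a backup that passes `verify_backup` has only been shown to be complete and unmodified, which is why CIP-009 still requires an actual timed restoration exercise on representative hardware.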

CIP-015 (Internal Network Security Monitoring): The newest CIP standard, approved in summer of 2025 and going into effect beginning October 2028. CIP-015 is all about knowing what’s happening “on the wire”: monitoring OT networks, detecting any anomalous activity, and making informed response decisions.

NIST CSF Integration

The NIST Cybersecurity Framework provides a flexible, risk-based approach organized around six core functions that represent a comprehensive cybersecurity strategy:

Govern: Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policies.

Identify: Build a common understanding of cybersecurity risk across systems, assets, data, and people. Gain visibility into current security posture and associated risks.

Protect: Implement the technical controls discussed previously: network segmentation, access controls, endpoint protection, etc. Aim to reduce the overall attack surface that an attacker can utilize to gain their foothold in the network.

Detect: Deploy capabilities to correctly identify the occurrence of malicious cybersecurity events in a timely manner. Utilize data aggregated from a wide variety of assets to add context to visibility.

Respond: Upon detection of a cyber attack, take action to blunt attackers’ progress, mitigate impact, and ultimately expel attackers from the network.

Recover: After having neutralized a threat, restore any capabilities or services that were impaired due to the incident. Utilize lessons learned to inform future security strategy.

Combining NERC CIP, NIST CSF, and Defensive Controls

| NERC CIP Requirement | NIST CSF Function(s) | Defensive Control Examples |
|---|---|---|
| CIP-004 | Govern, Identify | Employee security awareness |
| CIP-005 | Identify, Protect | Firewalls, DMZs, secure remote access |
| CIP-007 | Protect, Detect, Respond, Recover | Patching, logging, system hardening |
| CIP-008 | Respond | Incident response exercises |
| CIP-009 | Recover | Offline backups, test recovery procedures |
| CIP-010 | Govern, Identify, Protect | Change management, vulnerability assessments |
| CIP-015 | Detect, Respond | OT network IDS, network logging |

Conclusion

The 2015 Ukraine attack demonstrated that digital substations represent critical targets where cyber vulnerabilities can translate directly into physical consequences. However, by understanding the attacker's kill chain and implementing layered defenses, utilities can significantly reduce their risk profile. With buy-in from both IT and OT teams, and thoughtful application of strategy, digital substations can be placed on exceptionally strong security footing and be prepared for whatever attackers may try next.

This article was originally published in North American Clean Energy.