Survey of 100+ Energy Systems Reveals Critical OT Cybersecurity Gaps

A new industry study has uncovered significant cybersecurity shortcomings across operational technology (OT) environments in the global energy sector, raising concerns about the resilience of substations, power plants, and control centers against cyber threats.

The research, conducted by energy systems specialist OMICRON, analyzed data from more than 100 real-world energy installations worldwide. Drawing on several years of assessments, the study highlights persistent technical flaws, organizational gaps, and operational weaknesses that collectively increase the attack surface of critical energy infrastructure.


A Growing Attack Surface in Energy OT Environments

The findings are based on long-term deployments of OMICRON’s StationGuard intrusion detection system (IDS), a passive monitoring solution designed for protection, automation, and control (PAC) networks. By observing network traffic without interfering with operations, the system provided deep visibility into live OT environments.

Across installations, critical security issues were frequently identified within the first 30 minutes of connecting the IDS. These included outdated devices, weak network architectures, undocumented external connections, and limited visibility into connected assets. In addition to cybersecurity risks, the assessments exposed operational misconfigurations that could affect system availability and reliability.

The results reflect a broader trend across the energy sector: rapid convergence of IT and OT networks without equivalent progress in security governance and controls.


Why Intrusion Detection Is Essential for OT Networks

In industrial environments such as substations and power plants, many devices lack traditional operating systems, making endpoint-based security tools impractical. As a result, detection capabilities must be implemented at the network level.

Industry standards and frameworks — including the NIST Cybersecurity Framework, IEC 62443, and ISO/IEC 27000 — emphasize the importance of continuous monitoring and incident detection. Passive IDS solutions meet this need by analyzing network traffic through mirror ports or Ethernet TAPs.

Beyond identifying malicious activity, network-based IDS deployments offer additional benefits:

  • Visualization of communication flows
  • Identification of unnecessary or insecure services
  • Automated asset discovery
  • Detection of known vulnerabilities based on observed devices

Methodology Behind the Findings

The study aggregates insights from hundreds of IDS installations conducted since 2018 across substations, power plants, and control centers in dozens of countries. The findings were grouped into three core categories:

  1. Technical cybersecurity risks
  2. Organizational security challenges
  3. Operational and functional issues

Sensors were typically deployed at network gateways and other critical junctions, allowing broad visibility into OT communications. In many substations, multicast traffic made it unnecessary to monitor individual bay-level networks.


Asset Visibility Remains a Major Blind Spot

Accurate asset inventories are foundational to OT security, yet many organizations struggle to maintain them. Manual processes are often incomplete or outdated, especially in complex and aging environments.

OMICRON addressed this challenge using a combination of passive and active asset discovery techniques. Passive identification relied on IEC 61850 system configuration description (SCD) files, which provide structured information about devices. However, these files often lack critical details such as firmware versions.

To close this gap, active querying via the MMS protocol was used to retrieve device nameplate information, including manufacturer, model, firmware version, and hardware identifiers. Together, these approaches produced a far more complete and reliable asset inventory.
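The two-step inventory described above, as an added example (not OMICRON's or StationGuard's code): the passive step reads IED attributes and station-bus addresses from an IEC 61850 SCD file, which carries configVersion but no firmware version; the active step fills in firmware, hardware revision and serial number from nameplate data of the kind an MMS read of LPHD.PhyNam returns. The SCD fragment and the nameplate records are constructed for this illustration, and the MMS read itself is represented by a pre-filled dictionary keyed by IP.

```python
"""Build an asset inventory from an IEC 61850 SCD file and merge in
nameplate data of the kind an active MMS read of LPHD.PhyNam returns.

Added illustration, not OMICRON's or StationGuard's code. The SCD
document and the nameplate records are constructed for this example."""
import xml.etree.ElementTree as ET

SCL_NS = "http://www.iec.ch/61850/2003/SCL"
NS = {"scl": SCL_NS}

# Constructed SCD fragment: three IEDs, two of which have a station-bus
# address in the Communication section.
SAMPLE_SCD = f"""<SCL xmlns="{SCL_NS}" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT_L1" apName="S1">
        <Address><P type="IP">10.10.1.11</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="CTRL_BAY2" apName="S1">
        <Address><P type="IP">10.10.1.22</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT_L1" manufacturer="VendorA" type="LineProt-7" configVersion="3.2"/>
  <IED name="CTRL_BAY2" manufacturer="VendorB" type="BayCtrl-2" configVersion="1.0"/>
  <IED name="MU_T1" manufacturer="VendorA" type="MergingUnit-1" configVersion="2.1"/>
</SCL>
"""

# Constructed stand-in for the values an MMS read of LPHD.PhyNam would
# return per device (vendor, swRev, hwRev, serNum are PhyNam fields).
SAMPLE_NAMEPLATES = {
    "10.10.1.11": {"vendor": "VendorA", "swRev": "3.2.1", "hwRev": "B", "serNum": "A1-0001"},
    "10.10.1.22": {"vendor": "VendorB", "swRev": "1.0.4", "hwRev": "A", "serNum": "B2-0007"},
}


def parse_scd(scd_text):
    """Passive step: one record per IED, with its IP if the SCD has one.
    Firmware is left None because the SCD only carries configVersion."""
    root = ET.fromstring(scd_text)
    ip_by_ied = {}
    for cap in root.iterfind(".//scl:ConnectedAP", NS):
        for p in cap.iterfind("scl:Address/scl:P", NS):
            if p.get("type") == "IP":
                ip_by_ied[cap.get("iedName")] = p.text.strip()
    inventory = {}
    for ied in root.iterfind("scl:IED", NS):
        name = ied.get("name")
        inventory[name] = {
            "manufacturer": ied.get("manufacturer"),
            "type": ied.get("type"),
            "config_version": ied.get("configVersion"),
            "ip": ip_by_ied.get(name),
            "firmware": None, "hw_rev": None, "serial": None,
        }
    return inventory


def merge_nameplates(inventory, nameplates):
    """Active step: fill firmware/hardware/serial from nameplate reads,
    keyed by the IP the SCD assigned. Devices without an IP, or that did
    not answer, keep None so the gap stays visible in the inventory."""
    for rec in inventory.values():
        plate = nameplates.get(rec["ip"]) if rec["ip"] else None
        if plate:
            rec["firmware"] = plate["swRev"]
            rec["hw_rev"] = plate["hwRev"]
            rec["serial"] = plate["serNum"]
    return inventory


def build_inventory(scd_text, nameplates):
    return merge_nameplates(parse_scd(scd_text), nameplates)


def missing_firmware(inventory):
    """Names of IEDs whose firmware is still unknown after both steps."""
    return sorted(n for n, r in inventory.items() if r["firmware"] is None)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SCD, SAMPLE_NAMEPLATES)
    for name, rec in inv.items():
        print(name, rec)
    print("firmware unknown:", missing_firmware(inv))
```

The merging unit MU_T1 has no station-bus address in the SCD, so it never gets a nameplate and stays on the "firmware unknown" list; that residual list is the part of the inventory that still needs manual follow-up, which is exactly the gap the passive step alone cannot close.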


Most Common Technical Cybersecurity Risks

The analysis revealed several recurring technical weaknesses across energy OT networks:

  • Outdated PAC devices: Many systems were running firmware with well-known vulnerabilities. Some flaws, including denial-of-service weaknesses disclosed nearly a decade ago, remain unpatched in active environments.
  • Undocumented external connections: Substations were frequently found to have persistent TCP/IP connections to external networks that were not formally documented or monitored.
  • Insecure or unnecessary services: Unused file-sharing services, legacy IPv6 configurations, license servers with elevated privileges, and exposed PLC debugging functions were common findings.
  • Poor network segmentation: Flat network architectures allowed unrestricted communication between large numbers of devices, significantly increasing the potential impact of an intrusion.
  • Unexpected devices: IP cameras, printers, and other non-essential systems often appeared on OT networks without being recorded in asset inventories.

Organizational Challenges Amplify Cyber Risk

Technical issues were often compounded by organizational weaknesses. The study identified several recurring themes:

  • Sharp separation between IT and OT teams, with limited coordination
  • Lack of personnel dedicated specifically to OT security
  • Budget and resource constraints slowing security improvements

In many cases, IT teams were responsible for OT security despite differing risk models, availability requirements, and operational constraints — a mismatch that can leave critical systems exposed.


Operational Failures That Threaten Reliability

In addition to cybersecurity risks, IDS deployments uncovered widespread functional issues affecting system performance and reliability:

  • VLAN misconfigurations, particularly involving inconsistent handling of GOOSE messages
  • RTU and configuration mismatches, leading to failed SCADA updates
  • Time synchronization errors, including incorrect time zones and default timestamps
  • Network redundancy problems, such as spanning tree loops that caused severe degradation
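The first item in that list, inconsistent VLAN handling of GOOSE messages, is the kind of operational defect a passive sensor can check mechanically. The following added example (not OMICRON's code) parses the Ethernet, 802.1Q and GOOSE headers of captured frames and compares the VLAN ID and priority of each frame with the value configured for its APPID, the way the GSE Address entries of an SCD define them. The expected configuration and the frames are constructed; only the header layout (TPID 0x8100, GOOSE ethertype 0x88B8, APPID as the first two bytes after the ethertype) is taken from the standard.

```python
"""Check captured GOOSE frames for consistent 802.1Q tagging against the
VLAN/priority configured per GOOSE control block (the GSE Address entries
of an SCD). Added example, not OMICRON's code; the expected values and the
frames below are constructed."""
import struct

VLAN_TPID = 0x8100        # 802.1Q tag protocol identifier
GOOSE_ETHERTYPE = 0x88B8  # IEC 61850-8-1 GOOSE


def build_goose_frame(dst, src, appid, vlan_id=None, priority=4):
    """Construct the Ethernet + (optional) VLAN + GOOSE header of a frame.
    Only the header is needed for this check; the PDU body is omitted."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        frame += struct.pack("!HH", VLAN_TPID, (priority << 13) | (vlan_id & 0x0FFF))
    # ethertype, APPID, Length, Reserved1, Reserved2
    frame += struct.pack("!HHHHH", GOOSE_ETHERTYPE, appid, 8, 0, 0)
    return frame


def parse_goose_header(frame):
    """Return src MAC, VLAN ID, priority and APPID, or None if not GOOSE."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, priority = 14, None, None
    if ethertype == VLAN_TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        priority, vlan_id = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != GOOSE_ETHERTYPE:
        return None
    appid = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"src": frame[6:12].hex(":"), "vlan_id": vlan_id,
            "priority": priority, "appid": appid}


def audit_goose(frames, expected_gse):
    """One finding per frame whose tagging disagrees with the configured
    GSE entry for its APPID; non-GOOSE frames are ignored."""
    findings = []
    for frame in frames:
        hdr = parse_goose_header(frame)
        if hdr is None:
            continue
        exp = expected_gse.get(hdr["appid"])
        if exp is None:
            issue = "unknown-appid"
        elif hdr["vlan_id"] is None:
            issue = "untagged"
        elif hdr["vlan_id"] != exp["vlan_id"]:
            issue = "vlan-mismatch"
        elif hdr["priority"] != exp["priority"]:
            issue = "priority-mismatch"
        else:
            continue
        findings.append({"src": hdr["src"], "appid": hdr["appid"], "issue": issue})
    return findings


# Constructed configuration: two GOOSE control blocks, both on VLAN 100.
EXPECTED_GSE = {0x0001: {"vlan_id": 100, "priority": 4},
                0x0002: {"vlan_id": 100, "priority": 4}}

GOOSE_MCAST = "01:0c:cd:01:00:01"
SAMPLE_FRAMES = [
    build_goose_frame(GOOSE_MCAST, "00:11:22:33:44:01", 0x0001, vlan_id=100),  # as configured
    build_goose_frame(GOOSE_MCAST, "00:11:22:33:44:02", 0x0002),               # sent untagged
    build_goose_frame(GOOSE_MCAST, "00:11:22:33:44:03", 0x0001, vlan_id=200),  # wrong VLAN
    build_goose_frame(GOOSE_MCAST, "00:11:22:33:44:04", 0x0009, vlan_id=100),  # APPID not in SCD
    bytes.fromhex("001122334405" "001122334406" "0800") + b"\x45" + b"\x00" * 19,  # IPv4, skipped
]

if __name__ == "__main__":
    for f in audit_goose(SAMPLE_FRAMES, EXPECTED_GSE):
        print(f)
```

An untagged GOOSE frame and a frame on the wrong VLAN are both silently dropped or misdelivered by a correctly configured switch, so a subscriber times out without any device reporting an error; checking tagging against the SCD on the mirror port surfaces that before it shows up as a missed trip.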

While not always malicious in origin, these issues can magnify the impact of cyber incidents and complicate response efforts.


Key Takeaways for Utilities

The survey of more than 100 energy systems makes one conclusion clear: securing operational technology requires visibility, specialization, and continuous monitoring tailored to industrial environments.

Purpose-built OT security solutions that understand industrial protocols and provide real-time insight into network behavior are essential. Features such as automated asset inventories, allowlisting of expected communications, and support for both IT and OT protocols enable utilities to detect anomalies early without disrupting operations.
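The allowlisting of expected communications mentioned here is also what turns the technical findings listed earlier (undocumented external connections, insecure or unnecessary services, unexpected devices, flat segmentation) into automatic detections. The following added example (not StationGuard's logic) runs that review over flow records: each flow is checked against an asset inventory, a list of documented external endpoints, a table of insecure service ports and an allowlist of expected (source, destination, port) triples, and per-host fan-out is summarized as a rough segmentation indicator. Networks, inventory, allowlist and flow records are all constructed for the illustration.

```python
"""Allowlist-based review of OT flow records: flags undocumented external
connections, insecure services, devices missing from the inventory and
any flow outside the expected-communications allowlist, and summarizes
per-host fan-out as a rough segmentation indicator.

Added example, not StationGuard's logic. Networks, inventory, allowlist
and flow records are all constructed for illustration."""
import ipaddress
from collections import defaultdict

OT_NETWORKS = [ipaddress.ip_network("10.10.1.0/24")]
# External endpoints that are documented and monitored (constructed).
DOCUMENTED_EXTERNAL = {"10.200.0.5"}
# Asset inventory for the OT network (constructed).
INVENTORY = {"10.10.1.11", "10.10.1.22", "10.10.1.30"}
# Expected communications: (src, dst, dst_port). 102 = ISO-TSAP/MMS,
# 2404 = IEC 60870-5-104.
ALLOWED_FLOWS = {
    ("10.10.1.30", "10.10.1.11", 102),
    ("10.10.1.30", "10.10.1.22", 102),
    ("10.10.1.30", "10.200.0.5", 2404),
}
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 139: "netbios", 445: "smb"}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("10.10.1.30", "10.10.1.11", 102, "tcp"),    # gateway polling a relay, allowed
    ("10.10.1.30", "10.200.0.5", 2404, "tcp"),   # documented control-center link
    ("10.10.1.11", "203.0.113.9", 443, "tcp"),   # relay talking to an undocumented host
    ("10.10.1.22", "10.10.1.11", 23, "tcp"),     # telnet between two IEDs
    ("10.10.1.77", "10.10.1.11", 102, "tcp"),    # source not in the inventory
    ("10.10.1.11", "10.10.1.22", 445, "tcp"),    # SMB inside the OT segment
]


def in_ot(ip):
    return any(ipaddress.ip_address(ip) in net for net in OT_NETWORKS)


def analyze_flows(flows, allowed=ALLOWED_FLOWS, inventory=INVENTORY,
                  documented_external=DOCUMENTED_EXTERNAL):
    """Return one record per flow with the list of issues found (empty if
    the flow is expected)."""
    results = []
    for src, dst, port, proto in flows:
        issues = []
        for ip in (src, dst):
            if in_ot(ip) and ip not in inventory:
                issues.append("unknown-device")
                break
        for ip in (src, dst):
            if not in_ot(ip) and ip not in documented_external:
                issues.append("undocumented-external")
                break
        if port in INSECURE_PORTS:
            issues.append("insecure-service:" + INSECURE_PORTS[port])
        if (src, dst, port) not in allowed:
            issues.append("not-allowlisted")
        results.append({"flow": (src, dst, port, proto), "issues": issues})
    return results


def peer_counts(flows):
    """Distinct peers per OT host; large fan-out across many hosts is the
    signature of a flat network."""
    peers = defaultdict(set)
    for src, dst, _port, _proto in flows:
        if in_ot(src):
            peers[src].add(dst)
        if in_ot(dst):
            peers[dst].add(src)
    return {host: len(p) for host, p in peers.items()}


if __name__ == "__main__":
    for r in analyze_flows(SAMPLE_FLOWS):
        print(r["flow"], r["issues"] or "ok")
    print(peer_counts(SAMPLE_FLOWS))
```

The allowlist is the piece that has to be maintained: it is built from the documented communication design (which in IEC 61850 substations can be derived largely from the SCD) and every flow outside it is a question for the engineering team, whether the answer turns out to be an undocumented link or simply a missing entry.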

As energy infrastructure becomes increasingly connected, addressing these long-standing gaps is no longer optional. The resilience of power systems depends on it.

Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.