OT Security and Resilience in the Electricity Sector | UBDS Digital

OT Security and Resilience in the Electricity Sector

Tracey Hannan-Jones
24 February, 2026

Electricity is becoming more digital.

It goes without saying that electricity is becoming more digital, more distributed, and more dependent on third parties - at exactly the moment that adversaries are getting more sophisticated at exploiting the seams between IT, OT and the supply chain.

At the recent Operational Technology Security Conference, a keynote made the point that resilience in the electricity sector is no longer a "controls engineering" problem or a "cyber team" problem; it is now a governance problem, and one that spans procurement, operations, maintenance, and regulatory assurance. We also noticed that three issues kept resurfacing: supply chain visibility, the OT skills gap, and an evolving regulatory landscape that is converging on outcomes (resilience) rather than intentions (policies).

What it boils down to in supply chain visibility is that you can't defend what you can't see. Most electricity operators can map their primary substations, SCADA environments, and critical communications partners. However, few can confidently answer:

  • which vendors have remote access into which asset, and under what conditions;
  • which firmware versions are running across protection relays, RTUs, PLCs and gateways;
  • which components are end-of-life, end-of-support, or running with compensating controls; or
  • which suppliers' suppliers are embedded in critical systems (libraries, integrators, managed services, etc.).

The Conference discussions further highlighted a shift: attackers increasingly target the 'invisible' parts of the ecosystem - trust relationships, maintenance channels, and updates - all because they bypass perimeter assumptions.

So, what does 'good' look like in practice?

The key mindset change is procurement-to-operations continuity: if supplier risk is assessed once at onboarding and never revisited, you're effectively accepting unmanaged risk for the life of the asset. Example considerations should include:

  • Asset-to-supplier mapping - tie EVERY critical OT asset to its vendor, integrator, maintenance provider, and remote access method.
  • Remote access governance - standardise access pathways (jump servers, MFA, session recording) and eliminate ad hoc VPNs and shared credentials.
  • Software and firmware provenance - treat firmware like software: track versions, validate all updates, and document all approval paths.
  • Operational SBOM thinking - even if full SBOM maturity is aspirational, start with your critical systems and build a 'minimum viable bill of materials' for what matters most.

The skills gap in electricity OT security is not simply 'we need more cyber people' - it is that the sector needs more people who can overlap engineering realities (availability, safety, deterministic control) with cyber controls (identity, segmentation, monitoring) and risk governance (prioritisation, assurance and availability).

Several of the conference sessions echoed the same operational truth: OT security programmes stall when they rely on a small number of individuals who understand both the plant and the threat model. This creates fragility, especially during incidents, outages and major change programmes.

This leads on to the question of how the electricity sector builds capability without breaking operations. The answer is that resilience is the ultimate capability question: can the organisation detect issues early, contain them safely and recover without improvising? Doing so means addressing areas such as:

  • Role clarity - define who owns what across engineering, IT, and security, especially for patching, access, and exception management (not once, but as a continual review).
  • Upskilling engineers - don't just hire analysts; engineers already understand the process risks, so upskill them to gain security competence.
  • 'Security-in-operations' routines - embed lightweight security checks into maintenance windows, change controls and commissioning.
  • Meaningful tabletop exercises - reflect OT reality with practised scenarios like loss of view, loss of control, unsafe states, and vendor compromise (not just ransomware on IT).

Regulation is tightening but, more importantly, it's becoming more interconnected. Electricity operators are navigating requirements and expectations across critical infrastructure security regimes, supply-chain assurance, incident reporting and operational resilience, and sector-specific cyber guidance and baseline controls - all moving from compliance to demonstrable resilience. The Conference made this clear: regulators and auditors increasingly expect evidence of 'how' resilience is achieved, not just that a policy exists.

So what does this mean for electricity operators?

In short, it means you must provide evidence-driven assurance and be ready to show traceability from risk assessments to controls to operational outcomes. Incident readiness must be treated as a compliance artefact: response plans, exercises and their results, and recovery capabilities should all be auditable. Crucially, your supplier assurance must be continuous, not a questionnaire sent once, which does not meet the requirements for continuous review of remote access, managed services, asset lifecycle management, and operational recovery.

The electricity sector does not need to choose between security and reliability. They should be the same objective, because resilience is the ability to keep delivering power safely even when systems and suppliers don't behave as expected. Addressing the following core themes is a sure start: building a critical asset and supplier dependency map; standardising and hardening remote access; having a minimum viable OT vulnerability and lifecycle process (tested); running OT-focussed resilience exercises; and investing in cross-functional capability with clear ownership.

What's Next?

To learn more, why not attend the TechUK conference on OT security and resilience in the electricity sector on Weds 25 Feb 2026, 10am-12pm.

Come and talk to our UBDS team about OT security and resilience

About Tracey:

Tracey is our Consulting Director for all things Information Security related, and she is a retained ISO27001/ISO22301/ISO42001 Auditor with a UK-leading UKAS certification body, with a specialism across the Energy Sector - feel free to contact her on LinkedIn to understand how she supports the Energy Sector.

Tracey Hannan-Jones
Consulting Director - Information Security
