SCADA Security for Energy: Protecting HMIs, Historians and RTUs
In December 2015, attackers used the SCADA systems of three Ukrainian distribution companies against their own operators, remotely opening breakers at around 30 substations and cutting power to roughly 230,000 people. They did not exploit a vulnerability in the control software; they logged into legitimate HMIs using stolen credentials and operated the grid exactly as a real operator would. That incident exposed the central truth of SCADA security: the systems that run the grid were built for reliability and openness, not for resisting a determined adversary.
The 2015 Ukraine attack cut power to around 230,000 people by logging into legitimate SCADA HMIs with stolen credentials, not by exploiting a software flaw.
What SCADA Components Need Protecting
A SCADA environment in energy is made up of distinct components, each with its own risk profile. Human-machine interfaces present operational control to engineers and are a prime target because controlling an HMI means controlling the process. Historians store the time-series operational data that drives reporting and analytics, and often bridge OT and IT. Remote terminal units and PLCs in the field translate SCADA commands into physical actions on breakers, valves and pumps. Securing SCADA means understanding and protecting each of these layers, not just the central servers.
- HMIs: operator workstations that issue control commands
- Historians: time-series databases bridging OT and IT analytics
- RTUs and PLCs: field controllers actuating physical equipment
- Master terminal units and front-end processors aggregating field data
The Legacy Protocol Problem
Many SCADA systems still communicate using protocols such as Modbus, DNP3 and older serial standards that were designed decades ago with no authentication, encryption or integrity checking. A device receiving a Modbus command has no way to verify who sent it or whether it is legitimate. This means that any attacker who reaches the control network can issue valid-looking commands, which is exactly how the Ukraine attackers operated breakers. Because these protocols cannot be retrofitted with security, protection has to come from the network and monitoring layers around them.
Compensating Controls for Systems You Cannot Patch
SCADA servers and HMIs frequently run on operating systems that are years past end of life because the equipment vendor has not certified anything newer. Patching on a 14-day cycle is simply not possible. The answer is a layered set of compensating controls: strict network segmentation so the systems are unreachable from IT, application allow-listing to prevent unauthorised executables, removal of internet connectivity, and tightly controlled, monitored remote access. Where patching is impossible, the risk is managed rather than eliminated, and documented as a formal acceptance.
Continuous Monitoring of SCADA Traffic
Because SCADA protocols cannot authenticate commands, the most effective detection capability is passive monitoring that understands industrial traffic. By baselining normal behaviour, monitoring can flag the abnormal: an HMI issuing commands outside operating hours, an unexpected device speaking Modbus, a configuration download to an RTU, or a login from an unusual source. This is the visibility that would have raised the alarm in Ukraine as breakers began opening, rather than operators watching helplessly as their own systems were driven against them.
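The two points above, that a Modbus request carries nothing identifying or authenticating its sender and that passive baselining is therefore the practical detection layer, can be seen in a small monitor. The following is an added example written for this article; it is not code from the page, from Kyanite Blue or from Sophos. It parses Modbus/TCP request frames (the MBAP header and the first bytes of the PDU, as laid out in the public Modbus specification), then checks each observed request against a learned baseline of which master may talk to which outstation, with which function codes, and during which hours. Every host address, unit id, register address and frame in it is constructed for the demonstration.

```python
"""Passive Modbus/TCP monitor: parse request frames and check them against a baseline.

Added example, not code from the page or from Kyanite Blue/Sophos. All hosts,
unit ids, register addresses and frames are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

# Public Modbus function codes used in the demo (names per the Modbus spec).
FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int             # target outstation; the frame names the target, never the sender
    function_code: int
    address: Optional[int]   # starting coil/register address
    operand: Optional[int]   # quantity for reads, value for single writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the start of the PDU.

    Note what the frame does not carry: no sender identity, no signature or MAC,
    no nonce. Anything that can reach TCP/502 can send a valid-looking request.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    address = operand = None
    if fc in FUNCTION_NAMES and len(frame) >= 12:
        # Codes 1-6 fit in these four bytes; 15/16 carry more data after them.
        address, operand = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, unit, fc, address, operand)


def build_request(tid: int, unit: int, fc: int, address: int, operand: int) -> bytes:
    """Build a minimal request (function codes 1-6) for the constructed samples."""
    pdu = struct.pack(">BHH", fc, address, operand)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


@dataclass
class Baseline:
    # (master ip, outstation ip) -> function codes seen during the learning period
    allowed: Dict[Tuple[str, str], FrozenSet[int]]
    operating_hours: range   # hours of day in which operator writes are expected


@dataclass
class Observation:
    when: datetime
    src: str
    dst: str
    frame: bytes


def evaluate(obs: Observation, baseline: Baseline) -> List[str]:
    """Return alert strings for one observed request (empty list means normal)."""
    try:
        req = parse_modbus_tcp(obs.frame)
    except ValueError as err:
        return [f"malformed Modbus from {obs.src}: {err}"]
    name = FUNCTION_NAMES.get(req.function_code, f"fc{req.function_code}")
    pair = (obs.src, obs.dst)
    if pair not in baseline.allowed:
        return [f"unexpected device {obs.src} speaking Modbus to {obs.dst} ({name})"]
    alerts = []
    if req.function_code not in baseline.allowed[pair]:
        alerts.append(f"{obs.src} -> {obs.dst}: {name} not in baseline for this pair")
    if req.function_code in WRITE_CODES and obs.when.hour not in baseline.operating_hours:
        alerts.append(f"{obs.src} -> {obs.dst} unit {req.unit_id}: {name} addr {req.address} "
                      f"at {obs.when:%H:%M}, outside operating hours")
    return alerts


def run_demo() -> List[List[str]]:
    """Constructed traffic: one HMI, one engineering workstation, one RTU, one stranger."""
    hmi, eng, rtu, stranger = "10.20.0.10", "10.20.0.20", "10.20.1.5", "10.20.0.99"
    baseline = Baseline(
        allowed={(hmi, rtu): frozenset({1, 3, 5, 6}), (eng, rtu): frozenset({3, 16})},
        operating_hours=range(6, 22),
    )
    samples = [
        # routine daytime poll of 10 holding registers
        Observation(datetime(2024, 1, 15, 9, 15), hmi, rtu, build_request(1, 1, 3, 0, 10)),
        # coil write from the HMI at 03:42, outside the baseline's operating hours
        Observation(datetime(2024, 1, 15, 3, 42), hmi, rtu, build_request(2, 1, 5, 7, 0xFF00)),
        # a host never seen speaking Modbus sends the same coil write
        Observation(datetime(2024, 1, 15, 10, 5), stranger, rtu, build_request(3, 1, 5, 7, 0xFF00)),
        # engineering workstation issues a coil write it has never issued before
        Observation(datetime(2024, 1, 15, 11, 0), eng, rtu, build_request(4, 1, 5, 7, 0x0000)),
    ]
    return [evaluate(obs, baseline) for obs in samples]


if __name__ == "__main__":
    for n, alerts in enumerate(run_demo(), 1):
        print(n, alerts or "normal")
```

The point of the parser is what it cannot check: the frame identifies the outstation (unit id) and the operation, but nothing about who sent it, so the RTU will honour the coil write in samples two, three and four equally. Only the baseline, which lives in the monitoring layer rather than the protocol, separates the routine poll from the out-of-hours write, the unknown device and the workstation stepping outside its normal function codes. A production deployment would learn the baseline from weeks of captured traffic and would add DNP3 and vendor protocols, but the decision logic is the same.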
How Kyanite Blue and Sophos Deliver This
Kyanite Blue secures SCADA estates for energy operators by combining Sophos firewalls to enforce segmentation around HMIs, historians and RTUs with Sophos managed detection that monitors for anomalous behaviour on the control network. Our team baselines normal SCADA traffic, deploys deep-learning detection tuned to industrial environments, and provides 24/7 managed response so that abnormal commands are investigated by analysts, not just logged. The combination protects systems that cannot defend themselves, using the network and monitoring layers around them.
Frequently Asked Questions
Why are SCADA systems hard to secure?
SCADA systems were designed for reliability and openness rather than security. They often run end-of-life operating systems that cannot be patched, and they communicate using legacy protocols such as Modbus and DNP3 that have no authentication or encryption, so any device on the network can issue valid commands.
Can you secure a SCADA HMI that runs an old version of Windows?
Yes, through compensating controls rather than patching. Network segmentation isolates the HMI from IT and the internet, application allow-listing blocks unauthorised software, and monitored, MFA-protected remote access controls who can reach it. This manages the risk where the device itself cannot be updated.
How would monitoring have helped in the Ukraine grid attack?
The attackers used legitimate HMIs to open breakers, so no malware alert fired. Behaviour-based monitoring that baselines normal SCADA activity would have flagged logins from unusual sources and commands issued outside expected patterns, giving operators a chance to intervene before the outage spread.
Secure your SCADA estate with Kyanite Blue
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.