
SCADA Security Hardening for a Gas Pipeline Operator

February 10, 2025

Background

A gas pipeline operator managing 380 km of high-pressure transmission pipeline with 26 remote terminal units (RTUs), 4 compressor stations, and a central SCADA control room received a regulatory compliance finding identifying critical cybersecurity gaps. The regulator's assessment found that SCADA communications between the control room and remote sites had no encryption or authentication, RTU configurations used default credentials, and no cybersecurity controls existed at any remote location.

The operator was given 6 months to demonstrate a remediation plan and begin implementation. The Head of Operations engaged Beacon Security to assess the full SCADA infrastructure and deliver a hardened baseline across all sites.

Note: All identifying details have been removed to protect client confidentiality.

The Challenge

Pipeline SCADA environments present security challenges that are fundamentally different from plant-based OT systems. The infrastructure is distributed across hundreds of kilometers, often in remote locations with limited physical security and unreliable communications.

Unencrypted SCADA Communications

All communication between the central control room and 26 RTUs used legacy serial protocols tunneled over radio and cellular links with no encryption. Pressure readings, valve commands, and alarm states were transmitted in cleartext. An attacker with a software-defined radio within range of any relay point could intercept or inject SCADA traffic.

Default Credentials on Every RTU

All 26 RTUs were configured with the manufacturer's default username and password. The credentials were identical across all sites and had never been changed since installation. Anyone with access to the vendor's publicly available documentation could log into any RTU.

No Cybersecurity Controls at Remote Sites

Remote sites had no firewalls, no intrusion detection, and no access logging. Physical access relied on padlocks and chain-link fencing. Four sites had cellular modems with public IP addresses that were directly reachable from the internet.

Mixed Communication Infrastructure

The 26 RTU sites used a mix of licensed radio, cellular, and satellite links depending on terrain and distance. Each communication type required a different security approach. The radio network had been designed 12 years earlier with reliability as the only consideration.

Limited Maintenance Windows

The pipeline operated continuously with no scheduled shutdowns. Any changes to RTU configurations or SCADA communications had to be performed while the pipeline was live, with immediate rollback capability if flow monitoring or pressure control was affected.

Our Approach

Beacon Security executed a 16-week engagement structured to address the most critical exposures first while building toward full compliance across all sites.

Phase 1: SCADA Infrastructure Assessment (Weeks 1-4)

The assessment covered every component of the SCADA chain from the control room to the most remote RTU site.

Control Room Assessment:

  • SCADA servers, historian, engineering workstations, and operator consoles evaluated
  • Network architecture mapped, including all connections between SCADA, corporate IT, and external networks
  • SCADA application security reviewed including user accounts, access levels, and audit logging
  • Backup and disaster recovery procedures evaluated

Remote Site Surveys: All 26 RTU sites and 4 compressor stations were physically visited:

  • RTU hardware, firmware versions, and configuration states documented
  • Communication equipment (radios, cellular modems, satellite terminals) inventoried
  • Physical security assessed: fencing, locks, tamper detection, camera coverage
  • Local network equipment (switches, converters) documented
  • 4 sites found with cellular modems exposing management interfaces to the public internet

Communication Link Analysis:

  • SCADA protocol traffic captured and analyzed across all 3 communication types
  • Polling cycles, data volumes, and latency requirements documented per site
  • Redundancy paths mapped to ensure hardening would not compromise failover

Phase 2: Risk-Prioritized Remediation Plan (Weeks 5-6)

Findings were organized into a risk register with 38 entries. Remediation was sequenced based on exploitability and consequence:

Immediate actions (executed during assessment):

  • 4 internet-exposed cellular modems reconfigured to disable public access
  • Default SNMP community strings changed on all reachable network devices
  • SCADA server remote desktop access restricted to the engineering VLAN only

Phase 3: RTU and Communication Hardening (Weeks 7-12)

RTU hardening was performed site by site, with each site following the same procedure:

RTU Configuration Hardening:

  • Default credentials replaced with unique, per-site credentials stored in a secure credential vault
  • Unused ports and services disabled on all 26 RTUs
  • Firmware updated on 19 RTUs that were running versions with known vulnerabilities
  • Configuration baselines captured and stored for change detection

SCADA Communication Security:

  • VPN tunnels established over cellular links, encrypting all SCADA traffic between the control room and 18 cellular-connected sites
  • Radio network upgraded with AES encryption across all 6 radio-connected RTU links
  • Satellite links secured with application-layer encryption for the 2 satellite-connected sites
  • Authentication tokens added to SCADA polling to prevent command injection

All changes were implemented one site at a time during low-demand periods. Each site had a dedicated rollback window. The control room maintained continuous monitoring throughout, with a Beacon engineer on-site for every cutover.

Phase 4: Compressor Station Security (Weeks 10-14)

The 4 compressor stations had more complex environments than standard RTU sites, each running local PLCs, HMIs, vibration monitoring, and gas detection systems:

  • Dedicated firewalls deployed at each compressor station
  • Network segmentation separating compressor controls from SCADA communications
  • Local HMI access controls implemented with individual operator credentials
  • USB restrictions applied to all engineering and operator interfaces
  • Physical security upgraded: electronic locks with audit trails replacing padlocks at all 4 stations

Phase 5: Monitoring, Documentation, and Handover (Weeks 13-16)

  • Centralized logging deployed, collecting security events from all 26 RTUs and 4 compressor stations
  • Alerting configured for failed login attempts, configuration changes, communication anomalies, and new device connections
  • SCADA security procedures documented covering routine operations, incident response, and change management
  • Control room operators trained on the new security monitoring dashboard and alert response procedures
  • Full compliance documentation package assembled for regulatory submission
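The four alert categories listed for Phase 5 can be expressed as simple rules over the collected RTU events. The following is an added example, not Beacon Security's tooling: it checks a running-configuration hash against a stored baseline (the Phase 3 baselines), flags MAC addresses absent from the asset inventory (Phase 1), counts failed logins per site, and treats a poll gap well beyond the expected cycle as a communication anomaly. The event format, site names, inventory, baseline values and threshold are all constructed.

```python
"""Added example (not Beacon Security's tooling): Phase 5 alert rules over constructed RTU events."""
import hashlib
from collections import Counter

# Constructed Phase 1 inventory: RTU site -> MAC addresses authorised on its local network
ASSET_INVENTORY = {"RTU-07": {"00:11:22:33:44:07"}, "RTU-12": {"00:11:22:33:44:12"}}
# Constructed Phase 3 baselines: RTU site -> SHA-256 of the approved running config
APPROVED_CONFIG = "poll=5s;port=20000"
CONFIG_BASELINE = {s: hashlib.sha256(APPROVED_CONFIG.encode()).hexdigest() for s in ASSET_INVENTORY}
FAILED_LOGIN_THRESHOLD = 5  # assumed: failures per site per collection window

def parse(line):
    """Split the constructed 'site|event|key=value|...' format into a dict."""
    site, event, *pairs = line.split("|")
    fields = dict(p.split("=", 1) for p in pairs)
    fields.update(site=site, event=event)
    return fields

def evaluate(lines):
    """Return alert strings for one collection window of events."""
    alerts, failed = [], Counter()
    for f in map(parse, lines):
        if f["event"] == "login_failed":
            failed[f["site"]] += 1  # counted here, alerted on below
        elif f["event"] == "config_read":
            # Configuration change: running config no longer matches the stored baseline
            digest = hashlib.sha256(f["config"].encode()).hexdigest()
            if digest != CONFIG_BASELINE.get(f["site"]):
                alerts.append(f"CONFIG_CHANGE {f['site']}")
        elif f["event"] == "link_seen":
            # New device connection: MAC not in the site's asset inventory
            if f["mac"] not in ASSET_INVENTORY.get(f["site"], set()):
                alerts.append(f"NEW_DEVICE {f['site']} {f['mac']}")
        elif f["event"] == "poll_gap":
            # Communication anomaly: gap between polls far exceeds the expected cycle
            if float(f["seconds"]) > 3 * float(f["expected"]):
                alerts.append(f"COMM_ANOMALY {f['site']} gap={f['seconds']}s")
    for site, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"BRUTE_FORCE {site} failures={n}")
    return alerts

SAMPLE_EVENTS = [  # constructed events from one collection window
    *["RTU-07|login_failed|user=admin"] * 5,
    "RTU-12|config_read|config=poll=5s;port=20000",
    "RTU-07|config_read|config=poll=5s;port=20000;telnet=on",
    "RTU-12|link_seen|mac=de:ad:be:ef:00:01",
    "RTU-07|poll_gap|seconds=45|expected=5",
]
```

Running evaluate(SAMPLE_EVENTS) raises one alert of each category; the RTU-12 configuration read matches its baseline and produces none.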

Key Findings

Internet-Exposed RTU Management

Four cellular-connected RTU sites had management interfaces reachable from the public internet. Shodan search results reviewed during the assessment showed that automated internet-wide scanners had already discovered two of them.

Action: Public access disabled immediately during the assessment phase. All remote management routed through the encrypted VPN tunnels.

Unauthorized Cellular Modem

One compressor station had a personal cellular modem connected to the local network by a technician for remote troubleshooting convenience. It had been active for over 6 months with no authentication required for access.

Action: Modem removed immediately. Finding used to reinforce the need for formal change management at remote sites.

Outcome

All 26 RTU sites and 4 compressor stations were hardened within the 16-week engagement. The regulator accepted the remediation evidence and closed the compliance finding.

Deliverables Provided:

  • Complete SCADA asset inventory: 26 RTUs, 4 compressor stations, all communication equipment
  • RTU hardening baseline applied across all 26 sites with per-site configuration documentation
  • Encrypted SCADA communication across all 3 link types (cellular VPN, radio AES, satellite encryption)
  • Firewall deployment and network segmentation at all 4 compressor stations
  • Centralized security logging and alerting platform
  • SCADA security procedures covering operations, incident response, and change management
  • Regulatory compliance evidence package

Results:

  • 26 RTUs hardened from default configurations to a documented security baseline
  • All SCADA communications encrypted across 380 km of pipeline infrastructure
  • 4 internet-exposed management interfaces eliminated
  • 1 unauthorized cellular modem removed
  • 19 RTU firmware updates applied, resolving 23 known vulnerabilities
  • 4 compressor stations segmented and firewalled for the first time
  • Regulatory compliance finding closed with documented evidence
  • Zero pipeline disruptions during the entire 16-week engagement

The operator subsequently engaged Beacon Security to develop a long-term SCADA security monitoring program and extend the security baseline to their distribution network.


Beacon Security designs and implements SCADA cybersecurity programs for pipeline operators and energy infrastructure. Contact us to discuss your SCADA security requirements.