OT Network Segmentation for a Power Generation Facility

February 10, 2025

Background

A power generation facility operating a 450 MW combined-cycle gas turbine (CCGT) plant engaged Beacon Security to address a critical finding from a cyber insurance audit. The auditor had demonstrated that a laptop connected to the guest Wi-Fi network could reach turbine control systems through the facility's flat network architecture. The insurer threatened to revoke the facility's cyber liability coverage unless network segmentation was implemented within 90 days.

The facility's control systems, including the turbine controllers, the plant DCS, and the Safety Instrumented System, shared network infrastructure with corporate IT, with no boundary protection between the two.

Note: All identifying details have been removed to protect client confidentiality.

The Challenge

The facility's network architecture had grown organically over several years of plant upgrades and digital connectivity projects, resulting in conditions that are unfortunately common in power generation:

Flat Network Architecture

A single flat network connected turbine control systems, plant DCS, operator workstations, engineering stations, historian servers, and corporate IT desktops. No firewalls, VLANs, or access controls separated these environments. Every device could communicate with every other device.

DCS Accessible from Enterprise

Plant DCS workstations could be reached from any enterprise workstation on the network. Engineering changes to control logic could theoretically be initiated from a corporate laptop. A single malicious email attachment opened on a corporate workstation could therefore be the first step toward manipulation of turbine controls.

No Network Monitoring

No OT-specific network monitoring or anomaly detection was in place. The IT team monitored enterprise network traffic but had zero visibility into OT protocol communications, including Modbus and OPC-UA traffic.

Safety System Exposure

Safety Instrumented System (SIS) communications traversed the same shared network switches as corporate printers and email traffic. The independence on which the safety function depends was undermined by the shared network: any host on the network could reach the safety controllers.

Our Approach

Beacon Security designed and implemented a comprehensive IEC 62443 zone and conduit architecture over a 12-week engagement, meeting the insurer's 90-day deadline.

Phase 1: Current State Assessment (Weeks 1-3)

We began with a thorough assessment of the existing network:

  • Passive network traffic analysis (no active scanning of control devices) mapping all 847 unique communication flows between devices
  • Asset discovery identifying 156 networked devices (versus 98 in existing documentation)
  • Protocol identification including Modbus, OPC-UA, DNP3, and several proprietary protocols
  • Critical communication dependency mapping ensuring no control loops would be disrupted

Phase 2: Zone and Conduit Design (Weeks 4-6)

Working with plant operations, engineering, and IT teams, we designed a segmentation architecture:

Zone 1: Safety Systems (SL3 Target) - SIS controllers and safety logic solvers isolated onto dedicated infrastructure with a single, tightly controlled conduit to the control zone.

Zone 2: Control Systems (SL2 Target) - Turbine controllers and plant DCS in a dedicated zone with conduits to safety, supervisory, and engineering zones.

Zone 3: Supervisory (SL2 Target) - Operator HMIs, historian servers, and monitoring workstations with read access to control data but no direct control capability.

Zone 4: Engineering (SL2 Target) - Engineering workstations in a dedicated zone with controlled, logged access to the control and safety zones. Access requires explicit authorization and is session-recorded.

Zone 5: Enterprise DMZ (SL1 Target) - Demilitarized zone as the only connection between OT and IT, with a data diode carrying one-way historian replication to the enterprise side.

Twelve conduits were designed with explicit allow-list rules (default deny) governing every permitted communication flow.

Phase 3: Implementation (Weeks 7-10)

During a planned 72-hour maintenance window:

  • Industrial firewalls installed at all zone boundaries
  • VLAN restructuring and switch configuration completed
  • Conduit rules deployed with protocol-aware deep packet inspection for Modbus and OPC-UA
  • OT network monitoring sensors deployed at every zone boundary
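The protocol-aware inspection mentioned above is what turns "supervisory may talk to control" into "supervisory may only read from control". The following is an added example, not the engagement's actual firewall configuration: it parses the MBAP header and PDU of a Modbus/TCP request and decides whether the conduit between two zones permits that function code. The zone names, the per-conduit function-code lists and the sample frames are assumptions chosen for illustration.

```python
"""Protocol-aware conduit rule for Modbus/TCP (added example; assumed zone names
and function-code policy, not the engagement's own rule set)."""
import struct

# Modbus public function codes (from the Modbus application protocol specification)
FC_READ_COILS = 0x01
FC_READ_DISCRETE_INPUTS = 0x02
FC_READ_HOLDING_REGISTERS = 0x03
FC_READ_INPUT_REGISTERS = 0x04
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10

READ_ONLY = {FC_READ_COILS, FC_READ_DISCRETE_INPUTS,
             FC_READ_HOLDING_REGISTERS, FC_READ_INPUT_REGISTERS}
READ_WRITE = READ_ONLY | {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                          FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}

# Assumed conduit allow-list: (source zone, destination zone) -> permitted function codes.
# Supervisory may only read; engineering may read and write; no other zone pair
# (including enterprise -> control) has a Modbus conduit at all.
CONDUIT_MODBUS_RULES = {
    ("supervisory", "control"): READ_ONLY,
    ("engineering", "control"): READ_WRITE,
}


def parse_modbus_tcp(frame: bytes):
    """Return (transaction_id, unit_id, function_code, data) or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The MBAP length field counts the unit id and the PDU, so it must equal
    # the frame size minus the 6 bytes preceding the unit id.
    if len(frame) - 6 != length:
        raise ValueError("MBAP length field disagrees with frame size")
    return tid, unit, frame[7], frame[8:]


def conduit_decision(src_zone: str, dst_zone: str, frame: bytes):
    """Return ('allow', detail) or ('deny', reason) for a request crossing a conduit."""
    try:
        _, unit, fc, _ = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    allowed = CONDUIT_MODBUS_RULES.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no Modbus conduit from {src_zone} to {dst_zone}"
    if fc & 0x80:
        # Exception responses carry the high bit; a client never sends one.
        return "deny", "exception bit set in a request"
    if fc not in allowed:
        return "deny", f"function code 0x{fc:02x} not permitted on this conduit"
    return "allow", f"function code 0x{fc:02x} to unit {unit}"


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used only for the sample traffic below)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: read 10 holding registers from 0, and write one register.
READ_HR = build_request(1, 1, FC_READ_HOLDING_REGISTERS, struct.pack("!HH", 0x0000, 10))
WRITE_REG = build_request(2, 1, FC_WRITE_SINGLE_REGISTER, struct.pack("!HH", 0x0010, 0x1234))

if __name__ == "__main__":
    for src, frame in [("supervisory", READ_HR), ("supervisory", WRITE_REG),
                       ("engineering", WRITE_REG), ("enterprise", READ_HR)]:
        print(f"{src} -> control:", conduit_decision(src, "control", frame))
```

Two caveats a practitioner would want on top of this: the rule assumes the client sits in the source zone, so the firewall must also enforce direction (TCP connection initiation) rather than only inspecting payloads; and inspection at this depth is only possible for cleartext protocols, so an OPC UA session using SignAndEncrypt can be pinned to its endpoint and port but its service calls cannot be filtered by a boundary device.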

Phase 4: Validation and Handover (Weeks 11-12)

Comprehensive validation confirmed:

  • All control loops operated normally through the new architecture
  • Every legitimate communication flow among the 847 mapped in Phase 1 permitted through the conduits; flows identified as unauthorized during mapping were not carried over
  • No unauthorized communication paths remained
  • OT monitoring capturing and analyzing all protocol traffic

Key Findings During Implementation

Discovery: Two Unknown Devices

Within the first month of monitoring post-deployment, the OT monitoring system flagged two previously unknown devices communicating with external IP addresses. Investigation revealed they were legacy data loggers installed by a third-party consultant years earlier, configured to upload data to a cloud service. Neither device appeared in any facility documentation.

Action: Both devices disconnected and replaced with monitored, approved data collection points within the proper zone architecture.

Discovery: Unauthorized Engineering Access Path

During traffic analysis, we discovered that a contractor had configured a direct SSH tunnel from an enterprise workstation to a turbine controller, bypassing all standard access procedures. The tunnel had been active for over eight months.

Action: Tunnel terminated immediately. Access control procedures formalized for all engineering connections.
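Both findings above are the kind that fall out of comparing a mapped flow table against the zone inventory and the conduit allow-list, which is also what the Phase 4 check "no unauthorized communication paths remained" amounts to. The following is an added example, not the engagement's own tooling or data: every observed flow is classified by the zones of its endpoints, checked against a documented asset list, and matched against a conduit table. The subnets, zone names, inventory, ports and the flow records are all constructed for illustration.

```python
"""Zone/conduit audit over a mapped flow table (added example with assumed
subnets, inventory, conduit ports and constructed flow records)."""
import ipaddress
from dataclasses import dataclass

# Assumed zone-to-subnet mapping (private address ranges chosen for the example)
ZONES = {
    "safety": ipaddress.ip_network("10.10.1.0/24"),
    "control": ipaddress.ip_network("10.10.2.0/24"),
    "supervisory": ipaddress.ip_network("10.10.3.0/24"),
    "engineering": ipaddress.ip_network("10.10.4.0/24"),
    "dmz": ipaddress.ip_network("10.10.9.0/24"),
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),
}

# Assumed documented inventory; any facility address not listed here is "unknown".
INVENTORY = {"10.10.1.2", "10.10.2.11", "10.10.3.21", "10.10.4.31", "10.10.9.5", "10.20.5.77"}

# Assumed conduit allow-list: (src zone, dst zone) -> permitted (protocol, destination port)
CONDUITS = {
    ("supervisory", "control"): {("tcp", 502), ("tcp", 4840)},              # Modbus/TCP, OPC UA
    ("engineering", "control"): {("tcp", 502), ("tcp", 4840), ("tcp", 22)},  # plus logged SSH
    ("control", "safety"): {("tcp", 502)},                                   # the single SIS conduit
    ("supervisory", "dmz"): {("tcp", 4840)},                                 # historian towards the diode
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str):
    """Name of the zone whose subnet contains addr, or None if it is not a facility address."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def audit_flow(flow: Flow):
    """Return ('permitted', detail) or ('violation', reasons) for one observed flow."""
    findings = []
    for addr in (flow.src, flow.dst):
        if zone_of(addr) is not None and addr not in INVENTORY:
            findings.append(f"unknown device {addr}")
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone is None:
        findings.append(f"external destination {flow.dst}")
    elif src_zone is None:
        findings.append(f"external source {flow.src}")
    elif src_zone == dst_zone:
        pass  # intra-zone traffic is not governed by a conduit
    elif (flow.proto, flow.dport) not in CONDUITS.get((src_zone, dst_zone), set()):
        findings.append(f"no conduit for {src_zone}->{dst_zone} {flow.proto}/{flow.dport}")
    if findings:
        return "violation", "; ".join(findings)
    return "permitted", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def audit(flows):
    """Verdict for every flow; the violations are what the validation report has to clear."""
    return [(f, *audit_flow(f)) for f in flows]


# Constructed flow records, in the shape a passive capture would summarise them
SAMPLE_FLOWS = [
    Flow("10.10.3.21", "10.10.2.11", "tcp", 502),     # HMI polling a controller
    Flow("10.10.4.31", "10.10.2.11", "tcp", 22),      # engineering SSH on the approved conduit
    Flow("10.20.5.77", "10.10.2.11", "tcp", 22),      # enterprise workstation SSH to a controller
    Flow("10.10.2.200", "203.0.113.10", "tcp", 443),  # undocumented device uploading externally
    Flow("10.10.3.21", "10.10.1.2", "tcp", 502),      # supervisory reaching the safety zone directly
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:9} {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Running the audit on the constructed records flags the enterprise-to-controller SSH session, the undocumented host talking to an external address, and a supervisory host bypassing the control zone to reach the SIS, while the two approved conduits pass. The same comparison run continuously against monitoring data is what keeps the conduit matrix honest after handover.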

Outcome

The segmentation was deployed during the planned maintenance window with zero impact on control loops or plant operations upon restart. The insurer confirmed compliance and renewed coverage.

Deliverables Provided:

  • IEC 62443 zone and conduit architecture documentation
  • Firewall rule sets for all 12 conduits with protocol-aware inspection rules
  • OT network monitoring deployment with baseline traffic profiles
  • Validation test results confirming zero operational impact
  • Ongoing monitoring procedures and escalation workflows

Operational Impact:

  • Safety systems placed in their own zone with a single controlled conduit for the first time, restoring the independence of the safety function
  • Engineering access controlled, logged, and auditable with session recording
  • Continuous OT monitoring at every zone boundary providing real-time visibility into all traffic crossing between zones
  • Clear separation between enterprise IT and plant OT environments
  • Two previously unknown devices with external communications discovered and addressed
  • Cyber insurance coverage maintained with documented compliance evidence
  • Foundation established for achieving higher Security Levels over time

The facility achieved IEC 62443 Security Level 2 across all zones (with the safety zone designed to an SL3 target) and established a baseline for a continuous improvement program.


Beacon Security designs and implements OT network segmentation for power generation and energy facilities. Contact us to discuss your segmentation requirements.