Background
A midstream pipeline operator managing over 800km of natural gas transmission infrastructure discovered during a routine IT audit that a misconfigured firewall rule had exposed their SCADA master station to the internet, potentially for several months. The SCADA system controlled pipeline pressure regulation, flow measurement, compressor stations, and emergency shutdown functions across dozens of remote sites.
The operator's board mandated an immediate security assessment of the entire SCADA environment. Beacon Security was engaged within 48 hours of the discovery to determine what, if any, unauthorized access had occurred and to establish a comprehensive picture of the SCADA security posture.
Note: All identifying details have been removed to protect client confidentiality.
The Challenge
The operator's SCADA environment exhibited conditions common in geographically distributed pipeline operations that have evolved over decades without security as a design consideration:
Internet-Exposed Master Station
The SCADA master station had been accessible from the internet through a misconfigured firewall rule. The duration of exposure was uncertain. The master station was running a Windows Server installation that had reached end-of-life, with no security patches applied for over 18 months.
Unencrypted Field Communications
Communication between the master station and 23 remote terminal units (RTUs) used a mix of radio and cellular links with no encryption. SCADA protocol traffic, including Modbus and DNP3 commands, was transmitted in cleartext, meaning anyone with access to the communication path could intercept or modify control commands.
Unmonitored Vendor Remote Access
Three equipment vendors maintained persistent 24/7 VPN connections to field sites. Credentials were shared among vendor technicians with no individual accountability. No session recording, monitoring, or time-based access restrictions existed.
No Centralized Logging or Monitoring
OT events, alarms, and access logs were stored locally on individual devices with no centralized collection. If unauthorized access had occurred, evidence would exist only in scattered local logs with limited retention.
Our Approach
Beacon Security conducted a phased SCADA security assessment over four weeks, structured to address the immediate exposure concern first while building a comprehensive security picture.
Phase 1: Exposure Analysis (Days 1-5)
The highest priority was understanding whether the internet exposure had been exploited:
- Forensic review of the SCADA master station for indicators of unauthorized access
- Analysis of available firewall logs for connection attempts from external sources
- Review of RTU configuration states for unauthorized modifications
- Comparison of current SCADA configurations against last known-good backups
Phase 2: Master Station Assessment (Days 6-10)
A thorough assessment of the SCADA master station environment:
- Operating system vulnerability assessment with CVE correlation
- Application security configuration review
- Network exposure analysis from multiple network positions
- Access control and authentication mechanism evaluation
Phase 3: Communication Link Analysis (Days 11-15)
Working with the operator's communications team, we analyzed every communication path:
- Radio link encryption capabilities and current configurations
- Cellular connection security including APN configurations
- Protocol-level analysis of Modbus and DNP3 traffic for anomalies
- Identification of any unauthorized devices communicating on the SCADA network
Phase 4: Field Device Assessment (Days 16-22)
A representative sample of 23 RTUs across different site types was assessed:
- Firmware version audit with CVE correlation
- Communication configuration and authentication review
- Physical security assessment of RTU enclosures and communication equipment
- Local access control and logging capability evaluation
Phase 5: Reporting and Emergency Briefing (Days 23-28)
Given the severity of findings, an emergency briefing was delivered on Day 23.
Key Findings
Critical Finding: Unauthorized Device on SCADA Network
During passive traffic analysis, we identified a device on the SCADA network that was not in any inventory or documentation. The device was actively polling RTUs at regular intervals. Investigation determined it was a monitoring device installed by a contractor during a previous project and never decommissioned. While not malicious, its presence proved that unauthorized devices could exist on the network undetected.
Remediation: Device removed. Network access control procedures established.
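The passive traffic analysis described in Phase 3 and in the finding above can be reduced to a simple check: build an inventory of every host issuing Modbus/TCP requests to RTUs, compare it against the asset register, and separately flag write function codes from anything other than the master station. The following is an added example, not Beacon Security's tooling; the IP addresses, inventory entries and captured frames are constructed for illustration, and the input is assumed to be (src_ip, dst_ip, payload) tuples extracted from a SPAN or tap capture of tcp/502 traffic.

```python
# Added example, not Beacon Security's tooling: passive Modbus/TCP talker inventory
# from a SPAN/tap capture. All addresses and frames below are constructed.
import struct
from collections import defaultdict

INVENTORY = {"10.20.0.10": "SCADA master station", "10.20.0.11": "historian"}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # function codes that change process state

def parse_mbap(payload):
    """Parse MBAP header + function code; return None for a malformed frame."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:  # protocol id is 0; length = unit + PDU
        return None
    return {"tid": tid, "unit": unit, "function": payload[7] & 0x7F}

def analyze(frames, inventory=INVENTORY):
    """frames: (src_ip, dst_ip, payload) for tcp/502 requests to RTUs.
    Returns ({src: {rtus, reads, writes}}, [finding strings])."""
    talkers = defaultdict(lambda: {"rtus": set(), "reads": 0, "writes": 0})
    findings = []
    for src, dst, payload in frames:
        req = parse_mbap(payload)
        if req is None:
            findings.append(f"malformed Modbus frame {src} -> {dst}")
            continue
        talkers[src]["rtus"].add(dst)
        talkers[src]["writes" if req["function"] in WRITE_FUNCTIONS else "reads"] += 1
    for src, t in talkers.items():
        if src not in inventory:  # the un-inventoried poller from the case study
            findings.append(f"uninventoried device {src} polling {len(t['rtus'])} RTU(s): {t['reads']} reads, {t['writes']} writes")
        elif t["writes"] and inventory[src] != "SCADA master station":
            findings.append(f"{src} ({inventory[src]}) issued {t['writes']} write(s)")
    return talkers, findings

def mb_request(tid, unit, function, addr, value):
    """Constructed Modbus/TCP request: FC 3/4 read (value = count) or FC 6 single write."""
    pdu = struct.pack(">BHH", function, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed capture: master polls and writes a setpoint, unknown host 10.20.0.77
# polls every RTU, historian sends one truncated frame.
SAMPLE = [
    ("10.20.0.10", "10.20.1.1", mb_request(1, 1, 3, 0, 10)),
    ("10.20.0.10", "10.20.1.2", mb_request(2, 1, 6, 40, 1)),
    ("10.20.0.77", "10.20.1.1", mb_request(9, 1, 4, 0, 4)),
    ("10.20.0.77", "10.20.1.2", mb_request(10, 1, 4, 0, 4)),
    ("10.20.0.77", "10.20.1.3", mb_request(11, 1, 4, 0, 4)),
    ("10.20.0.11", "10.20.1.3", b"\x00\x0c\x00\x00\x00\x01"),
]
```

Running `analyze(SAMPLE)` on the constructed capture reports the malformed historian frame and the un-inventoried host polling three RTUs, while the master's own setpoint write raises nothing because it is the one device expected to write.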
Critical Finding: Cleartext SCADA Traffic
All SCADA communications were transmitted without encryption. An attacker with access to the communication path could intercept operational data and potentially inject control commands.
Remediation: Encrypted communication pilot initiated for the highest-risk links within 60 days.
Critical Finding: End-of-Life Master Station OS
The SCADA master station had multiple known vulnerabilities with public exploit code. Because the master station was internet-exposed, these vulnerabilities had been directly reachable from the internet for the duration of the exposure.
Remediation: Master station upgrade expedited. Compensating controls applied immediately.
High Finding: Persistent Vendor Access with Shared Credentials
Three vendor VPN connections were active 24/7. Credentials for one vendor had been shared with seven different technicians over two years, with no password rotation.
Remediation: All vendor VPN connections converted to on-demand model within 30 days. Individual credentials issued with MFA.
Outcome
The assessment confirmed that while the internet exposure was a critical misconfiguration, no evidence of active exploitation was found. However, the limited logging meant this absence of evidence could not be treated as proof of absence: a sophisticated attacker could have covered their tracks.
Deliverables Provided:
- SCADA security assessment report with 18 findings across 4 severity levels
- Internet exposure forensic analysis report
- RTU inventory with firmware and vulnerability correlation for all 23 devices
- Communication security analysis across all master-to-field links
- Remediation roadmap aligned with API 1164 and IEC 62443
Post-Assessment Actions:
- Encrypted communication pilot initiated within 60 days for critical links
- SCADA network segmentation project commenced with a dedicated DMZ
- All vendor remote access converted to monitored, on-demand model within 30 days
- Master station OS upgrade scheduled for the next maintenance window
- Centralized logging and monitoring deployed within 90 days
The operator subsequently engaged Beacon Security to support the SCADA network segmentation and establish ongoing OT security monitoring.
Beacon Security conducts SCADA and OT security assessments for pipeline operators and oil and gas facilities. Contact us to discuss your assessment requirements.
