
Cybersecurity for industrial electrical infrastructure

Electrical infrastructure used to be air-gapped. Today, electrical power monitoring systems (EPMS), building management systems (BMS), generator controllers, UPSs, and protective relays all connect to networks. The cybersecurity exposure that comes with that connectivity gets overlooked during construction and discovered during operations, usually after an incident.

Why this matters now

A decade ago, electrical infrastructure was largely isolated. Protective relays talked to nothing. Generator controllers had local displays only. BMS connected to a single building’s HVAC. The attack surface was physical access, and the controls were locks and cameras.

Today, the same infrastructure is networked. SEL relays expose engineering ports over Ethernet for remote settings changes. Generator controllers report status to vendor cloud platforms. EPMS platforms publish data to corporate dashboards. The BMS interfaces with corporate IT for energy reporting. The attack surface has expanded dramatically, and many facilities aren’t configured for the threat model that comes with that connectivity.

The threat model

What attackers actually want from electrical infrastructure:

  • Ransomware coverage expansion. An attacker with ransomware on the corporate network wants every connected system encrypted. EPMS, BMS, and other OT-adjacent systems are valuable targets because they affect operations and increase pressure to pay.
  • Lateral movement. OT systems with weak authentication often serve as lateral movement vectors into other networks. An EPMS server with default credentials on a flat network is a foothold into everything else on that network.
  • Operational disruption. For state-sponsored actors targeting critical infrastructure, the ability to remotely operate generators, change protective relay settings, or disable monitoring is operationally significant. Industroyer (the 2016 Ukrainian grid attack, followed by Industroyer2 in 2022) and Triton/Trisis (the 2017 attack on safety instrumented systems) demonstrate sustained interest in industrial control systems; Industroyer in particular drove substation protocols (IEC 61850, IEC 60870-5-104) directly to operate breakers.
  • Information theft. Energy consumption data, operational schedules, and similar information from EPMS and BMS can support broader reconnaissance.

The connectivity that creates exposure

Protective relays

Modern protective relays (SEL, GE Multilin, ABB, Siemens) have engineering ports, often exposed via Ethernet for remote configuration. Default passwords, weak authentication, and unsegmented network exposure create real risk: an engineering-port session can change settings that determine whether a fault is cleared. NERC CIP requirements address this for utilities, but commercial and industrial facilities often have similar exposure without similar controls.

Generator, transfer switch, and UPS controllers

Cummins PowerCommand, Caterpillar EMCP, Kohler, ASCO, Russelectric, Eaton, Vertiv: generator, automatic transfer switch, and UPS controllers from all of these vendors ship with IP-connected management interfaces. Default credentials are common. Cloud connectivity is increasingly default-on.

EPMS platforms

Schneider PME, Eaton Power Xpert, ABB Ability, custom SCADA-based EPMS — all expose web interfaces, APIs, and database access. Many also connect to cloud platforms for trending and analytics.

BMS networks

Johnson Controls Metasys, Honeywell EBI, Siemens Desigo, Schneider EcoStruxure — the BMS frequently bridges into corporate IT for energy reporting, scheduling, and remote operations. The bridge creates attack surface in both directions.

Smart meters and submeters

Networked meters from Schneider PowerLogic, Eaton Power Xpert, GE Multilin, and others. Often on the BMS network, sometimes on the corporate network.

Lighting control systems

Networked lighting controls (Acuity nLight, Hubbell NX, Lutron Athena) are increasingly cloud-connected. Each connection is a potential entry point.

Standards and frameworks

Several standards apply to OT cybersecurity:

  • NIST SP 800-82 — Guide to Operational Technology (OT) Security (Rev. 3; earlier revisions were titled Guide to Industrial Control Systems (ICS) Security). The most comprehensive general framework.
  • NERC CIP — Mandatory for entities registered with NERC on the North American bulk electric system. Sometimes voluntarily adopted as a reference by commercial/industrial facilities.
  • IEC 62443 — International standard series for industrial automation and control system security, covering zones and conduits, security levels, and product and process requirements. Increasingly referenced in specifications.
  • ISA-95 / IEC 62264 — Enterprise-control system integration. Its level hierarchy (Levels 0 through 4) is the Purdue Model that underpins the segmentation guidance in NIST SP 800-82 and IEC 62443.
  • NIST Cybersecurity Framework (CSF) — General cybersecurity framework that organizations use to structure their broader security program. OT systems are addressed within that broader framework.

Architecture decisions during design

What should be addressed during construction:

Network segmentation

OT systems on dedicated network segments separated from corporate IT by firewalls. The Purdue Model defines the level structure in detail. Implementations range from VLANs with inter-VLAN filtering to physically separate networks with industrial firewalls (Cisco ISA 3000, Fortinet FortiGate Rugged, Belden/Tofino). A VLAN with no firewall or ACL between it and corporate IT is addressing, not segmentation.

Default credential elimination

Every device with default credentials gets them changed at commissioning. Documented credential management going forward. Bid documents should explicitly require this.

Authentication and access control

Role-based access control on EPMS and BMS platforms. Active Directory integration where supported. Multi-factor authentication for remote access. Service accounts documented and managed.

Encryption

TLS for web interfaces. Secured protocol variants where the equipment supports them: Modbus/TCP Security (Modbus over TLS on port 802), MQTT over TLS, DNP3 Secure Authentication, and IEC 62351 for IEC 61850 and IEC 60870-5-104. Many older OT protocols (plain Modbus/TCP, BACnet/IP, DNP3 without Secure Authentication) carry no encryption or authentication natively, which is part of why segmentation matters so much.
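
As an added illustration (not code from the original page), the decoder below shows what a tap on an unsegmented network sees in a plain Modbus/TCP exchange: the function code, register address, and value of a write are all readable, and nothing in the frame authenticates the sender. Modbus/TCP Security wraps this same PDU in TLS; without it, the only thing between a corporate-side host and a write to a generator controller is the segment boundary. The frames are hand-constructed, and treating register 1 on unit 1 as a controller setpoint is an assumption.

```python
"""Decode Modbus/TCP frames to show what an unencrypted OT protocol exposes.

Added example, not code from the original page. The frames below are
constructed by hand; treating register 1 on unit 1 as a generator controller
setpoint is an assumption for illustration only.
"""
import struct

# Function codes that change device state (Modbus Application Protocol spec).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed frames: MBAP header (transaction id, protocol id 0, length,
# unit id) followed by the PDU (function code + data).
WRITE_SINGLE_FRAME = bytes.fromhex("0012 0000 0006 01 06 0001 0000")   # FC 06: reg 1 := 0
READ_HOLDING_FRAME = bytes.fromhex("0013 0000 0006 01 03 000A 0002")   # FC 03: read 2 regs @10
WRITE_MULTI_FRAME = bytes.fromhex("0014 0000 000B 01 10 0010 0002 04 0001 0002")  # FC 16


def decode_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU behind it.

    Raises ValueError on malformed input so a passive monitor does not
    crash on truncated or non-Modbus traffic.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    pdu = frame[7:]
    # The MBAP length field counts the unit id byte plus the PDU.
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match frame size")
    fc = pdu[0]
    rec = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
           "is_write": fc in WRITE_FUNCTION_CODES}
    if fc in (5, 6):              # write single coil / write single register
        addr, value = struct.unpack(">HH", pdu[1:5])
        rec.update(address=addr, values=[value])
    elif fc == 16:                # write multiple registers
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ValueError("write multiple registers: byte count mismatch")
        rec.update(address=addr, values=list(struct.unpack(f">{qty}H", pdu[6:])))
    elif fc in (1, 2, 3, 4):      # read coils / inputs / holding / input registers
        addr, qty = struct.unpack(">HH", pdu[1:5])
        rec.update(address=addr, quantity=qty)
    return rec


def describe(frame: bytes) -> str:
    """One-line summary of the kind a network tap on the OT segment could log."""
    r = decode_modbus_tcp(frame)
    if r["is_write"]:
        return f"unit {r['unit_id']} fc={r['function_code']} WRITE addr={r.get('address')} values={r.get('values')}"
    return f"unit {r['unit_id']} fc={r['function_code']} read addr={r.get('address')} qty={r.get('quantity')}"


if __name__ == "__main__":
    for f in (WRITE_SINGLE_FRAME, READ_HOLDING_FRAME, WRITE_MULTI_FRAME):
        print(describe(f))
```

The `is_write` flag is the field a monitoring rule keys on: on a properly segmented network, a write function code arriving from any address outside the engineering workstation or EPMS server should never happen, and is worth an alert on its own.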

Logging and monitoring

EPMS, BMS, and OT systems generate security-relevant logs: authentication successes and failures, settings changes, firmware loads, and remote-access sessions. Forward them to a central SIEM or security monitoring platform and write detection rules against them. Without monitoring, intrusions go unnoticed for months.

Patch management

OT systems require patches. Patches can’t be applied as casually as on IT systems (operations impact, regression testing). Planned patch windows, tested updates, documented procedures.

Vendor remote access

Equipment manufacturers want remote access for support and updates. Each remote access path is exposure. Vendor access should go through a controlled jump host with logging, per-session access approval, and session recording where available, not a standing vendor VPN or a direct cloud tunnel from the device.
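
The following is an added example, not from the original page, covering both the logging point above and the vendor remote access rule: detection logic run over a few constructed EPMS, relay, and generator-controller log lines. It flags a vendor account that logged in from anywhere other than the jump host, any successful login from outside the OT address space, a failed-login burst against the EPMS, and every relay settings write (so it can be correlated with change control). The key=value log format, host and account names, jump host address, and OT subnet are assumptions chosen for illustration.

```python
"""Detection rules over constructed EPMS/BMS/relay log lines.

Added example, not from the original page. The key=value log format, the
host and account names, the jump host address and the OT subnet are all
assumptions chosen for illustration; map them to your own SIEM fields.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment: vendor support must enter through this jump host and
# every OT device sits in 10.20.0.0/16.
JUMP_HOSTS = {ipaddress.ip_address("10.20.5.10")}
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")
VENDOR_ACCOUNTS = {"svc_vendor", "sel_support", "bms_vendor"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+): (?P<kv>.*)$")

# Constructed sample: an operator login, a password-guessing burst against the
# EPMS admin account, a vendor login via the jump host, a vendor login that
# bypassed it from the corporate side, a relay settings write, and one
# unparsable line.
SAMPLE_LOG = [
    "2024-03-04T02:13:07Z epms01 auth: user=operator result=success src=10.20.5.22",
    "2024-03-04T02:13:10Z epms01 auth: user=admin result=failure src=10.20.7.45",
    "2024-03-04T02:13:15Z epms01 auth: user=admin result=failure src=10.20.7.45",
    "2024-03-04T02:13:20Z epms01 auth: user=admin result=failure src=10.20.7.45",
    "2024-03-04T02:13:25Z epms01 auth: user=admin result=failure src=10.20.7.45",
    "2024-03-04T02:13:30Z epms01 auth: user=admin result=failure src=10.20.7.45",
    "2024-03-04T02:14:03Z relay-sw3 auth: user=sel_support result=success src=10.20.5.10",
    "2024-03-04T02:14:40Z gen-ctl1 auth: user=svc_vendor result=success src=172.16.44.9",
    "2024-03-04T02:15:02Z relay-sw3 config: user=sel_support src=10.20.5.10 action=settings_write group=1",
    "this line is not in the expected format",
]


def parse_line(line: str) -> dict | None:
    """Split the syslog-style prefix and the key=value fields; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
           "host": m["host"], "event": m["event"]}
    rec.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return rec


def analyze(lines) -> list[dict]:
    """Return one finding per rule hit: {rule, line, host, user, src}."""
    findings = []
    failures = defaultdict(list)      # (host, user, src) -> failure timestamps
    burst_reported = set()
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue                  # unparsable lines are skipped, not fatal
        src = ipaddress.ip_address(rec["src"])
        base = {"line": n, "host": rec["host"], "user": rec.get("user"), "src": str(src)}
        if rec["event"] == "auth" and rec.get("result") == "success":
            if rec.get("user") in VENDOR_ACCOUNTS and src not in JUMP_HOSTS:
                findings.append({"rule": "vendor-bypassed-jump-host", **base})
            if src not in OT_NETWORK and src not in JUMP_HOSTS:
                findings.append({"rule": "login-from-outside-ot", **base})
        elif rec["event"] == "auth" and rec.get("result") == "failure":
            key = (rec["host"], rec.get("user"), str(src))
            window = failures[key]
            window.append(rec["ts"])
            # keep only the failures inside the sliding window
            window[:] = [t for t in window if rec["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) >= FAILED_LOGIN_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                findings.append({"rule": "failed-login-burst", **base})
        elif rec["event"] == "config":
            # every settings write is surfaced so it can be matched to a change ticket
            findings.append({"rule": "settings-change", **base})
    return findings


def rule_counts(lines) -> dict[str, int]:
    counts = defaultdict(int)
    for f in analyze(lines):
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Note what the jump-host rule does and does not prove: a vendor login from 10.20.5.10 passes because it came through the controlled path, but that is only meaningful if the jump host itself enforces approval and records the session; the log rule checks the path, not the approval.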

Common gaps we see

  • Flat network architecture. EPMS, BMS, and corporate IT on the same VLAN. Lateral movement from any compromised system reaches the entire infrastructure.
  • Default credentials everywhere. Equipment commissioned with vendor defaults. Documented in the O&M manual, accessible to anyone with the manual.
  • Vendor backdoors and undocumented accounts. Equipment manufacturers’ service accounts that owners don’t know exist. Hardcoded credentials in some older equipment.
  • No security commissioning. EPMS and BMS commissioning verifies functionality but not security. Security testing of network architecture, authentication, and access control rarely happens.
  • No incident response plan. What happens if EPMS is ransomed? If the generator controller is compromised? Most facilities have no documented response procedure.
  • Patch backlog. OT systems running firmware from years ago because patching feels risky. Risk accumulates over time.

What to require in specifications

For new construction or major retrofits, specifications that protect against current threats:

  • Network segmentation architecture documented in design
  • Default credentials changed at commissioning
  • Documentation of all network-connected devices with IP addresses, protocols, and authentication mechanisms
  • TLS for all web interfaces
  • Vendor remote access through documented controlled paths
  • Security commissioning as part of system acceptance
  • Patch management procedures and initial firmware baseline documentation
  • Coordination with owner IT/security organization during design
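
Added example, not the original page’s own acceptance procedure: a security-commissioning check that reads the as-built device inventory the specification list above requires (name, address, protocols, authentication mechanism, firmware baseline, remote-access path) and fails acceptance on the gaps named under "Default credential elimination" and "No security commissioning". The inventory rows, the OT subnet, the remote-access categories, and the severity mapping are constructed assumptions.

```python
"""Security-commissioning check over an as-built device inventory.

Added example, not the original page's own acceptance procedure. The
inventory rows, the OT subnet, the remote-access categories and the
severity mapping are constructed assumptions; a real run would load the
inventory the specification requires plus the commissioning agent's
attestations.
"""
import ipaddress

OT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]           # assumed OT address space
CLEARTEXT_PROTOCOLS = {"modbus/tcp", "bacnet/ip", "http", "telnet", "snmpv2c"}
ACCEPTED_REMOTE_ACCESS = {None, "jump_host"}                    # anything else is uncontrolled

# Constructed inventory. "defaults_changed" is the commissioning agent's
# attestation; no password is stored in this record.
INVENTORY = [
    {"name": "relay-sw3", "ip": "10.20.3.11", "protocols": ["dnp3", "telnet"],
     "web": None, "auth": "local", "defaults_changed": True,
     "firmware": "7.2.1", "remote_access": "jump_host"},
    {"name": "gen-ctl1", "ip": "10.20.4.20", "protocols": ["modbus/tcp"],
     "web": "http", "auth": "local", "defaults_changed": False,
     "firmware": None, "remote_access": "cloud"},
    {"name": "epms01", "ip": "10.20.5.40", "protocols": ["https"],
     "web": "https", "auth": "ad", "defaults_changed": True,
     "firmware": "2024.1", "remote_access": "jump_host"},
    {"name": "bms-supervisor", "ip": "192.168.10.8", "protocols": ["bacnet/ip", "https"],
     "web": "https", "auth": "local", "defaults_changed": True,
     "firmware": "11.0", "remote_access": "direct_vpn"},
    {"name": "submeter-7", "ip": "10.20.6.77", "protocols": ["modbus/tcp"],
     "web": None, "auth": "none", "defaults_changed": None,
     "firmware": "1.4", "remote_access": None},
]


def check_device(dev: dict) -> list:
    """Return (code, severity) findings for one inventory row."""
    findings = []
    ip = ipaddress.ip_address(dev["ip"])
    in_ot = any(ip in seg for seg in OT_SEGMENTS)
    if not in_ot:
        findings.append(("OUTSIDE-OT-SEGMENT", "high"))
    if dev["auth"] == "none":
        findings.append(("NO-AUTHENTICATION", "high"))
    elif not dev["defaults_changed"]:
        findings.append(("DEFAULT-CREDENTIALS", "high"))
    if dev["web"] == "http":
        findings.append(("WEB-WITHOUT-TLS", "high"))
    if not dev["firmware"]:
        findings.append(("NO-FIRMWARE-BASELINE", "medium"))
    if dev["remote_access"] not in ACCEPTED_REMOTE_ACCESS:
        findings.append(("UNCONTROLLED-REMOTE-ACCESS", "high"))
    if any(p in CLEARTEXT_PROTOCOLS for p in dev["protocols"]):
        # A cleartext protocol is tolerable only behind the OT segment boundary;
        # the same protocol on a corporate-reachable address is a blocking gap.
        findings.append(("CLEARTEXT-PROTOCOL", "info" if in_ot else "high"))
    return findings


def commission(inventory) -> dict:
    """Run every check; any 'high' finding blocks acceptance."""
    report = {d["name"]: check_device(d) for d in inventory}
    blocking = sorted(n for n, fs in report.items() if any(s == "high" for _, s in fs))
    return {"findings": report, "blocking": blocking, "accept": not blocking}


if __name__ == "__main__":
    result = commission(INVENTORY)
    for name, fs in result["findings"].items():
        print(name, fs or "clean")
    print("ACCEPT" if result["accept"] else f"REJECT: {result['blocking']}")
```

Run against the constructed inventory, the relay passes with an informational note about Telnet on the OT segment, the EPMS server is clean, and the generator controller, the corporate-addressed BMS supervisor, and the unauthenticated submeter each block acceptance. The report itself, with the firmware strings, is the initial baseline the patch-management line in the specification asks for.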

OT cybersecurity scope on your project?

Send us your scope and IT/security requirements. We will engage on architecture and execution planning.