Critical Infrastructure IR: SCADA Compromise and NERC CIP Obligations
Cybersecurity
SCADA compromise in energy and utility sectors triggers NERC CIP reporting obligations and can affect the bulk electric system. This playbook covers IEC 62351, anomaly detection, and regulated incident response.
By Arjun Raghavan, Security & Systems Lead, BIPI · October 8, 2024 · 11 min read
Volt Typhoon's pre-positioning in US electric utility networks, reported by CISA and NSA in 2023, represents the most significant known threat to bulk electric system security in recent years. The campaign focused on living-off-the-land techniques that bypassed signature-based detection and established persistent access to OT-adjacent systems. For energy and utility IR teams, the question is no longer if a nation-state actor is in the network, but where and for how long.
NERC CIP: The Regulatory Framework You Are Already Obligated To Follow
NERC CIP (Critical Infrastructure Protection) standards apply to all owners and operators of bulk electric system (BES) assets. CIP-008 specifically governs incident response: it requires a documented incident response plan, annual testing (at least one test must involve an actual incident or drill that exercises the notification process), and reporting to NERC's Electricity Information Sharing and Analysis Center (E-ISAC) for significant incidents.
- CIP-008-6 defines a Cyber Security Incident as any malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of a BES Cyber System.
- Reportable Cyber Security Incidents (those that compromise or attempt to compromise a BES Cyber System) must be reported to E-ISAC and ICS-CERT within one hour of confirmation.
- CIP-010 governs configuration change management. Any unauthorized change to a BES Cyber System must be detected and logged.
- CIP-007 requires ports and services management. SCADA systems should have only the minimum necessary listening ports.
IEC 62351: Security for Power System Communications
IEC 62351 provides security standards for power system communication protocols including IEC 60870-5 (SCADA), IEC 60870-6 (ICCP), IEC 61850 (substation automation), and DNP3. Gaps in IEC 62351 controls (missing TLS, unauthenticated DNP3 commands, unencrypted ICCP sessions) are key findings during incident investigation, because they show where an attacker could have interacted with control protocol traffic without detection.
SCADA Anomaly Detection: What to Look For
Most energy utility OT networks have limited security monitoring. The primary data sources for anomaly detection are: SCADA historian data, energy management system (EMS) event logs, firewall logs at the IT/OT boundary, and serial tap data if available. Behavioral anomalies in SCADA data are often the first indicator of compromise.
- Unexpected polling frequency changes: A compromised SCADA master may poll RTUs at unusual intervals as an attacker maps the environment.
- Control commands outside normal operational windows: Breaker operations or setpoint changes at 2 AM that do not correlate with a scheduled maintenance window.
- New SCADA client connections: Any new source IP making ICCP or DNP3 connections that is not in the approved system baseline.
- Authentication failures on historian or EMS servers: Credential-based attacks on IT-adjacent OT systems are often the precursor to deeper OT access.
- Data exfiltration from the historian: Bulk queries against the historian for process data across multiple substations or generation units simultaneously.
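The following is an added example, not code from the original article or from any monitoring vendor, showing how three of the indicators above (unapproved DNP3/ICCP clients, control commands outside a maintenance window, and polling-interval deviation) can be checked against an approved baseline. The event format, IP addresses, window times and RTU names are constructed for illustration.

```python
from datetime import datetime, time
from statistics import median

# Constructed baseline of hosts approved to open DNP3/ICCP sessions (hypothetical values).
APPROVED_CLIENTS = {"10.20.1.10", "10.20.1.11"}
# Constructed scheduled maintenance window; control operations outside it are flagged.
MAINT_START, MAINT_END = time(8, 0), time(17, 0)

# Constructed sample events: boundary-firewall sessions, master control commands, RTU polls.
EVENTS = [
    {"ts": "2024-10-01T09:15:00", "type": "conn", "src": "10.20.1.10", "proto": "dnp3"},
    {"ts": "2024-10-01T02:07:00", "type": "conn", "src": "10.20.9.77", "proto": "dnp3"},
    {"ts": "2024-10-01T02:09:30", "type": "control", "src": "10.20.9.77", "op": "breaker_open", "point": "BKR-12"},
    {"ts": "2024-10-01T10:00:00", "type": "control", "src": "10.20.1.10", "op": "setpoint", "point": "MW-04"},
    {"ts": "2024-10-01T09:00:00", "type": "poll", "rtu": "RTU-07"},
    {"ts": "2024-10-01T09:00:10", "type": "poll", "rtu": "RTU-07"},
    {"ts": "2024-10-01T09:00:20", "type": "poll", "rtu": "RTU-07"},
    {"ts": "2024-10-01T09:00:21", "type": "poll", "rtu": "RTU-07"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def unapproved_clients(events):
    """Source IPs opening control-protocol sessions that are not in the approved baseline."""
    return sorted({e["src"] for e in events
                   if e["type"] == "conn" and e["proto"] in ("dnp3", "iccp")
                   and e["src"] not in APPROVED_CLIENTS})

def off_window_controls(events):
    """Breaker/setpoint commands issued outside the scheduled maintenance window."""
    return [(e["ts"], e["src"], e["op"], e["point"]) for e in events
            if e["type"] == "control" and not (MAINT_START <= _ts(e).time() <= MAINT_END)]

def polling_anomalies(events, tolerance=0.5):
    """Per-RTU poll intervals deviating from that RTU's median interval by more than `tolerance`."""
    polls = {}
    for e in sorted((e for e in events if e["type"] == "poll"), key=_ts):
        polls.setdefault(e["rtu"], []).append(_ts(e))
    flagged = {}
    for rtu, stamps in polls.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue  # not enough history to establish a baseline interval
        base = median(gaps)
        bad = [g for g in gaps if abs(g - base) > tolerance * base]
        if bad:
            flagged[rtu] = {"median_s": base, "deviant_intervals_s": bad}
    return flagged

def run_checks(events=EVENTS):
    return {"unapproved_clients": unapproved_clients(events),
            "off_window_controls": off_window_controls(events),
            "polling_anomalies": polling_anomalies(events)}
```

In production the baseline set and maintenance windows would come from the CIP-010 approved configuration and the work-order system rather than constants, and the events from the firewall, EMS and historian sources listed above.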
Incident Response Steps for SCADA Compromise
- Convene the crisis team: CISO, VP Operations, Control Room Manager, Legal (NERC CIP compliance counsel), and the account manager for your SCADA vendor.
- Notify E-ISAC and ICS-CERT within one hour of confirming a BES Cyber System is involved. Early notification is required and also gets you access to government threat intelligence.
- Do not isolate the SCADA master from RTUs without explicit authorization from the Control Room Manager. Loss of supervisory control during certain grid conditions can cause cascading failures.
- Preserve SCADA server memory images and application logs before any remediation. SCADA historians often contain the clearest record of attacker activity.
- Contact your SCADA vendor's emergency support. Most major vendors (GE, ABB, Siemens, Schneider Electric) have 24-hour emergency lines for utility clients.
NERC CIP violations carry fines up to 1 million USD per violation per day. An inadequate incident response plan is itself a CIP-008 violation, independent of the underlying incident.
Forensic Challenges Specific to Energy OT
Energy sector SCADA systems often run on proprietary operating systems or hardened embedded Linux with minimal logging capability. Standard DFIR tools may not be compatible. Engage a DFIR firm with specific OT/ICS experience and NERC CIP regulatory knowledge. The forensic report will be scrutinized by NERC auditors, and gaps in the investigation will generate additional compliance questions.
Post-Incident Hardening for BES Environments
- Implement authenticated DNP3 (IEEE 1815-2012 Secure Authentication v5) for all master-RTU communications.
- Deploy a dedicated OT security monitoring platform (Claroty, Dragos, Nozomi) that passively captures and analyzes SCADA protocol traffic without active scanning.
- Establish a formal change management process for all SCADA system changes under CIP-010. Every configuration change must be logged against an approved baseline.
- Conduct red team exercises specifically targeting the IT/OT boundary at least annually. Test whether an attacker with IT network access can reach the SCADA DMZ.
- Review and enforce the Electronic Security Perimeter (ESP) requirements under CIP-005. Every access point into the ESP must be documented and monitored.