Ransomware in power utilities: why OT incident response is not IT incident response

The threat
Ransomware in operational technology is a different animal. When attackers encrypt file servers, you lose data. When they encrypt or corrupt programmable logic controllers in a substation, you lose the ability to control physical equipment. The blast radius includes grid stability, public safety, and regulatory penalty under NIS2.
In December 2023, a ransomware group compromised a European distribution system operator through a third-party IT vendor. The attack moved laterally into SCADA historian databases before operators isolated the OT network. Generation capacity was unaffected, but the operator lost visibility into load distribution for 11 hours. In February 2021, a US municipal utility suffered a similar attack that encrypted backup systems for its water treatment SCADA network. Operators reverted to manual control for 72 hours while forensic teams rebuilt controller configurations from paper records.
These incidents share a pattern: the threat moved from IT into OT through inadequately segmented networks or vendor access paths. Once inside the OT perimeter, standard IT recovery playbooks failed. You cannot restore a PLC from last night's backup if the backup itself was network-accessible and encrypted. You cannot roll back firmware on a substation relay without physical access and vendor-specific tools.
Risks it creates for the enterprise
The operational risk is loss of control. If ransomware corrupts the logic in a breaker controller or a transformer protection relay, operators cannot safely energise or de-energise circuits. Manual override exists, but it is slower and error-prone under time pressure. The 2021 incident in the US required operators to calculate chlorine dosing by hand because the SCADA system that automated those calculations was offline.
Financial risk scales with duration. Every hour of reduced generation or distribution capacity is lost revenue. More significant is the regulatory exposure. Under NIS2, essential entities must report significant incidents within 24 hours and provide detailed assessments within 72 hours. Failure to demonstrate adequate preventive measures or timely notification can trigger penalties up to €10 million or 2% of global turnover. For a mid-sized distribution operator, that is not a rounding error.
Reputational damage compounds when the public loses power. A ransomware attack that forces load shedding or rolling blackouts becomes a front-page story. Customers do not distinguish between "IT ransomware that spread to OT" and "we failed to secure critical infrastructure." The distinction matters to you; it does not matter to them.
Regulatory consequences extend beyond fines. NIS2 mandates that national authorities can impose binding instructions on operators who demonstrate insufficient cyber hygiene. In practice, this means external audits, mandatory remediation plans, and oversight that persists long after the incident is resolved.
Likelihood-reducing controls
Network segmentation is the first barrier. OT networks must be physically or cryptographically isolated from IT networks. This is not a VLAN. This is a unidirectional gateway or a demilitarised zone with strict firewall rules that permit only specific historian data flows from OT to IT. No reverse traffic. No exceptions for "just this one vendor tool."
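As an added illustration (this is example code written for this page, not the article's own material or any vendor's configuration), the following Python script audits a candidate IT/OT boundary ruleset against exactly that policy: the only cross-boundary allow is the historian push from OT into the DMZ, any allow rule whose destination is the OT zone is flagged as reverse traffic, OT egress rules must be pinned to one protocol and port, and the ruleset must end with an explicit deny-all. The zone addressing, the historian port 5450, the rule format and the sample rules are all constructed assumptions.

```python
"""Audit a proposed OT/IT boundary ruleset against a 'historian-only, OT->DMZ,
no reverse traffic, default deny' policy.  Zones, ports and rules below are
constructed for the example and are not a real utility's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone addressing (assumption, not real infrastructure).
OT_NET = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
DMZ_NET = ipaddress.ip_network("10.15.0.0/24")
ZONES = (("OT", OT_NET), ("IT", IT_NET), ("DMZ", DMZ_NET))

# The only approved flow leaving OT: historian collector -> DMZ replica on one
# TCP port.  The port number is an assumption for the example.
ALLOWED_OT_EGRESS = {("DMZ", "tcp", 5450)}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None = any
    comment: str = ""


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that contains it, or 'OTHER'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES:
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "OTHER"


def is_default_deny(rule: Rule) -> bool:
    """True for a 'deny any any' rule (both CIDRs have prefix length 0)."""
    return (rule.action == "deny" and rule.proto == "any" and rule.port is None
            and ipaddress.ip_network(rule.src).prefixlen == 0
            and ipaddress.ip_network(rule.dst).prefixlen == 0)


def audit_rules(rules: List[Rule]) -> List[Tuple[Optional[Rule], str]]:
    """Return (rule, reason) for every rule that breaks the boundary policy.
    A missing trailing deny-all is reported with rule=None."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        if src == dst:
            continue  # intra-zone traffic is not a boundary crossing
        if dst == "OT":
            # Nothing may initiate into OT, whatever the source zone.
            violations.append((r, f"reverse traffic into OT from {src}"))
        elif src == "OT":
            if r.proto == "any" or r.port is None:
                violations.append((r, "OT egress rule is not pinned to a single protocol and port"))
            elif (dst, r.proto, r.port) not in ALLOWED_OT_EGRESS:
                violations.append((r, f"OT egress to {dst} {r.proto}/{r.port} is not an approved historian flow"))
    if not rules or not is_default_deny(rules[-1]):
        violations.append((None, "ruleset does not end with an explicit deny-all"))
    return violations


# Constructed candidate ruleset: two compliant rules, two that the policy rejects.
CANDIDATE_RULES = [
    Rule("allow", "10.20.5.10/32", "10.15.0.20/32", "tcp", 5450, "historian push OT->DMZ"),
    Rule("allow", "10.10.0.0/16", "10.15.0.20/32", "tcp", 443, "IT reads the DMZ historian"),
    Rule("allow", "10.10.44.7/32", "10.20.0.0/16", "tcp", 3389, "'just this one vendor tool'"),
    Rule("allow", "10.20.0.0/16", "10.10.0.0/16", "any", None, "legacy catch-all"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "default deny"),
]

if __name__ == "__main__":
    for rule, reason in audit_rules(CANDIDATE_RULES):
        label = rule.comment if rule else "<ruleset>"
        print(f"VIOLATION [{label}]: {reason}")
```

Run against the constructed ruleset, the audit rejects the vendor RDP rule (reverse traffic into OT) and the legacy catch-all (OT egress not pinned to a port), while the historian push and the IT read of the DMZ replica pass. The same check is cheap to run in change control before a rule reaches the boundary firewall.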
Remote access to OT systems requires multi-factor authentication and session logging. Every vendor, every contractor, every remote diagnostic session is logged with timestamp, user identity, and actions taken. If a third party needs access to a substation controller, that access is time-limited, monitored, and revoked immediately after the session ends.
IEC 62443 provides a structured framework for industrial control system security. Compliance with 62443-3-3 (system security requirements) and 62443-4-2 (component security requirements) reduces the likelihood that an attacker can exploit known vulnerabilities in OT devices. This means patching where possible, compensating controls where patching is not possible, and lifecycle management that retires unsupportable equipment.
Third-party access is the most common ingress vector. Vendor remote support tools, contractor laptops, and cloud-based monitoring platforms all create pathways from the internet into OT environments. Each pathway must be inventoried, justified, and secured. If a vendor insists on persistent remote access, the answer is no. Scheduled access windows with operator oversight are the compromise.
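The two requirements above, time-limited and monitored vendor sessions and an inventoried list of who may reach what, can be checked against the session log. The following Python detection logic is an added example, not code from the article or any product: it parses a constructed key=value session log, checks every session start against a pre-approved (user, target) access window, flags sessions without MFA, and reports any session still open after its window expired as "not revoked". The log format, usernames, device names and windows are all constructed for the example.

```python
"""Detection logic for third-party remote sessions into OT.  Every session
must fall inside a pre-approved, time-limited window for that (user, target)
pair, must use MFA, and must be closed by the time the window ends.  The log
format and all sample values are constructed for this example."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' (constructed format) into a dict."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for kv in kvs:
        k, v = kv.split("=", 1)
        rec[k] = v.strip('"')
    return rec


def check_sessions(lines: List[str],
                   windows: Dict[Tuple[str, str], Tuple[datetime, datetime]],
                   now: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, target, reason) findings for sessions that break policy."""
    findings = []
    open_sessions = {}          # (user, target) -> start time of an unclosed session
    for rec in map(parse_line, lines):
        key = (rec["user"], rec["target"])
        if rec["event"] == "session_start":
            win = windows.get(key)
            if win is None:
                findings.append((*key, "no approved access window for this user/target"))
            elif not (win[0] <= rec["ts"] <= win[1]):
                findings.append((*key, f"session started outside window at {rec['ts'].isoformat()}"))
            if rec.get("mfa") != "yes":
                findings.append((*key, "session established without MFA"))
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "session_end":
            open_sessions.pop(key, None)
    # Anything still open once its window has passed was not revoked.
    for key, started in open_sessions.items():
        win = windows.get(key)
        if win is None or now > win[1]:
            findings.append((*key, f"session open since {started.isoformat()} past window end, not revoked"))
    return findings


def utc(hour: int, minute: int = 0) -> datetime:
    """Helper for the constructed sample day."""
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


# Constructed approved windows: one vendor, two devices, one hour or two each.
WINDOWS = {
    ("vendor.acme", "sub07-rtu01"): (utc(9), utc(11)),
    ("vendor.acme", "sub07-rtu02"): (utc(13), utc(14)),
}

# Constructed session log for the same day.
LOG = [
    "2024-03-04T09:12:03Z user=vendor.acme target=sub07-rtu01 mfa=yes event=session_start",
    '2024-03-04T09:12:40Z user=vendor.acme target=sub07-rtu01 mfa=yes event=cmd action="read_config"',
    "2024-03-04T10:05:11Z user=vendor.acme target=sub07-rtu01 mfa=yes event=session_end",
    "2024-03-04T11:30:00Z user=vendor.acme target=sub07-rtu01 mfa=yes event=session_start",
    "2024-03-04T11:45:00Z user=vendor.acme target=sub07-rtu01 mfa=yes event=session_end",
    "2024-03-04T13:30:00Z user=vendor.acme target=sub07-rtu02 mfa=no event=session_start",
    "2024-03-04T14:00:00Z user=contractor.bob target=sub12-plc03 mfa=yes event=session_start",
]
NOW = utc(15)

if __name__ == "__main__":
    for user, target, reason in check_sessions(LOG, WINDOWS, NOW):
        print(f"{user} -> {target}: {reason}")
```

On the constructed log the first session is clean and produces nothing; the 11:30 session is outside its window, the rtu02 session lacks MFA and is never closed, and the contractor's session has no approved window at all and is likewise still open at 15:00. Run periodically against the jump host or gateway log, this turns "time-limited, monitored, revoked" from a policy sentence into something that alerts when it is not true.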
Impact-reducing mitigations
An OT-specific incident response playbook is not optional. The playbook must include decision trees for isolating compromised segments, procedures for manual operation of critical equipment, and contact lists for equipment vendors who can provide emergency support. This playbook is tested annually in tabletop exercises that involve operations staff, not just IT security.
Offline backup integrity is the difference between a three-day recovery and a three-week recovery. Controller configurations, relay settings, and SCADA application databases must be backed up to offline media that is physically disconnected from the network. These backups are tested quarterly by restoring them to a non-production environment and verifying that the restored configuration matches the current production state.
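The quarterly restore test described above has two distinct questions: did the offline media come back intact, and does what it contains still match what is running in the field? The following Python example, added for this page and not the article's own procedure, answers both with a hash manifest written at backup time: each restored file is compared against the manifest (media corruption or tampering), and each current production configuration is compared against the same manifest (drift, meaning the backup is stale). Device names and configuration contents are constructed.

```python
"""Verify an offline backup of controller configurations.  A SHA-256 manifest
is written when the backup is taken and stored with the offline media; at test
time the restored files are checked against it, and the current production
state is checked against it as well.  All device names and configuration
blobs below are constructed for the example."""
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(configs: Dict[str, bytes]) -> Dict[str, str]:
    """{device: config bytes} -> {device: sha256}.  Write this alongside the media."""
    return {name: sha256_hex(blob) for name, blob in sorted(configs.items())}


def verify_restore(manifest: Dict[str, str],
                   restored: Dict[str, bytes],
                   production: Dict[str, bytes]) -> Dict[str, str]:
    """Return a per-device verdict covering media integrity and production drift."""
    findings = {}
    for device in sorted(set(manifest) | set(restored) | set(production)):
        expected = manifest.get(device)
        r = restored.get(device)
        p = production.get(device)
        if expected is None:
            findings[device] = "not in backup manifest: never backed up"
        elif r is None:
            findings[device] = "missing from restored set: media incomplete"
        elif sha256_hex(r) != expected:
            findings[device] = "restored file does not match manifest: media corrupted or tampered"
        elif p is None:
            findings[device] = "device no longer reports a config: check inventory"
        elif sha256_hex(p) != expected:
            findings[device] = "production config differs from backup: backup is stale"
        else:
            findings[device] = "ok"
    return findings


def backup_is_usable(findings: Dict[str, str]) -> bool:
    """The backup passes the quarterly test only if every device is 'ok'."""
    return all(verdict == "ok" for verdict in findings.values())


# Constructed production state at the time the backup was taken.
PRODUCTION_AT_BACKUP = {
    "sub07-rtu01": b"relay:pickup=1.2A;delay=0.3s\n",
    "sub07-plc02": b"breaker:auto_reclose=1;dead_time=0.5s\n",
    "sub12-plc03": b"xfmr:tap=5;oltc_auto=1\n",
}
MANIFEST = build_manifest(PRODUCTION_AT_BACKUP)

# Quarterly test inputs (constructed): what came back off the media, and what
# the field devices report today.
RESTORED = dict(PRODUCTION_AT_BACKUP)
RESTORED["sub07-plc02"] = b"breaker:auto_reclose=1;dead_time=0.9s\n"   # altered on the media
PRODUCTION_NOW = dict(PRODUCTION_AT_BACKUP)
PRODUCTION_NOW["sub12-plc03"] = b"xfmr:tap=6;oltc_auto=1\n"            # changed since backup
PRODUCTION_NOW["sub19-rtu04"] = b"relay:pickup=0.8A;delay=0.2s\n"      # commissioned after backup

if __name__ == "__main__":
    results = verify_restore(MANIFEST, RESTORED, PRODUCTION_NOW)
    for device, verdict in results.items():
        print(f"{device}: {verdict}")
    print("backup usable:", backup_is_usable(results))
```

On the constructed inputs one device is fine, one restored file fails the manifest check, one production device has drifted since the backup, and one was never backed up, so the backup fails the test. Keep the manifest on the same offline media as the backup (with a second copy elsewhere) so that a network-accessible share cannot be encrypted or edited along with the backups it describes.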
Communication trees must include the transmission system operator and the national regulatory authority. Under NIS2, you have 24 hours to notify. That notification is not an email to a generic inbox. It is a phone call to a named contact, followed by written confirmation. The communication tree also includes internal stakeholders: the board, the CEO, the legal team, and the public relations function. Everyone knows their role before the incident occurs.
Recovery from an OT ransomware incident assumes that some equipment will need to be replaced, not restored. If an attacker has had access to a PLC for an unknown duration, you cannot trust that device even after re-flashing firmware. The cost of replacement is lower than the cost of operating compromised equipment. Budget for this.
---
For a Head of Risk at a power utility, the implication is that OT ransomware is a board-level risk that requires board-level investment in segmentation, access control, and recovery capability. The question is not whether an attack will occur, but whether your organisation can maintain safe operations when it does.