Addressing Cybersecurity Threats in SCADA Systems through Enhanced Surveillance

By Jason Chiu

Cybersecure AXIS C3546-LVE

In the energy sector, Supervisory Control and Data Acquisition (SCADA) is the nerve center. It picks up the first hints of equipment stress, follows pressure and flow across vast pipeline networks, and coordinates the signals that keep plants and grids stable. As operational technology (OT) and information technology (IT) have become more interconnected, that centrality has created vulnerabilities on multiple fronts. Cyber threats can manipulate setpoints or suppress alarms, while physical intrusions – often the first step in a breach – can give attackers a foothold inside critical systems.

Cybersecurity programs have matured across the sector, yet many compromises still hinge on a physical step, such as a cabinet opened, a device swapped, or a laptop connected after hours. Modern surveillance addresses that seam. Rather than functioning as a record-and-review tool, it operates as a network-aware (integrated with site networks and security systems, not standalone) and secure-by-design (built with protections like encrypted comms, signed firmware, and secure boot) layer that supplies verifiable, time-stamped signals into a shared operational view spanning both the security operations center (SOC) and control rooms.

Across generation plants, compressor stations, and substations, surveillance functions as part of a digital-physical sensor grid – hardened at the edge, encrypted in transit, and tied to access control and telemetry – so incidents surface quickly with the context need for timely, coordinated action.

The Evolving Threat Picture

Two shifts appear to be shaping the risk environment. First, convergence: SCADA environments no longer function as fully isolated islands. Remote maintenance, converged networks, and analytics that feed multiple systems can link OT and IT more tightly than in the past. That connectivity may improve efficiency but also widen the potential attack surface.

For example, a turbine vendor may connect remotely to check performance, while pipeline flow and compressor data stream to a cloud dashboard. Those links speed maintenance and reporting, but they also introduce paths that, if misused, could mute alarms or change setpoints.

Second, attacker tactics are often subtle. Rather than launching noisy, easily detected attacks, bad actors may use valid credentials, move laterally through connected IT and OT systems, and make small configuration changes that blend in with normal activity. These quiet intrusions can resemble operator error, delaying detection and response.

For example, a compromised contractor account might be used after hours to disable an alarm on a remote recloser, while a rogue device added inside a switch cabinet at an unmanned substation creates a backdoor into the network.

Together, these two shifts – greater connectivity and quieter, more blended attack methods – highlight the need for defenses that see both the digital and physical dimensions of a breach. Surveillance technologies, when properly secured and integrated, can provide that bridge.

The First Line of Defense: Secure Devices

Building defenses starts at the edge. If the cameras, sensors, and access control devices connected to SCADA networks are not inherently trustworthy, they can become entry points rather than safeguards. Secure-by-design endpoints provide a hardened baseline, ensuring that the surveillance layer strengthens, rather than weakens, overall defenses.

To serve that role, endpoints should meet these baseline characteristics:

Hardware root of trust & secure boot. The device verifies its own software at startup and refuses to run if the code has been altered, preventing tampered firmware from running in the field.
Unique device identities (certificates, TPM-backed keys). Each device presents a cryptographic identity stored in secure hardware so legitimacy can be proven before granting access.
Signed, encrypted updates. The device installs only verified firmware, enabling safe, timely patching.
Hardened defaults (strong credentials, minimal services, role-based access, logging). Devices are shipped locked down: unique passwords, only necessary functions active, clear “who can do what” roles, and built-in activity logs.

Together, these characteristics create a trusted foundation at the edge, reducing the chances that surveillance devices become weak links in SCADA networks while serving their primary function of detecting and alerting on intrusions.

Data Center Monitored for Threats

Protecting Data in Motion and Limiting Blast Radius

With trustworthy devices at the edge, the next layer is protecting what those devices send and controlling how that traffic moves. Surveillance devices generate high-value data, so protecting that traffic – and constraining its blast radius if something goes wrong – is essential.

To help prevent interception and tampering, securely configured surveillance systems use encryption in transit – Transport Layer Security (TLS) for management and control channels and Secure Real-Time Transport Protocol (SRTP) for media streams. In practical terms, commands, configurations, and video remain confidential and intact between field devices and trusted systems.

In energy operations, this keeps live feeds (and configuration changes) from switchyards, control buildings or compressor halls protected as they traverse shared links back to control rooms or the SOC.

Limiting exposure also depends on network segmentation, which involves using virtual local area networks (VLANs) security zones, firewalls, and precise access rules. Placing cameras, intercoms, audio analytics, and access control on defined segments with tightly governed pathways reduces the chance that an issue in the surveillance layer can move laterally into SCADA controls.

For example, a compromise on a yard camera should not provide a path to programmable logic controllers (PLCs) managing generator protection, gas compression, or substation breakers. Clear separation makes abnormal traffic easier to detect and contain, especially at unmanned gates and remote substations.

Finally, integrations should be constrained through authenticated, least-privileged access, using tokens or certificates and scoped permissions. Systems exchanging data with surveillance, such as SCADA alarms, security information and event management (SIEM) platforms, incident tools, should prove identity and operate only with the permissions necessary for their role.

For example, an external analytics service might receive event metadata for condition monitoring without any ability to change camera settings. When a vendor needs to troubleshoot a control-room intercom, access can be limited to a specific device group and time window, reducing the risk if credentials are misused.

Taken together, encryption, segmentation, and disciplined integration make surveillance data both trustworthy and contained – creating the conditions for effective monitoring and coordinated response.

Turning Surveillance into a Cyber Defense Sensor Layer

Modern surveillance acts as an active sensor layer. Beyond recording video, they analyze activity and device behavior in real time, generating signals that strengthen cybersecurity and operational awareness.

Through device-behavior monitoring, cameras and related devices raise early indicators when behavior is abnormal, such as unusual outbound connections or attempts to disable protections. At a compressor station, a field camera suddenly contacting an unknown address after hours is a clear signal to investigate.

Analytics also add scene awareness, detecting conditions and behaviors in the physical environment that warrant attention, like a cabinet door left open or a vehicle crossing a restricted line. In practice, a door reopening after a maintenance window closes at a substation, or a truck entering a no-go zone, prompts follow up.

With integrity signaling, devices report on their own trust and timekeeping state, including failed firmware validation and certificate expiration. Routed to SIEM and the control room, these signals become earlier, corroborated warnings and enable faster, evidence-based response.

When those signals automatically pull relevant video or escalate access events into the SIEM system, early cues become coordinated action.

A Lean Checklist for Energy Sites

A concise set of controls cover devices, networks, identities, telemetry, and assurance – and holds up at remote, lightly staffed facilities.

Co-design with cybersecurity requirements. Write encryption, certificate handling, time synchronization, password policy, and log formats into procurement and design. Do not deploy devices that cannot meet these basics.
Harden before installation. Set unique passwords, update firmware, disable unneeded services, and lock management ports before gear arrives on site.
Control access. Use role-based access control (RBAC) with multi-factor authentication (MFA), manage credentials centrally, and avoid shared admin accounts.
Practice structured logging to SIEM. Send searchable records (e.g., firmware events, authentication attempts, network anomalies) to the SIEM. Define retention and export stems so video and logs hold up as evidence.
Maintain and validate continuously. Conduct penetration tests at remote sites, rotate keys, remove unused certificates, update device OS’s regularly, confirm revocations block access, and tune analytics to minimize false positives while preserving sensitivity.
Manage evidence consistently. Define retention periods, enforce encryption at rest, document export procedures with hashing, and maintain chain-of-custody workflows so video and logs serve as trusted forensic artifacts.
Run joint exercises. Tabletop scenarios where a physical alert drives a cyber control decision to clarify roles, rehearse hand-offs, and set success criteria for physical security, OT, and SOC teams.

Applied consistently, this checklist turns surveillance and SCADA into a cohesive defense rather than separate systems.

A Shared Operational Picture

Energy operations face blended risk: interconnected SCADA environments, quiet intrusion tactics, and geographically distributed assets that include remote and lightly staffed sites. A resilient posture begins at the edge with secure-by-design devices, protects data in motion through encryption and segmentation, and uses surveillance as an active sensor layer that feeds verifiable signals to the control room and the SOC.

When those signals drive coordinated workflows – linking video, access control, network telemetry, and incident playbooks – teams gain earlier, corroborated warnings and a faster path from detection to action. Sustaining that advantage depends on discipline: hardening and patching on schedule, role- and time-bound access, structured logging that stands up as evidence, continuous validation, and regular joint drills.

Taken together, these practices transform surveillance from a passive witness into a reliable part of cyber defense – supporting safe, stable operations across plants, pipelines, compressor stations, and substations.

BIO

Jason Chiu is the Professional Services Group Manager with Axis Canada. He has a background in IT and networking and has spent over 18 years in the security industry, from being an integrator, consultant and manufacturer. Jason is an ASIS board certified Physical Security Professional (PSP), is trained in Critical Infrastructure Protection (CIP), Crime Prevention Through Environmental Design (CPTED Levels 1 & 2), and (ISC)2 Certified in Cybersecurity.