BLOG

Author
Denrich Sananda

Date
29-04-2026

OT Cybersecurity

How Threat Actors Target Energy Transmission Control Centers - And How to Stop Them

Transmission control centers are the nerve centers of the electric grid. They house the Energy Management Systems that grid operators use to monitor generation output, manage transmission flows, balance load across the interconnection, and coordinate responses to equipment failures and disturbances. A loss of control center visibility does not just affect the utility that operates it - it affects every utility, generator, and large industrial customer on the interconnected grid.

This makes transmission control centers the highest-value target in the electric sector. Threat actors who achieve persistent access to a control center EMS have real-time visibility into grid operations, the ability to observe operator responses to disturbances, and in some scenarios the ability to influence control actions. Nation-state actors who have pre-positioned in control center environments have effectively achieved what military planners call intelligence preparation of the battlefield for grid operations.

This post explains exactly how threat actors target transmission control centers - the specific techniques they use to gain access, move through control center environments, and maintain persistence without detection. For each technique, it identifies the specific detection and response controls that stop them.

 

ELECTRUM - the threat group Dragos associates with the December 2016 CRASHOVERRIDE attack on the Ukrainian grid - has been observed conducting reconnaissance against North American and European transmission control centers since 2022

ELECTRUM is assessed by Dragos with high confidence to have nation-state sponsorship and has demonstrated both the capability and intent to cause physical grid impacts through control system compromise. The December 2015 attack on Ukrainian distribution utilities, attributed to the Sandworm group with which ELECTRUM overlaps, cut power to roughly 230,000 customers; the December 2016 CRASHOVERRIDE attack took a Kyiv transmission substation offline and demonstrated a repeatable, protocol-aware methodology that has been refined in subsequent operations.

Source: Dragos 2025 OT/ICS Cybersecurity Year in Review

 

1. The Transmission Control Center Attack Surface

Transmission control centers concentrate the highest-impact OT assets in the electric sector in a single location. Understanding what an adversary finds when they reach a control center environment is the starting point for understanding how to defend it.

 

System: Energy Management System (EMS)
Function: Real-time grid monitoring and control - load flow analysis, contingency analysis, automatic generation control
Why adversaries target it: Direct visibility into grid operations; control capabilities that could be used to trigger instability

System: SCADA master station
Function: Supervisory control of transmission substations and remote terminal units
Why adversaries target it: Commands to field devices - breaker open/close, setpoint changes - and a path to changing relay settings remotely

System: Wide-area monitoring system (WAMS)
Function: Synchrophasor data from PMUs across the interconnection
Why adversaries target it: Intelligence on grid stability and stress conditions; insight into the timing of switching and planned operations

System: Backup control center
Function: Standby facility providing continuity if the primary control center is unavailable
Why adversaries target it: Often lower security maturity than the primary; compromise provides a fallback if the primary is hardened or cleaned up

System: Operator workstations
Function: HMI providing the operator interface to EMS and SCADA
Why adversaries target it: Entry point for malware deployment; session hijacking for control actions

System: Engineering workstations
Function: Configuration and maintenance access to EMS and SCADA platforms
Why adversaries target it: Highest-privilege access in the control center environment; configuration tooling for RTUs, protective relays, and PLCs

System: ICCP links
Function: Inter-utility data exchange for neighboring grid operations
Why adversaries target it: Cross-utility data access; potential pivot to neighboring utility environments

 

2. Initial Access: How Threat Actors Enter Control Center Environments

2.1 Spear-Phishing Targeting Control Center Staff

Transmission control center staff - operators, EMS engineers, and system planners - receive targeted spear-phishing emails that are specifically crafted to appear credible to someone in their role. Emails referencing NERC CIP compliance deadlines, grid reliability assessments, or equipment vendor communications are consistently used because they match the professional concerns of control center personnel.

The objective of the initial phish is typically credential harvesting or installation of a remote access tool on a workstation that can reach the OT network. Control center staff frequently work from workstations that reach both the corporate IT network and, directly or through approved remote access paths, the control center OT environment - which makes a successful phish against a control center employee far more valuable than one against a corporate IT user.

2.2 Remote Access Exploitation

Control centers require remote access for engineering maintenance, vendor support, and off-site operator access during emergencies. The remote access infrastructure for a transmission control center - VPNs, jump servers, and vendor portal connections - is the second most common initial access vector after phishing. Credentials harvested from control center staff are tested against remote access systems. Unpatched vulnerabilities in VPN concentrators and remote desktop gateways are actively exploited against utility environments.

2.3 Supply Chain Compromise via EMS Platform Updates

Energy Management Systems are commercial software platforms maintained by a small number of specialized vendors. The concentration of the EMS vendor market means that a supply chain compromise targeting a major EMS vendor would create simultaneous access to the control center environments of multiple utilities. Nation-state actors targeting the electric sector have specifically researched the software supply chains of major EMS and SCADA platform vendors as a scalable access vector.

 

3. Post-Access Techniques: How Threat Actors Move Through Control Center Environments

3.1 Living-Off-the-Land Techniques in OT Environments

The most sophisticated threat actors targeting control centers - particularly nation-state groups like VOLTZITE and ELECTRUM - use living-off-the-land techniques that rely on legitimate system tools and administrative processes rather than custom malware. In a control center OT environment, this means using the EMS platform's own administrative interfaces, legitimate remote access tools already present in the environment, and standard Windows administrative utilities to move laterally and maintain access.

This approach makes detection extremely difficult for signature-based security tools. An adversary using PsExec to move between control center workstations, or using the EMS vendor's own engineering interface to enumerate system configurations, generates activity that is indistinguishable from legitimate administrative operations unless there is a behavioral baseline against which the activity can be compared.

3.2 Credential Harvesting and Privilege Escalation

Once inside the control center network, adversaries systematically harvest credentials from memory, credential stores, and configuration files. Control center environments frequently have service accounts with broad privileges that were configured for operational convenience and never reviewed. EMS platforms often store database credentials in configuration files that are accessible to any user with file system access. Active Directory service accounts used for EMS data collection may have domain-wide privileges that provide lateral movement capability across the entire control center environment.

3.3 ICCP Link Traversal to Neighboring Utilities

Inter-Control Center Communications Protocol (ICCP) links connect neighboring utilities for operational data exchange. A threat actor with access to one utility's EMS environment can potentially traverse ICCP links to access neighboring utility systems - depending on the access controls on the ICCP connection at each end. This cross-utility pivot capability is what makes control center compromise a systemic grid security risk rather than an isolated utility incident.

 

Living-Off-the-Land in OT

The detection failure that allows nation-state actors to maintain persistent access in control center environments for months is not a technology gap - it is a visibility gap. If the security team does not have a behavioral baseline for what normal administrative activity looks like in the EMS environment, they cannot distinguish a legitimate administrator from an adversary using the same tools. OT network monitoring that baselines communication patterns and user behavior in the control center environment is the primary technical control that addresses this gap.
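The baseline-versus-current comparison described above, as an added example in Python; this is not code from Dragos or from any EMS vendor. The event records stand in for telemetry a SIEM or OT monitoring platform already normalizes (Windows logon 4624, service install 7045, scheduled task 4698, and network flows from passive monitoring), and every hostname, user, IP and the approved-source list are constructed for illustration. It learns which host pairs normally talk, when each administrative account normally logs on, and which services and tasks exist, then flags the living-off-the-land pattern from the text: an admin logon at 02:12, a new SMB connection from the EMS application server to an engineering workstation, a PsExec service install on the target, a new scheduled task, and a remote logon from a source that is not on the approved list.

```python
"""Behavioral-baseline detection over constructed control center telemetry.

Added example for this post; it is not code from Dragos or from any EMS vendor.
Records stand in for events a SIEM or OT monitoring platform already normalizes:
Windows logons (4624), service installs (7045), scheduled task creation (4698)
and network flows from passive monitoring. Every host, user and IP is made up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" window: what the EMS segment normally looks like.
BASELINE_EVENTS = [
    {"ts": "2026-04-20T08:05:00", "type": "flow", "src": "ems-app-01", "dst": "ems-db-01", "port": 1521},
    {"ts": "2026-04-20T08:06:00", "type": "flow", "src": "ems-app-01", "dst": "scada-fep-01", "port": 2404},
    {"ts": "2026-04-20T08:10:00", "type": "flow", "src": "ops-hmi-03", "dst": "ems-app-01", "port": 443},
    {"ts": "2026-04-20T09:30:00", "type": "logon", "user": "ems-admin", "src": "10.20.1.15", "dst": "ems-app-01", "logon_type": 10},
    {"ts": "2026-04-21T14:15:00", "type": "logon", "user": "ems-admin", "src": "10.20.1.15", "dst": "ems-db-01", "logon_type": 10},
    {"ts": "2026-04-22T10:00:00", "type": "service_installed", "dst": "ems-app-01", "service": "EmsHistorianAgent"},
]

# Constructed current window with living-off-the-land style activity mixed into normal traffic.
CURRENT_EVENTS = [
    {"ts": "2026-04-28T02:12:00", "type": "logon", "user": "ems-admin", "src": "10.20.1.15", "dst": "ems-app-01", "logon_type": 10},
    {"ts": "2026-04-28T02:14:00", "type": "flow", "src": "ems-app-01", "dst": "eng-ws-02", "port": 445},
    {"ts": "2026-04-28T02:15:00", "type": "service_installed", "dst": "eng-ws-02", "service": "PSEXESVC"},
    {"ts": "2026-04-28T02:20:00", "type": "task_created", "dst": "eng-ws-02", "user": "ems-admin", "task": "\\EmsSync"},
    {"ts": "2026-04-28T03:00:00", "type": "logon", "user": "vendor-svc", "src": "203.0.113.44", "dst": "jump-01", "logon_type": 10},
    {"ts": "2026-04-28T08:05:00", "type": "flow", "src": "ems-app-01", "dst": "ems-db-01", "port": 1521},
]

# Assumed approved-source list for interactive remote access (a real one lives on the CIP-005 intermediate system).
APPROVED_REMOTE_SOURCES = {"10.20.1.15", "10.20.1.16", "198.51.100.7"}


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(events):
    """Learn which host pairs talk, when each admin normally logs on, and which services/tasks exist."""
    baseline = {"flows": set(), "logon_hours": defaultdict(set), "services": set(), "tasks": set()}
    for e in events:
        if e["type"] == "flow":
            baseline["flows"].add((e["src"], e["dst"], e["port"]))
        elif e["type"] == "logon":
            baseline["logon_hours"][e["user"]].add(hour_of(e["ts"]))
        elif e["type"] == "service_installed":
            baseline["services"].add(e["service"])
        elif e["type"] == "task_created":
            baseline["tasks"].add(e["task"])
    return baseline


def detect(events, baseline, approved_sources):
    """Return (rule, detail) alerts for activity that deviates from the learned baseline."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "flow":
            pair = (e["src"], e["dst"], e["port"])
            if pair not in baseline["flows"]:
                alerts.append(("new_service_connection", f"{e['src']} -> {e['dst']}:{e['port']}"))
        elif kind == "logon":
            # Logon type 10 is RemoteInteractive (RDP); the source must be on the approved list.
            if e["logon_type"] == 10 and e["src"] not in approved_sources:
                alerts.append(("remote_logon_unapproved_source", f"{e['user']} from {e['src']} to {e['dst']}"))
            seen_hours = baseline["logon_hours"].get(e["user"])
            hour = hour_of(e["ts"])
            # Tolerate one hour of drift around the observed hours so the rule is not brittle.
            if seen_hours and not any(abs(hour - h) <= 1 for h in seen_hours):
                alerts.append(("off_hours_logon", f"{e['user']} on {e['dst']} at {e['ts']}"))
        elif kind == "service_installed" and e["service"] not in baseline["services"]:
            # PsExec installs a service named PSEXESVC on the target; any unknown service is still worth a look.
            rule = "psexec_service_install" if e["service"].upper().startswith("PSEXESVC") else "new_service_installed"
            alerts.append((rule, f"{e['service']} on {e['dst']}"))
        elif kind == "task_created" and e["task"] not in baseline["tasks"]:
            alerts.append(("new_scheduled_task", f"{e['task']} on {e['dst']} by {e['user']}"))
    return alerts


def run_example():
    return detect(CURRENT_EVENTS, build_baseline(BASELINE_EVENTS), APPROVED_REMOTE_SOURCES)


if __name__ == "__main__":
    for rule, detail in run_example():
        print(f"{rule:32s} {detail}")
```

None of these rules needs a signature: every alert is a deviation from what the environment itself did during the baseline window, which is exactly what an adversary using PsExec or the vendor's own tools cannot avoid generating. The last flow in the current window (the EMS application server talking to its database on the usual port) produces nothing, which is the point of baselining rather than alerting on every administrative action.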

 

4. Persistence Mechanisms in Control Center Environments

4.1 Scheduled Tasks and Service Account Abuse

Threat actors maintain persistence in control center environments by creating scheduled tasks that execute implants or reconnection tools at regular intervals, and by compromising service accounts that have persistent access to EMS and SCADA systems. Service account credentials, once compromised, provide reliable persistent access that survives workstation reimaging because the account exists in Active Directory rather than on any specific endpoint.

4.2 Firmware and Configuration Implants

The most sophisticated control center attacks include implants at the firmware or configuration level of network infrastructure - routers, switches, and remote access devices within the control center environment. Firmware-level implants survive complete system reinstallation and are extremely difficult to detect without firmware integrity verification processes that most utilities do not currently have in place.

4.3 Backup Control Center as a Persistence Fallback

Utilities with backup control centers that have lower security maturity than the primary facility provide adversaries with a persistence fallback. If the adversary's access to the primary control center is detected and eradicated, pre-positioned access to the backup control center may survive the eradication effort. Security controls at backup control centers must match those at the primary facility - not be treated as lower-priority because normal operations do not run from them.

 

5. Detection and Response Controls for Control Center Threats

 

Threat technique: Spear-phishing initial access
Detection control: Email security with OT-context-aware phishing detection; anomaly detection for new processes executing on OT-connected workstations
Response action: Isolate the affected workstation; reset credentials for compromised accounts; review OT network access logs for lateral movement

Threat technique: Remote access exploitation
Detection control: MFA enforcement; session recording; anomaly detection for off-hours remote sessions; source IP monitoring against the approved access list
Response action: Terminate the session; revoke credentials; review the session recording for actions taken; assess scope of access

Threat technique: Living-off-the-land lateral movement
Detection control: OT network behavioral monitoring; user and entity behavior analytics for EMS administrative accounts; anomaly detection for new service-to-service connections
Response action: Isolate affected systems; preserve forensic evidence; engage incident response for a full scope assessment

Threat technique: Credential harvesting
Detection control: Privileged account monitoring; detection of LSASS memory access; monitoring for access to EMS configuration files containing credentials
Response action: Force credential rotation for all potentially exposed accounts; review privileged access logs; assess Active Directory for unauthorized account changes

Threat technique: ICCP link traversal
Detection control: Monitoring of ICCP connection authentication and data volume anomalies; alerting on new data requests from ICCP-connected peers
Response action: Notify the affected neighboring utility; suspend the ICCP connection pending investigation; engage E-ISAC for cross-utility coordination

Threat technique: Persistence via scheduled tasks
Detection control: Endpoint monitoring for new scheduled task creation; integrity monitoring for EMS startup scripts and configuration files
Response action: Remove unauthorized scheduled tasks; audit service accounts for unauthorized changes; verify EMS configuration integrity against the documented baseline
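The two file-level checks that recur above - integrity monitoring of EMS startup scripts and configuration files against a documented baseline (section 4.1 and the persistence row) and finding configuration files that hold credentials in the clear (section 3.2 and the credential harvesting row) - as one added example in Python. It is not code from any EMS vendor or from Dragos; the directory layout, file names, file contents and the credential-key regex are constructed for illustration, and a real deployment would take the baseline from the documented CIP-010 configuration rather than from a first pass over the live system.

```python
"""Configuration-baseline drift and credential-exposure checks for an EMS host.

Added example for this post, not code from any EMS vendor or from Dragos. The
directory layout, file names and contents are constructed; a real install
differs, and the baseline would come from the documented CIP-010 configuration.
"""
import hashlib
import os
import re
import stat
import tempfile

# Keys that, when followed by a literal value, indicate a stored credential (assumed list).
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*(\S+)")


def _rel(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")


def snapshot(root):
    """Relative path -> SHA-256 of every file under root: the baseline record."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[_rel(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Files added, removed and modified relative to the documented baseline."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return added, removed, modified


def find_exposed_credentials(root):
    """(path, key, world_readable) for every literal credential found in a file under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for match in CRED_RE.finditer(text):
                # References into a vault or environment (${...}, %...%, <...>) are not literals.
                if match.group(2).startswith(("${", "%", "<")):
                    continue
                world_readable = bool(os.stat(full).st_mode & stat.S_IROTH)
                findings.append((_rel(full, root), match.group(1).lower(), world_readable))
    return findings


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build a constructed EMS install, baseline it, simulate persistence, and report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "conf/ems_db.ini", "[oracle]\nuser=emsapp\npassword=Summer2019!\nhost=ems-db-01\n")
        _write(root, "conf/historian.ini", "[historian]\nuser=hist\npassword=${VAULT:historian}\n")
        _write(root, "bin/ems_startup.cmd", "@echo off\nstart EmsCore.exe\n")
        baseline = snapshot(root)

        # Constructed persistence: the startup script is altered to launch a dropped script.
        _write(root, "bin/ems_startup.cmd", "@echo off\nstart EmsCore.exe\nstart powershell -File bin\\sync.ps1\n")
        _write(root, "bin/sync.ps1", "# constructed stand-in for a reconnect tool; intentionally empty\n")

        added, removed, modified = diff_baseline(baseline, snapshot(root))
        exposed = sorted((path, key) for path, key, _ in find_exposed_credentials(root))
        return {"added": added, "removed": removed, "modified": modified, "exposed": exposed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value))
```

The drift check reports the altered startup script and the dropped file but stays silent on the unchanged files, which is what a 35-day CIP-010 comparison should produce; run it from a separate, read-only host against the baseline record so an adversary with file system access on the EMS server cannot rewrite the record along with the files. The credential scan skips vault and environment references, so the historian file with `${VAULT:historian}` is not flagged while the database file with a literal password is; the world-readable flag tells you whether "any user with file system access" in section 3.2 literally applies.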

 

6. NERC CIP Requirements Specific to Control Center Security

Control centers that perform transmission operator or balancing authority functions are generally classified as high impact BES Cyber Systems under CIP-002, which brings the fullest set of NERC CIP requirements. The standards with the most direct relevance to control center threat defense are:

  • CIP-005 Electronic Security Perimeters: All external routable connectivity into the control center EMS and SCADA environment must be documented, controlled, and monitored. Every vendor remote access connection, ICCP link, and data exchange interface must cross the ESP only through a defined Electronic Access Point with documented access permissions, and Interactive Remote Access must go through an Intermediate System with encryption and multi-factor authentication, with a method to identify and terminate active vendor sessions.
  • CIP-007 System Security Management: Ports and services must be limited to those operationally required. Patch sources must be evaluated for new security patches at least every 35 calendar days, and each applicable patch must then, within a further 35 calendar days, either be applied or be covered by a dated mitigation plan. Malicious code prevention and security event logging are mandatory.
  • CIP-008 Incident Reporting: A Reportable Cyber Security Incident must be reported to E-ISAC and CISA within one hour of being determined as such, and an attempt to compromise by the end of the next calendar day. Control centers with an active nation-state intrusion should engage E-ISAC immediately - the E-ISAC has specific programs for providing technical assistance to utilities facing sophisticated threat actors.
  • CIP-010 Configuration Management: Documented baseline configurations for all BES Cyber Systems must be maintained, and high impact systems must be monitored for changes to that baseline at least every 35 calendar days. Unauthorized configuration changes - the primary persistence mechanism for sophisticated threat actors - should be detected through this process.

 

Bottom Line

Transmission control centers face the most capable threat actors in the OT security landscape. The nation-state groups targeting these facilities have demonstrated the capability to cause physical grid impacts and are actively pre-positioning in control center environments today. The controls that detect and stop these threats are not exotic - they are OT network behavioral monitoring, privileged access management, credential hygiene, and the NERC CIP compliance baseline. The gap is not the availability of these controls. It is their consistent implementation in an operational environment where grid reliability has historically taken precedence over security investment.

 

Frequently Asked Questions

What is the difference between ELECTRUM and VOLTZITE as threats to transmission control centers?

ELECTRUM and VOLTZITE are distinct threat groups tracked by Dragos with different sponsorship assessments and different operational objectives. ELECTRUM - assessed with overlap to the Russian state-sponsored group Sandworm - has demonstrated both the capability and willingness to cause physical grid impacts, as evidenced by the 2016 and 2022 Ukraine grid attacks. Their targeting of North American and European control centers is assessed as preparation for potential disruptive operations. VOLTZITE - assessed with overlap to the Chinese state-sponsored group Volt Typhoon - has focused on persistent access and intelligence collection rather than immediate disruption, conducting extended reconnaissance operations against US electric, water, and energy infrastructure. Both represent serious threats to transmission control centers but with different likely use cases: VOLTZITE for espionage and pre-positioning, ELECTRUM for potential operational disruption.

How do we detect if a nation-state actor is already present in our control center environment?

The most effective detection approach for nation-state pre-positioning in control center environments is OT network behavioral monitoring combined with threat hunting. Passive OT monitoring that has established baselines for normal EMS and SCADA communication patterns can identify the subtle anomalies associated with pre-positioning: administrative account access at unusual times, systematic enumeration of network topology from internal systems, new connections between systems that do not normally communicate, and low-volume data exfiltration that matches documented configuration and process data. Threat hunting - proactively searching for indicators associated with known threat group techniques - is a complementary approach that leverages threat intelligence specific to groups targeting control centers. Utilities that have deployed OT monitoring and have not conducted a threat hunt against nation-state indicators of compromise should consider doing so.

Are backup control centers subject to the same NERC CIP requirements as primary control centers?

Yes. Backup control centers that are classified as BES cyber systems - which includes backup control centers that can perform the real-time monitoring and control functions of a primary control center - are subject to the same NERC CIP requirements as the primary facility at the same impact level. This is a common area of non-compliance: organizations that have invested heavily in primary control center security sometimes treat backup facilities as lower priority and allow security controls to lag behind the primary. From both a compliance and a security perspective, backup control center security must be equivalent to the primary - particularly because sophisticated threat actors specifically look for backup facilities as persistence fallback positions.

What should we do if we receive a CISA alert about a threat actor targeting our sector?

CISA alerts and joint advisories about nation-state activity targeting the energy sector should be treated as actionable intelligence, not informational notices. The immediate actions are: review the indicators of compromise provided in the alert against your OT network monitoring logs and endpoint telemetry; assess whether the TTPs described in the alert match any anomalies that were observed but not investigated in your environment; confirm that the defensive measures recommended in the alert are in place; and notify your E-ISAC member contact that you have reviewed the alert and report any potential matches to the described activity. CISA and E-ISAC operate 24/7 assistance programs for utilities facing active intrusions or suspected pre-positioning - do not attempt to investigate a potential nation-state intrusion without engaging these resources.