Power utilities have spent the last decade digitizing substations, folding SCADA systems, industrial sensors, and a growing mix of distributed energy resources into a single operational network. That progress has a cost. Every new communication path into a substation is also a new way in for an attacker, and the protocols running the grid were never designed with security as a first principle. Below are the five gaps that show up most often in substation automation reviews, along with the design choices that are actually closing them in the field today.
1. Protocols That Were Never Built to Authenticate
IEC 104, MODBUS, and DNP3 remain the backbone of substation control traffic, moving commands between protection relays, circuit breakers, and voltage regulators. These protocols predate modern cybersecurity requirements and generally were not built with native encryption or device authentication in mind. In practice, that means anyone who can reach the wire can potentially observe or issue commands to substation equipment. Closing this gap does not mean rewriting the protocols. It means wrapping that traffic in encrypted tunnels and routing it through dedicated security gateways before it ever reaches an open network, and restricting communication at the firewall to the specific protocols the substation is supposed to run.
2. A Single Gateway as the Only Way In or Out
Many substation deployments still route all SCADA and IoT traffic through one gateway and one path to the central control site. That single device becomes the single point of failure: if it goes down, drops its link, or is compromised, the substation loses visibility and control at the same time. The more resilient pattern seen in current substation automation solutions pairs duplicate gateway units at the substation with two separate security gateways at the central SCADA site, so no single device failure takes down the connection.
3. Flat Networks Where Every Device Can Reach Every Other Device
A common finding in substation network reviews is a flat, unsegmented topology where any device on the network can, in principle, talk to any other device, including protection relays and breakers. Built-in firewalls that block traffic by IP and MAC address, and restrict communication to designated protocols such as IEC 104, MODBUS, or DNP3, close off most of this exposure without requiring a redesign of the underlying control system.
4. Distributed Energy Resources Bolted On Without a Security Plan
Wind farms, solar arrays, hydroelectric installations, and biomass generators are being added to the grid faster than security planning can keep pace in many utilities. These distributed energy resources rely on the same SCADA and industrial IoT sensors used elsewhere in the substation to monitor performance and stay synchronized with the grid, which means every new resource is also a new endpoint that needs to sit behind the same encryption and access controls as the rest of the network, not a separate, informally managed add-on.
5. Backup Cellular Links That Bypass the Main Security Perimeter
LTE and private 5G are increasingly used as backup links when the fixed optical network fails, and as primary links for new or remote substations that fiber has not reached yet. If those cellular links are treated as an afterthought, they can end up bypassing the encryption and access controls applied to the main fiber path. The more defensible approach configures each ruggedized IoT security gateway with two IPsec tunnels, one over the fixed operational WAN and one over the cellular link, terminating on separate security gateways so both paths carry the same level of protection.
Closing the Gaps: What a Resilient Design Looks Like
Taken together, the fixes for these five gaps point toward the same underlying design pattern: redundancy and containment, applied consistently rather than as one-off patches.
- Duplicate gateway units at the substation, paired with two security gateways at the central site, so no single device is a point of failure.
- Two IPsec tunnels per site, one over fixed infrastructure and one over cellular, terminating on separate gateways.
- Built-in firewalls and 802.1x support to restrict access to authorized devices and designated protocols only.
- Edge computing containers that host anomaly detection for operational technology traffic, flagging unusual patterns before they become incidents.
- Centralized, standards-compliant management with zero-touch provisioning, so new sites inherit the same security posture automatically.

Why This Matters Now
None of this is theoretical. As power grids become more interconnected and more dependent on digital communication, the attack surface grows with every new sensor, relay, and distributed energy resource added to the network. The utilities managing this transition well are the ones treating utility communication network design as a security exercise from the start, not something layered on after a deployment is already in the ground. SCADA is not going anywhere, and neither are the protocols it depends on. What is changing is the discipline around how that traffic is tunneled, segmented, and monitored, and that discipline is what separates a substation that can absorb a failed link or an attempted intrusion from one that cannot.
For network planners auditing an existing substation footprint, the fastest way to find these gaps is usually to ask three questions: is there more than one path in, is that traffic segmented by protocol, and is every new endpoint, including newly added distributed energy resources, subject to the same access controls as the equipment that was there on day one. Where the answer is no, that is where the next investment should go.