Protecting Power & Cooling Systems from Cyber Threats: A Guide for Critical Infrastructure Operators
Network‑connected power and cooling systems—UPSs, BESS, PDUs, rectifiers, ATS/generators, CRAH/CRAC/HVAC controls, and building‑automation components—are now integral to uptime, energy efficiency, and safety across data centers, telecom sites, utilities, public safety radio, healthcare, and industrial facilities. But this connectivity also expands the OT (operational technology) attack surface. Recent advisories and standards underscore that internet‑exposed OT and poorly segmented vendor access continue to be exploited, sometimes with “elementary” techniques like default passwords and open ports.
In May 2025, the CISA/FBI/EPA/DOE joint alert urged critical‑infrastructure operators to immediately remove OT from the public internet, replace default credentials, and secure remote access with private connectivity and phishing‑resistant MFA, because attackers are routinely scanning for exposed devices and weak authentication. Over the last few years, threat actors have visibly targeted internet‑facing building controls and industrial equipment—including HVAC/BAS—to pivot deeper into organizations, proving that “physical” infrastructure is a cyber pathway.
Regulators are responding. In the North American power sector, NERC CIP‑015‑1 now mandates Internal Network Security Monitoring (INSM)—east‑west traffic visibility inside Electronic Security Perimeters—with enforcement timelines extending into 2028/2030, reflecting a shift from perimeter‑only defenses to continuous internal detection. In parallel, CIP‑003‑11 focuses on low‑impact facilities and coordinated attack risk, recognizing that many small OT assets—like distributed power and cooling nodes—can create system‑level impact in aggregate.
For operators, the message is clear: power & cooling systems are cyber‑physical systems. A compromise can shut down cooling, trip power, corrupt setpoints, or disable alarms—degrading uptime and safety. This guide synthesizes current guidance and standards into an actionable plan.
The Threat Landscape for Power & Cooling OT
- Internet‑exposed devices. Microsoft threat intelligence observed a rise in attacks against internet‑exposed OT, often leveraging default/weak passwords and outdated software. HVAC/BAS and energy management systems are frequent targets.
- Third‑party/vendor access. The 2013 Target breach—originating from an HVAC vendor credential—remains a canonical lesson on segmentation and least privilege; lateral movement from a low‑trust connection impacted critical systems.
- Insufficient internal visibility. The Ukraine grid attacks showed that standard IT controls aren’t enough; adversaries abused intended OT functionality while internal detection lagged—fueling today’s push for INSM.
- Baseline security gaps. CISA’s Cross‑Sector Cybersecurity Performance Goals (CPGs) continue to highlight persistent gaps across critical infrastructure, including asset inventory, segmentation, and OT governance. Version 2.0 (Dec 2025) prioritizes leadership accountability, third‑party risk, and zero‑trust adoption.
How to Protect Power & Cooling Systems from Cyber Threats (Step by Step)
1) Discover and inventory every connected power/cooling asset
Create a living inventory: UPS, BESS, PDUs, meters, ATS/gensets, CRAH/CRAC, chillers, VFDs, BAS controllers, gateways, and sensors. CISA’s CPGs list asset inventory as a high‑impact goal for both IT and OT—updated at least monthly.
2) Remove direct internet exposure and harden remote access
Per the CISA/FBI/EPA/DOE guidance: eliminate internet‑exposed OT services; if remote access is essential, require private connectivity + VPN with phishing‑resistant MFA, and immediately change all default credentials.
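As an added illustration of steps 1 and 2 (this is example code, not part of the original guide or any CISA tooling), the following Python audit walks a constructed asset inventory and flags the conditions the guidance calls out: records not verified within 30 days, management addresses outside the approved OT management networks, services seen from the internet during the monthly external validation, unchanged default credentials, cleartext or legacy management services, and remote access that is not both private and protected by phishing‑resistant MFA. The record layout, the approved management range, the port list and the three sample devices are assumptions made for this example.

```python
"""Added example (not from the original guide): a monthly audit over a
power/cooling asset inventory covering the checks in steps 1 and 2.
The record layout, the approved management networks and the sample
devices below are constructed for illustration."""
import ipaddress
from datetime import date

INVENTORY_MAX_AGE_DAYS = 30          # CPGs: inventory refreshed at least monthly
APPROVED_MGMT_NETWORKS = [ipaddress.ip_network("10.20.1.0/24")]   # assumed OT management VLAN
LEGACY_SERVICES = {23: "telnet", 80: "http", 161: "snmp v1/v2c", 502: "modbus/tcp", 47808: "bacnet/ip"}
PHISHING_RESISTANT_MFA = {"fido2", "webauthn", "piv"}

# Constructed sample records; external_scan_hits = ports observed from the
# internet during the monthly external validation (empty = not reachable).
SAMPLE_INVENTORY = [
    {"id": "ups-01", "type": "UPS", "mgmt_ip": "10.20.1.15", "last_verified": "2025-06-20",
     "default_creds_changed": True, "open_ports": [443], "external_scan_hits": [],
     "remote_access": {"path": "private", "mfa": "fido2"}},
    {"id": "crac-03", "type": "CRAC", "mgmt_ip": "203.0.113.44", "last_verified": "2025-06-01",
     "default_creds_changed": False, "open_ports": [80, 47808], "external_scan_hits": [80, 47808],
     "remote_access": None},
    {"id": "pdu-07", "type": "PDU", "mgmt_ip": "10.20.1.31", "last_verified": "2025-04-02",
     "default_creds_changed": True, "open_ports": [161, 443], "external_scan_hits": [],
     "remote_access": {"path": "internet", "mfa": "sms"}},
]

def audit_asset(asset, today):
    """Return a list of findings for one inventory record."""
    findings = []
    age = (today - date.fromisoformat(asset["last_verified"])).days
    if age > INVENTORY_MAX_AGE_DAYS:
        findings.append(f"inventory record stale ({age} days since last verification)")
    ip = ipaddress.ip_address(asset["mgmt_ip"])
    if not any(ip in net for net in APPROVED_MGMT_NETWORKS):
        findings.append(f"management address {ip} outside approved OT management networks")
    if asset["external_scan_hits"]:
        findings.append(f"reachable from the internet on ports {asset['external_scan_hits']}")
    if not asset["default_creds_changed"]:
        findings.append("default credentials still in place")
    for port in asset["open_ports"]:
        if port in LEGACY_SERVICES:
            findings.append(f"cleartext/legacy service {LEGACY_SERVICES[port]} on port {port}")
    ra = asset["remote_access"]
    if ra is not None:
        if ra["path"] != "private":
            findings.append("remote access not over private connectivity")
        if ra["mfa"] not in PHISHING_RESISTANT_MFA:
            findings.append(f"remote access MFA '{ra['mfa']}' is not phishing-resistant")
    return findings

def audit_inventory(inventory, today_iso):
    """Audit every record for the given audit date; returns {asset_id: [findings]}."""
    today = date.fromisoformat(today_iso)
    return {a["id"]: audit_asset(a, today) for a in inventory}

if __name__ == "__main__":
    for asset_id, findings in audit_inventory(SAMPLE_INVENTORY, "2025-07-01").items():
        print(asset_id, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

Run as a scheduled job against the exported inventory, the audit produces the monthly evidence the CPGs ask for: a clean UPS record, a CRAC that is both on an unexpected address and visible from the internet with default credentials, and a PDU whose record has gone stale and whose remote access relies on SMS codes over the public internet.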
3) Segment OT using zones & conduits; isolate vendor access
Implement defense‑in‑depth and zone‑and‑conduit design per IEC 62443, ensuring vendor/BMS maintenance paths cannot reach critical control planes for power or cooling. Enforce least privilege, separate jump hosts, and strong authentication.
4) Deploy Internal Network Security Monitoring (INSM) for east‑west traffic
Even in non‑electric sectors, emulate NERC CIP‑015‑1: baseline normal OT communications (Modbus, BACnet, DNP3, SNMP, proprietary protocols), detect anomalies, and retain and protect INSM data for investigations. Utilities subject to CIP‑015‑1 must meet staged deadlines, from the Sept 2, 2025 effective date through the Oct 1, 2028 enforcement milestones.
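To make the baseline‑then‑detect idea concrete, here is an added example (not code from the original guide or from any INSM product) of a minimal east‑west detector in Python. It learns the set of conversations and per‑host broadcast counts from a known‑good window, then flags three deviations in a later window: a conversation never seen before, a Modbus write from a host outside the conduit policy, and a BACnet discovery burst. It also covers the checklist item on alerting for unauthorized writes and unusual broadcast traffic. The flow‑record layout, host names, authorized‑writer set and the 3x broadcast threshold are assumptions made for this example.

```python
"""Added example (not from the original guide or any vendor product): a minimal
INSM detector. It learns a baseline of east-west OT conversations from a
known-good window, then flags new conversations, writes from hosts outside the
conduit policy, and broadcast bursts. Record layout, host names, the
authorized-writer set and the 3x threshold are constructed for this example."""
from collections import Counter

MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # function codes that change device state
AUTHORIZED_WRITERS = {"bms-server"}               # conduit policy: who may write to controllers
BROADCAST_MULTIPLIER = 3                          # alert above 3x a host's baseline broadcast count

def flow(src, dst, proto, func=None):
    """One decoded flow record as a passive sensor or tap would emit it."""
    return {"src": src, "dst": dst, "proto": proto, "func": func}

# Constructed known-good window used to learn the baseline.
BASELINE_FLOWS = (
    [flow("bms-server", "crac-01", "modbus", 3)] * 20          # periodic register reads
    + [flow("bms-server", "crac-01", "modbus", 6)]             # a scheduled setpoint write
    + [flow("bms-server", "ups-01", "snmp", "get")] * 10
    + [flow("bms-server", "broadcast", "bacnet", "who-is")] * 2
)

# Constructed later window containing three deviations.
LIVE_FLOWS = (
    [flow("bms-server", "crac-01", "modbus", 3)] * 20
    + [flow("eng-laptop", "crac-01", "modbus", 6)]             # write from a host outside the conduit
    + [flow("bms-server", "broadcast", "bacnet", "who-is")] * 7   # discovery burst
    + [flow("eng-laptop", "broadcast", "bacnet", "who-is")]       # new talker on the segment
)

def conversation_key(f):
    return (f["src"], f["dst"], f["proto"], f["func"])

def learn_baseline(flows):
    """Baseline = set of conversation tuples plus per-host broadcast counts."""
    return {
        "conversations": {conversation_key(f) for f in flows},
        "broadcasts": Counter(f["src"] for f in flows if f["dst"] == "broadcast"),
    }

def detect(baseline, flows):
    """Return (kind, detail) alerts for a window of flows checked against the baseline."""
    alerts = []
    broadcasts = Counter()
    for f in flows:
        if conversation_key(f) not in baseline["conversations"]:
            alerts.append(("new-conversation", f"{f['src']} -> {f['dst']} {f['proto']} func={f['func']}"))
        if f["proto"] == "modbus" and f["func"] in MODBUS_WRITE_FUNCTIONS and f["src"] not in AUTHORIZED_WRITERS:
            alerts.append(("unauthorized-write", f"{f['src']} wrote to {f['dst']} (function {f['func']})"))
        if f["dst"] == "broadcast":
            broadcasts[f["src"]] += 1
    for host, n in broadcasts.items():
        seen = baseline["broadcasts"].get(host, 0)
        if n > BROADCAST_MULTIPLIER * max(seen, 1):
            alerts.append(("broadcast-anomaly", f"{host} sent {n} broadcasts (baseline {seen})"))
    return alerts

if __name__ == "__main__":
    for kind, detail in detect(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(f"[{kind}] {detail}")
```

The conduit policy (AUTHORIZED_WRITERS) is deliberately separate from the learned baseline: a write that happens to appear during the learning window is still rejected if the source is not an approved writer, so a compromised host active during baselining cannot launder itself into "normal". For the retention requirement, both the raw flow records and the alerts should be shipped off the sensor to write‑once storage so they survive the compromise of the monitored segment.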
5) Apply secure by design & lifecycle management to OT devices
Adopt a secure development lifecycle, verify signed firmware, and maintain a documented patch/upgrade plan for UPS controllers, BMS gateways, and HVAC PLCs per IEC 62443 program requirements for asset owners and components.
6) Enforce configuration baselines and continuous vulnerability management
CISA’s CPGs emphasize mitigating known exploited vulnerabilities, logging, and configuration control; for OT, validate changes through maintenance windows and verify device state post‑patch.
7) Strengthen third‑party and supply chain controls
Require vendors to meet minimum security (MFA, encrypted protocols, timely patching, disclosure policies). The CPGs v2.0 expand third‑party risk goals; Target’s HVAC case remains the segmentation and vendor‑access cautionary tale.
8) Align incident response with OT realities
Blend IT/OT playbooks: define isolation steps for BMS/UPS networks, safe cooling fallback modes, and manual override procedures. INSM data retention requirements in CIP‑015‑1 inform investigations and recovery.
Best Practices Checklist (Power & Cooling OT)
- Zero‑Trust for OT: Authentication everywhere, role‑based access, time‑boxed vendor sessions, and secure jump hosts—per CISA “defense‑in‑depth/zero trust” guidance for power/cooling environments.
- No public endpoints: Validate externally reachable services monthly; take OT off the public internet.
- Strong credential hygiene: Unique, rotated passwords, phishing‑resistant MFA; eliminate shared accounts on BMS/UPS consoles.
- IEC 62443 alignment: Use zone‑and‑conduit segmentation, foundational requirements (FR1‑FR7), and CSMS to raise maturity.
- INSM/East‑West visibility: Passive network sensors or taps for BACnet/Modbus/SNMP; alert on unauthorized writes or unusual broadcast traffic.
- Change control for setpoints: Dual‑control approval for critical temperature/power setpoint changes; continuous configuration monitoring.
- OT/IT collaboration & training: CPGs call for named OT security leadership and improved IT‑OT relationships—make it a program metric.
- Tabletop exercises: Rehearse “cooling outage under attack” and “UPS firmware compromise” scenarios; ensure safe shutdown paths and communication trees.
- Vendor vetting & SBOMs: Assess secure development practices; request attestations/certifications where possible (e.g., 62443 component conformance).
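Step 6 (configuration baselines) and the "Change control for setpoints" checklist item both come down to two mechanisms: a gate that refuses a critical setpoint change unless two independent people approve it, and a comparison of a controller's current configuration against its approved baseline. The following Python block is an added example of both (not code from the original guide or any BMS vendor); the roles, the approver rule, the engineering limits and the CRAC configuration snapshots are constructed for illustration.

```python
"""Added example (not from the original guide): a dual-control gate for critical
setpoint changes and a baseline-drift check for controller configuration.
Roles, the approver rule (two distinct OT engineers, neither the requester),
the engineering limits and the snapshot format are constructed for this example."""
import hashlib
import json

# Setpoints under change control with their engineering limits (constructed values).
CRITICAL_SETPOINTS = {
    "crac-01/supply_air_temp_c": (16.0, 24.0),
    "ups-01/transfer_voltage_v": (200.0, 240.0),
}

# Constructed role directory; a real deployment would pull this from the IdP.
ROLES = {"alice": {"ot-engineer"}, "bob": {"ot-engineer"}, "carol": {"facilities"}, "vendor-x": {"vendor"}}

def approve_setpoint_change(requester, approvers, setpoint, new_value):
    """Return (ok, reason). Requires two distinct OT-engineer approvers other than
    the requester, and a value inside the engineering limits."""
    if setpoint not in CRITICAL_SETPOINTS:
        return False, "setpoint not under change control"
    lo, hi = CRITICAL_SETPOINTS[setpoint]
    if not lo <= new_value <= hi:
        return False, f"{new_value} outside engineering limits [{lo}, {hi}]"
    valid = {a for a in set(approvers) if a != requester and "ot-engineer" in ROLES.get(a, set())}
    if len(valid) < 2:
        return False, f"need two distinct OT-engineer approvers other than the requester, got {sorted(valid)}"
    return True, f"approved under dual control by {sorted(valid)}"

# Constructed configuration snapshots for one CRAC controller.
BASELINE_CONFIG = {"supply_air_temp_c": 20.0, "alarm_high_temp_c": 30.0,
                   "firmware": "4.2.1", "web_ui_https_only": True}
CURRENT_CONFIG = {"supply_air_temp_c": 27.0, "alarm_high_temp_c": 45.0,
                  "firmware": "4.2.1", "web_ui_https_only": True}

def config_fingerprint(config):
    """Stable SHA-256 of a snapshot; key order does not affect the hash."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def config_drift(baseline, current):
    """Report {key: (baseline_value, current_value)} for every value that differs."""
    keys = set(baseline) | set(current)
    return {k: (baseline.get(k), current.get(k)) for k in sorted(keys) if baseline.get(k) != current.get(k)}

if __name__ == "__main__":
    print(approve_setpoint_change("carol", ["alice"], "crac-01/supply_air_temp_c", 22.0))
    print(approve_setpoint_change("carol", ["alice", "bob"], "crac-01/supply_air_temp_c", 22.0))
    if config_fingerprint(BASELINE_CONFIG) != config_fingerprint(CURRENT_CONFIG):
        print("drift:", config_drift(BASELINE_CONFIG, CURRENT_CONFIG))
```

The fingerprint comparison is cheap enough to run on every polling cycle, with the full diff computed only when the hashes differ; in the constructed snapshot it exposes exactly the kind of change an attacker with controller access would make, a raised supply temperature together with a high‑temperature alarm threshold pushed out of the way. Post‑patch verification (step 6) is the same check run against a baseline captured after the approved upgrade.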
FAQ — Power & Cooling Cybersecurity for Critical Infrastructure
Q1: We aren’t a utility. Do electric sector rules matter to us?
Yes. While NERC CIP‑015‑1 applies to registered utilities, its INSM concept—monitoring internal OT traffic—reflects a broader shift that any operator of power/cooling OT should emulate to catch lateral movement and abnormal device behavior.
Q2: What’s the single biggest risk to reduce first?
Internet exposure of OT endpoints. CISA and partners explicitly warn that publicly reachable devices are rapidly discovered and exploited; remove exposure, change default credentials, and secure remote access with private links + MFA.
Q3: We use a building automation system (BAS) for cooling—how do we secure it?
Adopt IEC 62443 zone‑and‑conduit segmentation, implement role‑based access, patch controllers, and ensure encrypted protocols where supported. ASHRAE’s guidance emphasizes treating HVAC/BAS as prime cyber targets requiring built‑in security practices.
Q4: Why is “east‑west” monitoring necessary if we already have firewalls?
The Ukraine incidents showed adversaries can operate inside trusted zones using legitimate functions; INSM detects abnormal traffic among OT devices that perimeter tools won’t see.
Q5: How do we prioritize investment with limited resources?
Use CISA CPGs v2.0 to sequence high‑impact controls (asset inventory, segmentation, MFA, incident response) and demonstrate progress to leadership and auditors.
Conclusion
As critical environments modernize, power & cooling systems are no longer “just facilities”—they are connected control systems subject to the same threat landscape as any SCADA network. The path to resilience blends foundational cyber hygiene (no internet exposure, MFA, segmentation) with advanced practices (INSM, secure‑by‑design lifecycle, vendor discipline). Start with a complete asset inventory, remove public exposure, and build toward IEC 62443‑aligned segmentation and CIP‑style internal monitoring. The result is not just regulatory alignment—it’s a measurable reduction in cyber‑physical risk to uptime, safety, and the communities you serve.