Retrofitting Legacy Control Systems to Tackle Evolving OT Cyber Threats

Hi everyone,

I’m new to the EngX community and looking forward to learning from you all. I’d like to start a conversation about something I think many of us face: updating legacy control systems in power plants and other critical infrastructure, especially when it comes to growing OT cyber threats.

A lot of these systems were designed decades ago, with reliability in mind but little thought given to cybersecurity. Today, they’re exposed to new risks that weren’t imagined back then. The challenge is finding a way to retrofit these systems efficiently, without tearing everything apart or causing long periods of downtime.

In the UK, where our energy and infrastructure systems are heavily relied upon, even a small disruption can create big problems. So how do we make these updates both secure and practical?

I’m particularly interested in hearing how others have approached efficient retrofitting: what worked, what didn’t, and how you balanced the iron triangle of cost, time, quality and scope. Are there certain strategies or tools that helped modernize your systems without overhauling them completely?

Would love to hear your thoughts and experiences.

Thanks,

Taimur | MIET 

  • Hi everyone,

    I’ve worked on retrofitting a power plant originally commissioned in 1991, which we upgraded in 2023 to include remote monitoring and control from a central control room. The project involved integrating two different vendor control systems, and I’d like to share some high-level lessons learned that may help others facing similar challenges:

    1. Early Stakeholder Engagement & Site Surveys
    Engaging stakeholders early, especially OT and cybersecurity teams, and conducting multiple site surveys proved invaluable. These steps helped us gain a technical understanding of the legacy systems and identify potential risks upfront. Setting expectations early with all parties helped streamline decisions.

    2. Structured Engineering Approach Using IEC 61508
    We followed a gated verification and validation model inspired by IEC 61508, even for OT systems. This included:

    -Getting architecture drawings and Functional Design Specifications (FDS) approved early.
    -Progressing through detailed design and testing stages in a structured manner.

    This approach helped manage risks and ensured clarity in networking and system integration.

    3. Safety Systems: Keep It Simple and Isolated
    For safety-critical systems, simplicity and isolation are key. We avoided complex or “smart” relays and emphasized regular proof testing to maintain reliability and reduce cybersecurity exposure.

    4. Pre-Outage Testing
    Conducting the majority of tests before the outage is always a success factor. This included:

    -Network compatibility testing.
    -Installing network interfaces outside the control system scope early.
    -Using virtual machines to simulate and validate connectivity.
    This allowed the customer to perform penetration testing well in advance, reducing surprises during commissioning.

    5. Contractor Engagement
    If third-party contractors are involved, include them in site surveys. This improves their understanding of the project scope and helps in obtaining more accurate and competitive quotes.

    Most of the key OT considerations have already been well covered in this thread, but I hope these additional insights help others planning similar upgrades. Happy to discuss further if anyone has questions.
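A worked version of the pre-outage connectivity validation described in item 4 above, added here as an example; it is not code from the post or from the project it describes. The idea is the same one the reply outlines: stand up stand-ins for the plant-side endpoints before the outage (the reply used virtual machines), then probe from the control-room side and confirm that every flow the approved architecture drawing permits actually works and that every flow it forbids is blocked, so segmentation gaps surface before commissioning and before the customer's penetration test. Zone names, the flow matrix and the local stub listener are constructed for the demo; a real run would point the probes at the staged VMs from the control-room network.

```python
"""Pre-outage connectivity validation against a design flow matrix.

Added example (not from the original post). All hosts, ports, zone names
and flow entries below are constructed for the demo.
"""
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str      # where the probe is run from (informational here)
    dst_host: str
    dst_port: int
    expected: str      # "allow" or "deny", per the approved architecture drawing


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt a TCP handshake. 'allow' if it completes, 'deny' otherwise.
    A refused or timed-out connection counts as blocked, which is the
    behaviour the segmentation design expects for forbidden flows."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "allow"
    except OSError:
        return "deny"


def validate_flows(flows, probe=probe_tcp):
    """Probe every flow and compare the observed result with the design.
    Returns (flow, observed, ok) tuples; ok is False where reality and the
    drawing disagree."""
    results = []
    for f in flows:
        observed = probe(f.dst_host, f.dst_port)
        results.append((f, observed, observed == f.expected))
    return results


def findings(results):
    """Only the mismatches: (name, expected, observed). A flow that the design
    says must be denied but which answers is a segmentation gap to close
    before the outage; an expected-allow flow that fails is a commissioning
    blocker."""
    return [(f.name, f.expected, observed) for f, observed, ok in results if not ok]


def start_stub_listener(host: str = "127.0.0.1"):
    """Stand-in for a staged VM endpoint: accept and close on an ephemeral
    port. Returns (server_socket, port). Constructed for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:      # server socket closed by run_demo
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """A port nothing listens on, standing in for a flow the firewall drops."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Constructed flow matrix: one permitted supervisory path, one forbidden
    corporate path that is correctly blocked, and one path to the safety
    system that the design isolates but which (simulated by the stub) still
    answers. Returns the findings list."""
    srv, staged_port = start_stub_listener()
    blocked_port = free_port()
    flows = [
        Flow("control_room -> dcs historian", "control_room", "127.0.0.1", staged_port, "allow"),
        Flow("corporate -> dcs engineering ws", "corporate", "127.0.0.1", blocked_port, "deny"),
        Flow("control_room -> safety system", "control_room", "127.0.0.1", staged_port, "deny"),
    ]
    try:
        return findings(validate_flows(flows))
    finally:
        srv.close()


if __name__ == "__main__":
    for name, expected, observed in run_demo():
        print(f"FINDING: {name}: design says {expected}, observed {observed}")
```

The matrix is the artefact to agree with the OT and cybersecurity stakeholders at the FDS stage; once it is signed off, the same script can be re-run after every network change and again during commissioning, so the pre-outage result and the post-outage result are directly comparable.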
