Securing the Electric Power Sector through Wireless Threat Detection

Overview

Electric power utilities rely on complex Industrial Control Systems (ICS) across all areas of power generation, transmission, and distribution to maintain grid stability and reliability. These systems form the foundation of modern energy delivery, supporting seamless interconnectivity across Supervisory Control and Data Acquisition (SCADA) systems and enabling the resilience of the North American power grid with complex Energy Management Systems (EMS).  

In recent years, wireless technologies have appeared in utility operations, some of which are not authorized to be present. They now support a wide range of applications, including substation communications, remote telemetry, mobile field operations, and renewable energy generation. Yet every wireless signal, authorized or otherwise, introduces potential vulnerabilities that expand the risk surface of the Bulk Electric System (BES).

Traditional NERC Critical Infrastructure Protection (CIP) programs focus primarily on wired networks and IT assets. The radio frequency (RF) domain, however, often remains unmonitored and unmanaged. This gap creates an unresolved blind spot for operators responsible for protecting critical assets, particularly those classified as high-impact on the BES. 

Bastille delivers Wireless Threat Detection, providing utilities with continuous visibility across the 100 MHz to 7.125 GHz frequency range. By detecting, locating, and classifying all wireless activity, Bastille enables operators to reduce operational risk, strengthen compliance with NERC CIP standards, and improve situational awareness across the grid.

Industry Challenge: The Unseen Threat

For decades, electric utilities have relied on NERC CIP programs to secure their wired networks and IT infrastructure. These standards have helped define cyber perimeters, protect critical systems, and formalize compliance practices. Yet as grid operations increasingly encounter wireless technologies, a new layer of risk has emerged that traditional monitoring tools cannot see.

In some cases, wireless protocols such as IEEE 802.15.4 (Zigbee) have appeared in facilities and equipment, enabling facility operators to connect sensors, controllers, and mobile workforces, keeping operations efficient and responsive. This connectivity introduces convenience and flexibility, but it also expands the potential attack surface in ways that are invisible to most security systems.

A personal hotspot left active in a control room, a rogue access point in a substation, or an unapproved IIoT transmitter near sensitive equipment can all disrupt or compromise critical operations. These threats often go undetected because each site has its own distinct RF environment shaped by location, equipment, and activity. Signals overlap, devices move, and emissions change throughout the day, creating a dynamic and unpredictable spectrum that is difficult to manage without specialized visibility.

At the same time, NERC CIP standards continue to evolve, requiring utilities to identify, protect, and monitor all critical cyber assets, including those communicating wirelessly. For operators safeguarding the grid, the airwaves themselves have become part of the critical infrastructure domain.

Without the ability to detect and understand what’s happening across the RF spectrum, utilities face a growing challenge: securing their operations against threats they cannot see.

Bastille Wireless Threat Detection for Electric Utilities

Bastille provides a 100% passive platform for continuous Wireless Threat Detection. The system continuously monitors the RF environment across all critical assets, providing real-time visibility and actionable intelligence to reduce operational risk and support regulatory compliance.

Continuous RF Monitoring: Bastille continuously monitors the full wireless spectrum to detect signals from Wi-Fi, Bluetooth/BLE, cellular (LTE and 5G), and other wireless protocols. Operators gain real-time insight into all transmissions occurring within or near high-impact cyber assets.

Comprehensive Device Visibility: Bastille automatically identifies and classifies every wireless emitter, whether authorized, unauthorized, transient, or mobile, enabling seamless integration and enhanced security. Security and compliance teams can document and track all devices interacting with operational networks, achieving complete wireless situational awareness.

Threat Detection and Localization: When rogue, interfering, or suspicious devices appear, Bastille detects and pinpoints their precise physical location within a facility. Field and security teams can respond quickly to remove threats, maintain compliance, and reduce downtime.

Alignment with NERC CIP Standards

Bastille’s Wireless Threat Detection enhances compliance across multiple NERC CIP standards by providing continuous monitoring and documentation within the wireless domain.

CIP-005: Electronic Security Perimeters – Utilities must identify and document all external access points, including those using wireless communications. Bastille supports this function by continuously identifying and monitoring all wireless access points, hotspots, and transmitters operating near or within the Electronic Security Perimeter. This visibility helps prevent unauthorized external connectivity and maintains the integrity of defined perimeters.

CIP-007: System Security Management – Utilities are required to detect unauthorized access attempts and manage vulnerabilities. Bastille supports this requirement by detecting rogue wireless devices and anomalous RF transmissions that may serve as pathways for intrusion or compromise, enabling proactive mitigation.

CIP-010: Configuration Change Management and Vulnerability Assessments – Entities must detect unauthorized system changes or connections. Bastille’s continuous monitoring identifies new or unapproved wireless devices that appear in the environment, providing immediate visibility into deviations from established configurations.

CIP-011: Information Protection – Entities must safeguard BES Cyber System Information (BCSI) from unauthorized access or disclosure. Bastille aids compliance by detecting potential wireless exfiltration or interception devices that attackers could use to capture or transmit sensitive operational data.

CIP-014: Physical Security – Entities must detect potential intrusion attempts at critical substations and control facilities. Bastille’s ability to detect and locate unauthorized wireless transmitters supports this requirement by revealing covert surveillance or intrusion activity that may accompany physical compromise attempts.

By integrating Bastille’s Wireless Threat Detection into existing compliance frameworks, utilities can extend their protective posture beyond the network cable to achieve unified visibility across both wired and wireless domains.

Deployment Recommendations for Comprehensive Coverage

To achieve comprehensive wireless visibility across the electric power ecosystem, utilities should deploy Bastille sensors strategically at the following locations:

1. Energy Management Systems (EMS) and Control Centers: Deploy sensors throughout EMS data halls, operator floors, and network operations centers. Detect and locate unauthorized wireless devices that could bridge air-gapped systems or compromise network integrity. Supports CIP-005 (Electronic Security Perimeter) and CIP-010 (Configuration Management).
2. Data Centers (Primary and Backup): Place sensors within rack rows, aggregation zones, and near physical access points. Detect rogue hotspots, cellular modems, or Bluetooth devices that could compromise BCS networks. Supports CIP-011 (Information Protection) and CIP-014 (Physical Security).
3. Bulk Electric System (BES) High-Impact Sites: Deploy sensors at EMS locations and transmission substations classified as High Impact under CIP-002. Continuously monitor the wireless spectrum for unauthorized emissions within the Electronic and Physical Security Perimeters. Supports CIP-005, CIP-006, and CIP-014.
4. Generation Stations (Thermal, Hydro, and Nuclear): Position sensors near control rooms, plant networks, and maintenance areas. Detect wireless interference that could affect protective relays, PLCs, or safety instrumentation. Supports CIP-007 and CIP-010.
5. Renewable Generation and Solar Inverter Sites: Deploy sensors within inverter fields, control huts, and interconnect substations. Identify unapproved gateways, telemetry links, or remote access points used for maintenance or operations. Supports CIP-005 (Network Boundary Control) and CIP-013 (Supply Chain Risk Management).

Conclusion

Wireless technologies are likely to have an increased presence at modern utilities as the growing need to communicate, monitor, and control critical systems continuously overtakes the ability to deploy humans and wired devices. Yet they also introduce risks that can go unnoticed without dedicated visibility into the RF spectrum.

Bastille’s Wireless Threat Detection platform delivers continuous, passive monitoring across the 100 MHz to 7.125 GHz frequency range, detecting, locating, and classifying every wireless device operating near critical assets. By revealing the hidden layer of risk, Bastille helps utilities detect threats early, maintain compliance, and protect the reliability of the electrical grid.

In an era where wireless signals are indispensable to operations, Bastille empowers utilities to securely modernize, seeing and protecting the signals that matter most.