Industrial Security

Engineering workstations and HMIs: the OT control point that carries the most risk

Engineering workstations and HMI servers combine high privileges, legacy software, and direct access to PLC and SCADA systems. If they are not hardened, the rest of the OT security stack loses force.

Roger
Tags: OT, HMI, engineering workstation, PLC, IEC 62443, SCADA


In many plants, OT security discussions revolve around segmentation or remote access. But one asset often decides how far an attacker can go: the engineering workstation. This is where teams load PLC logic, change parameters, and supervise operations.

Why they are such valuable targets

An engineering workstation is not just a maintenance PC. It usually holds vendor programming suites, privileged credentials, access to several network segments, and direct connectivity to PLCs, RTUs, or safety controllers. It also often has email, a web browser, or remote support tools installed. That is too much power in one machine.

Stuxnet exposed that problem more than a decade ago. It did not reach centrifuges straight from the internet. It spread through Windows engineering stations and altered Siemens PLC logic from there. Triton, in 2017, hit the same weak point by compromising the workstation used to interact with the safety instrumented system. If an attacker controls the machine used to program or supervise the process, they are already close to the physical process.

How they get compromised in real environments

The path is usually much less dramatic than people expect. An integrator plugs a laptop into the plant network to make an urgent change. An engineer uses a USB drive with a project copied from another site. An HMI server depends on an old Windows version that cannot be patched on the schedule expected by IT. It is also common to find workstations joined to the corporate domain, local accounts shared across shifts, and antivirus tuned to stay quiet.

That makes the engineering station a bridge. Ransomware that would only encrypt files in IT can end up affecting SCADA servers, historians, or project repositories. An attacker with stolen credentials can change parameters, interrupt communications, or load unauthorized logic. You do not need a nation-state operation to create a serious OT incident. A weak chain of decisions is often enough.

Controls that actually reduce the risk

This is where discipline matters.

  1. Real separation of functions: the engineering workstation should not be used for email, unrestricted browsing, or office work. If possible, it should not have direct internet access at all.
  2. Application control and USB restrictions: allowlisting, default USB blocking, and scanning on an intermediate station remove a large part of the entry surface.
  3. Named accounts and least privilege: no generic users like "engineering" or "maintenance". Every change should map to a specific person and, if a vendor is involved, to an approved time window.
  4. Useful backups and golden images: copying folders is not enough. You need to rebuild a compromised workstation quickly and verify that the PLC project matches the approved version.
  5. Access through a jump server: if a third party needs to connect, route it through an intermediate zone with MFA, session recording, and destination restrictions.
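Control 4 only works if "matches the approved version" is something you can actually check. The following script, added here as an illustration and not part of the original post or of any vendor suite, builds a SHA-256 manifest of a project directory, stores it as the approved baseline, and later reports modified, missing, and unexpected files. The project layout, file contents, and the list of volatile suffixes are constructed for the example; a real deployment would keep the signed manifest off the workstation and adapt the ignore list to the programming suite in use.

```python
"""Verify that a PLC/HMI project directory on an engineering workstation
matches the approved ("golden") release before a change window.

Added example, not vendor tooling. The manifest format (relative path ->
SHA-256) and the sample project files are constructed for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path

# Files that programming suites rewrite on every open (session logs, temp
# files) and that should not be part of the baseline. Assumed list for the
# example, not a vendor-specific one.
VOLATILE_SUFFIXES = {".log", ".tmp", ".bak"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large project archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every non-volatile file under root, keyed by POSIX relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() not in VOLATILE_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_against_manifest(root: Path, approved: dict) -> dict:
    """Compare the live project tree with the approved manifest.

    Returns files whose content changed, approved files that are gone, and
    files on disk that were never approved (for instance a project copied in
    from another site over USB), plus a single clean/not-clean verdict."""
    live = build_manifest(root)
    return {
        "modified": sorted(k for k in approved if k in live and live[k] != approved[k]),
        "missing": sorted(k for k in approved if k not in live),
        "unexpected": sorted(k for k in live if k not in approved),
        "clean": live == approved,
    }


def demo() -> dict:
    """Build a constructed project, approve it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Logic").mkdir()
        (root / "Logic" / "main.awl").write_text("NETWORK 1\n A I0.0\n = Q0.0\n")
        (root / "Logic" / "safety.awl").write_text("NETWORK 1\n A I1.0\n = Q1.0\n")
        (root / "session.log").write_text("opened 2024-01-01\n")  # volatile, ignored

        approved = build_manifest(root)
        # The manifest would normally be signed and stored off the workstation;
        # round-tripping through JSON stands in for that here.
        approved = json.loads(json.dumps(approved))

        # Simulate an unapproved edit and a file imported from another site.
        (root / "Logic" / "main.awl").write_text("NETWORK 1\n A I0.0\n = Q0.1\n")
        (root / "Logic" / "recipe_siteB.awl").write_text("NETWORK 1\n")
        (root / "session.log").write_text("opened 2024-01-02\n")  # still ignored

        return verify_against_manifest(root, approved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it before and after every change window; anything in `modified` or `unexpected` that is not covered by an approved change record is the gap between "we copied the folders" and "we can prove what is on the controller".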

What IEC 62443, NIS2, and NERC CIP expect

IEC 62443 does not treat these systems as a footnote. IEC 62443-3-3 and 62443-2-1 push for access control, hardening, account management, event logging, and segmentation through zones and conduits. The logic is simple: assets that can change the process deserve tighter control than systems that only consume information.

NIS2 pushes in the same direction from the regulatory side. It calls for risk management, access control, incident handling, and supply chain security. If your engineering station depends on integrator software, vendor remote access, and an unsupported operating system, the problem is no longer just technical. It is also a governance and compliance issue. NERC CIP has followed similar thinking for years in the power sector.

The test worth doing before the next change window

Before the next outage or logic change, ask a blunt question: if an engineering workstation were compromised today, could you detect the change, rebuild the system, and prove which PLCs or HMIs were touched?
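Answering "which PLCs or HMIs were touched, and by whom" is only possible if change actions are logged per named account and per target, which is what control 3 and the jump-server control buy you. The script below, an added example that is not part of the original post or any product, reads a constructed change log, lists the controllers that received logic or parameter changes with the accounts responsible, and flags two things the post calls out: changes made by shared accounts, and vendor changes outside the approved time window. The log format, account names, hostnames, and windows are all assumptions for the example; `parse_record()` is the part you would adapt to your suite's or jump server's real log format.

```python
"""Attribute process-changing actions on an engineering station to people
and targets, and flag the cases the post says should not exist.

Added example, not part of the original post or of any vendor product. The
log format (time;account;source host;target;action), the sample records,
the account lists and the approved windows are all constructed."""
from collections import defaultdict
from datetime import datetime, timezone

# Shared accounts that should not be performing changes (assumed list).
GENERIC_ACCOUNTS = {"engineering", "maintenance", "admin", "operator"}

# Actions that modify the process and must map to a named person
# (action names are constructed for the example).
CHANGE_ACTIONS = {"download_logic", "write_parameter", "force_io"}

# Constructed sample log: ISO-8601 UTC time, account, source host, target, action.
SAMPLE_LOG = """\
2024-03-12T08:02:11Z;j.doe;EWS-01;PLC-Line1;download_logic
2024-03-12T08:05:40Z;j.doe;EWS-01;PLC-Line1;write_parameter
2024-03-12T09:17:03Z;maintenance;EWS-02;PLC-Line2;download_logic
2024-03-12T09:20:55Z;vendor.acme;JUMP-01;SIS-01;download_logic
2024-03-12T13:41:09Z;a.smith;EWS-01;HMI-SRV-01;read_tags
2024-03-13T02:14:30Z;vendor.acme;JUMP-01;PLC-Line3;write_parameter
"""

# Approved vendor windows: account -> (start, end) in UTC (assumed values).
APPROVED_WINDOWS = {
    "vendor.acme": (
        datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc),
        datetime(2024, 3, 12, 12, 0, tzinfo=timezone.utc),
    )
}


def parse_record(line: str) -> dict:
    """Split one constructed log line into its fields; adapt to real formats."""
    ts, account, source, target, action = line.strip().split(";")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "account": account,
        "source": source,
        "target": target,
        "action": action,
    }


def audit(log_text: str, windows: dict, generic: set) -> dict:
    """Return touched controllers with their actors, plus findings that need
    follow-up: change actions by shared accounts, and vendor changes outside
    the approved time window. Read-only actions are not counted as touching."""
    touched = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] not in CHANGE_ACTIONS:
            continue
        touched[rec["target"]].add(rec["account"])
        when = rec["time"].isoformat()
        if rec["account"] in generic:
            findings.append(f"{rec['target']}: {rec['action']} by shared account "
                            f"'{rec['account']}' from {rec['source']} at {when}")
        if rec["account"] in windows:
            start, end = windows[rec["account"]]
            if not (start <= rec["time"] <= end):
                findings.append(f"{rec['target']}: {rec['action']} by {rec['account']} "
                                f"outside approved window at {when}")
    return {"touched": {k: sorted(v) for k, v in sorted(touched.items())},
            "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, APPROVED_WINDOWS, GENERIC_ACCOUNTS)
    for target, who in result["touched"].items():
        print(f"{target}: changed by {', '.join(who)}")
    for f in result["findings"]:
        print("FINDING:", f)
```

If the answer to the post's blunt question has to come from memory rather than from a report like this, that is the detection gap to close first.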

If the answer is shaky, you already know where your OT security bottleneck sits.


Do you want a technical review of your engineering workstation and HMI exposure? Contact us and we will look at it properly.
