East-West Traffic Blind Spots Leave Electric Grids Vulnerable to Lateral Attacks, Trend Micro Warns
Trend Micro Research warns that electric grid operators must monitor east-west traffic inside operational networks to detect lateral movement attacks that bypass traditional perimeter defenses.

Electric power infrastructure is becoming more connected than ever before. Organizations responsible for operating the Bulk Electric System (BES) are increasingly integrating operational technology (OT), industrial control systems (ICS), and enterprise IT environments to support automation, remote operations, and grid modernization. While this connectivity enables greater operational efficiency, it also introduces new cybersecurity risks. Attackers targeting critical infrastructure rarely stop at the initial breach. Instead, they move laterally across internal systems, quietly mapping networks, escalating privileges, and searching for high-value operational assets.
For security leaders responsible for protecting electric grid operations, the challenge is no longer just preventing attackers from entering the network. It is stopping them from moving once they are inside while supporting the organization’s broader regulatory and compliance obligations. This is why visibility into east-west traffic — the internal communications between systems inside the Electronic Security Perimeter (ESP) — has become essential for protecting modern electric grid environments. At the same time, regulatory developments such as NERC CIP-015 are reinforcing the need for stronger monitoring within operational networks supporting the Bulk Electric System.
Attackers increasingly take advantage of these interconnected IT and OT environments. Rather than launching immediate disruptive attacks, adversaries often pivot methodically through environments, identifying high-value systems before executing their objectives. Without strong internal monitoring, these movements can remain undetected. In electric power environments, a security breach can have consequences far beyond IT systems. Attackers who gain access to enterprise networks may attempt to move laterally toward operational systems that control generation or transmission infrastructure. Once inside OT environments, adversaries could disrupt operations, manipulate control systems, or impact the delivery of essential services.
Inside operational environments, systems constantly communicate with one another. These internal communications are known as east-west traffic. Examples include communications between industrial control systems, data exchanges between OT devices and monitoring platforms, interactions between operational systems and enterprise applications, and connections between vendor systems and infrastructure environments. While these communications are necessary for operations, they can also provide pathways for attackers. Once inside a network, adversaries frequently use east-west communication to move laterally between systems, identify high-value operational assets, escalate privileges, and access control systems.
Traditional security architectures often focus primarily on monitoring north-south traffic — data entering or leaving the network. As a result, suspicious activity occurring inside operational networks may remain difficult to detect. In addition, many traditional IT security tools only skim the surface in OT environments, identifying IP traffic but lacking the context needed to interpret industrial communications. Operational environments rely on specialized protocols such as DNP3, IEC 61850, OPC, and Modbus, along with numerous ports and service interactions between SCADA systems, engineering workstations, controllers, and monitoring platforms. Most of these protocols were designed without authentication, so a control command issued from the wrong host looks identical on the wire to a legitimate one; only context about which hosts are expected to talk to which, and in what role, exposes it. Improving visibility across these protocols, ports, and internal system interactions allows security teams to detect abnormal behavior earlier and stop threats before they reach critical operational systems.
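The kind of protocol-aware east-west check the paragraph describes can be illustrated with a small monitor over internal flow records. This is an added example and not code from the Trend Micro report: the host names, the asset inventory, the communication baseline, and the Modbus/TCP frames are all constructed for illustration. It flags three things a perimeter tool would not see: a device absent from the ESP inventory, a host pair outside the baseline, and a Modbus write request (a function code that changes coil or register state) from a host that is only supposed to read.

```python
"""Toy east-west monitor for an Electronic Security Perimeter (ESP).

Added example, not from the Trend Micro report. Flags lateral-movement
indicators in internal flow records: devices missing from the asset
inventory, host pairs outside the communication baseline, Modbus/TCP
write requests from read-only roles, and malformed Modbus frames.
Host names, baseline, and frames are constructed for illustration.
"""
import struct
from collections import Counter

# Constructed asset inventory and communication baseline for one ESP.
KNOWN_HOSTS = {"hmi-01", "ews-03", "scada-01", "scada-hist", "plc-07", "rtu-12"}
ALLOWED_PAIRS = {                      # (src, dst, dst_port)
    ("hmi-01", "plc-07", 502),         # operator HMI polls and controls the PLC
    ("scada-hist", "plc-07", 502),     # historian reads process values
    ("ews-03", "plc-07", 502),         # engineering workstation, maintenance
    ("scada-01", "rtu-12", 20000),     # DNP3 master to substation RTU
}
# Only these hosts are expected to issue Modbus writes to controllers.
WRITE_ROLES = {"hmi-01", "ews-03"}
# Modbus function codes that change controller state (coils / registers).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) for a Modbus/TCP ADU, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2,
    count of bytes following the length field), unit id (1); the PDU then
    starts with the function code (1).
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, fc


def analyze_flows(flows, known=KNOWN_HOSTS, allowed=ALLOWED_PAIRS,
                  write_roles=WRITE_ROLES):
    """Return a list of (alert_kind, src, dst, port, detail) for suspicious flows."""
    alerts = []
    for src, dst, port, payload in flows:
        if src not in known or dst not in known:
            alerts.append(("unknown-device", src, dst, port,
                           "host not in ESP asset inventory"))
        elif (src, dst, port) not in allowed:
            alerts.append(("unbaselined-pair", src, dst, port,
                           "communication path not in baseline"))
        # Protocol context: inspect Modbus/TCP regardless of the pair check,
        # because a baselined host can still misbehave.
        if port == 502 and payload is not None:
            parsed = parse_modbus_tcp(payload)
            if parsed is None:
                alerts.append(("malformed-modbus", src, dst, port,
                               "MBAP header inconsistent with frame length"))
            else:
                unit, fc = parsed
                if fc in MODBUS_WRITE_FCS and src not in write_roles:
                    alerts.append(("unexpected-write", src, dst, port,
                                   f"function code {fc} to unit {unit}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind."""
    return Counter(kind for kind, *_ in alerts)


# Constructed Modbus/TCP frames (hex): MBAP header followed by the PDU.
READ_HOLDING = bytes.fromhex("00020000000601030000000a")  # FC 3: read 10 regs from 0
WRITE_SINGLE = bytes.fromhex("000100000006010600100001")  # FC 6: reg 0x10 := 1
TRUNCATED = bytes.fromhex("0003000000090106")             # length field claims 9 bytes

# Constructed east-west flow records: (src, dst, dst_port, payload or None).
SAMPLE_FLOWS = [
    ("hmi-01", "plc-07", 502, READ_HOLDING),       # normal operator read
    ("scada-hist", "plc-07", 502, WRITE_SINGLE),   # historian should never write
    ("laptop-9f2a", "plc-07", 502, WRITE_SINGLE),  # unknown device writing to the PLC
    ("ews-03", "rtu-12", 20000, None),             # EWS reaching an RTU off-baseline
    ("hmi-01", "plc-07", 502, TRUNCATED),          # malformed frame from a trusted host
]

if __name__ == "__main__":
    found = analyze_flows(SAMPLE_FLOWS)
    for alert in found:
        print(*alert)
    print(dict(summarize(found)))
```

The first flow produces no alert: a known HMI reading registers from a baselined controller is exactly the traffic that must be allowed. The historian's write and the unknown laptop's write are caught only because the monitor decodes the function code rather than just matching on port 502, which is the context the paragraph says IP-level tools lack. In practice the baseline would be learned from a period of observed traffic and reviewed with the asset owners rather than typed in by hand.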
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are designed to strengthen cybersecurity for organizations responsible for operating and securing the Bulk Electric System (BES). As threats evolve, regulatory expectations are increasingly emphasizing the need for stronger monitoring and visibility within operational environments. Developments such as NERC CIP-015-1, Internal Network Security Monitoring, reinforce the need for stronger visibility into communications inside operational networks, recognizing that threats often move laterally after gaining initial access. For owners and operators of the BES, this includes the ability to monitor communications within Electronic Security Perimeters (ESPs), detect anomalous network behavior, identify unauthorized devices or connections, and investigate potential threats quickly.
Trend Micro's analysis underscores a critical gap in grid security: while perimeter defenses have improved, internal network visibility remains underinvested. As adversaries become more sophisticated in their lateral movement techniques, the ability to detect east-west traffic anomalies will be a key differentiator between a contained incident and a catastrophic operational disruption. The report serves as a call to action for CISOs, OT security leaders, and plant operators to prioritize internal monitoring as a core component of their cybersecurity strategy, especially as regulatory frameworks like NERC CIP-015 begin to mandate such capabilities.