ICT Architecture in Offshore Substations: Designing for Redundancy, Resilience and Cyber Separation

Offshore substations are no longer purely electrical assets. They are data-driven operational platforms where protection systems, SCADA, condition monitoring, CCTV, access control and remote diagnostics depend on a resilient ICT backbone.

In many projects, ICT architecture is defined late — after electrical layouts freeze and vendor packages are partially locked. The result is a network that functions but lacks true redundancy, physical resilience or clear cyber separation between IT and OT domains.

Across offshore wind developments, these gaps have repeatedly surfaced as single-point failures during commissioning, reduced availability in operations, or heightened cyber exposure. Treating ICT as auxiliary rather than mission-critical infrastructure increases risk in a remote, high-consequence environment.

The Technical Nature of the Problem

Modern offshore substations support data-intensive functions:

• SCADA and protection relays (IEC 61850 GOOSE/SV)

• Redundant fibre backbones for control and monitoring

• PoE-powered field devices (CCTV, sensors, access readers)

• Cybersecurity segmentation (OT vs IT zones)

• Time synchronisation (PTP/NTP) across systems

Key architectural challenges include:

• Redundancy philosophy — ring vs star vs mesh topologies, diverse routing

• Physical resilience — cable routing to avoid single-point damage (e.g., fire, mechanical impact)

• Cyber separation — logical/physical isolation between enterprise IT (office, remote access) and operational technology (protection, SCADA)

• PoE load management — thermal and power budgeting in confined racks

• Network topology — top-of-rack switching, leaf-spine or hierarchical

Standards like IEC 62439 (redundancy), IEC 62443 (cybersecurity), and IEEE 802.3bt (PoE++) provide guidance, but implementation is often inconsistent across vendors.

Common pitfalls:

• Single fibre path for critical links

• Inadequate OT/IT segmentation allowing lateral movement

• Overloaded PoE switches causing device dropouts

• No diverse routing for A/B networks

These vulnerabilities manifest as loss of visibility, delayed alarms, or cyber entry points.

Where It Breaks Down in Practice

ICT architecture gaps emerge when packages converge without unified philosophy.

During FEED, high-level SCADA and telecomms requirements are noted, but topology and redundancy are deferred.

In detailed design:

• Protection vendors specify GOOSE networks

• Telecomms teams design fibre backbones

• ICT integrators add PoE and CCTV

Each complies locally, but overall resilience suffers.

Repeatedly observed issues include:

1. Single-path fibre routing for SCADA links

2. Blurred OT/IT boundaries in shared switches

3. Insufficient PoE budget leading to device instability

4. No physical diversity for redundant networks

A typical example from recent offshore substation projects involved a fibre backbone designed as a single ring for SCADA and protection data. Redundancy was assumed via protocol-level failover (e.g., PRP/HSR), but physical routing followed the same cable tray system without diverse paths. The design referenced IEC 62439 but did not enforce spatial separation.

During commissioning, a mechanical incident (tray damage during final fit-out) severed the ring, causing loss of multiple SCADA links and delayed protection signalling. Root cause required temporary bypass cabling and partial re-routing — adding 2–3 weeks to handover and significant engineering costs. Offshore occurrence would have risked extended downtime.

The gap stemmed from deferred physical redundancy planning before routing freeze; an earlier topology review with diverse path requirements would have mitigated it at low cost.

The Commercial and Programme Consequence

ICT failures rarely cause immediate shutdowns — substations have fallback modes. Yet they accumulate exposure through:

• Extended commissioning for redundancy verification

• Additional cabling or switch upgrades

• Vendor claims for scope creep

• Reduced operational reliability (e.g., delayed remote diagnostics)

• Heightened cyber risk surface leading to compliance rework

Intermittent dropouts or single failures erode confidence and divert resources.

The impact is programme delay, increased variation, and compromised long-term availability.

A Structured Prevention Approach

Resilient ICT requires treating it as critical infrastructure from early design.

Practical measures that consistently reduce risk:

1. Define Redundancy Philosophy Early Establish topology (e.g., dual rings with diverse routing) and protocol (PRP/HSR) at FEED. Document physical diversity requirements.

2. Enforce OT/IT Segmentation Design clear zones with firewalls, VLANs, and physical separation. Align with IEC 62443 levels.

3. Validate PoE and Thermal Loads Model power budgets and heat dissipation in racks. Specify industrial-grade PoE switches with margin.

4. Integrate Topology Reviews Conduct cross-discipline reviews of fibre routing and switching before layout freeze. Verify diversity and resilience.

5. Document and Test Maintain a traceable ICT architecture matrix (link ID → redundancy → cyber zone). Validate through simulations and FAT.

These steps focus on early coordination — shifting risk to design phases.

Engineering-Led Risk Reduction

In offshore substations, ICT is the nervous system enabling visibility, control and protection. Malfunctions rarely stem from device quality; they result from underestimated resilience and segmentation.

Early, structured architecture design — supported by redundancy philosophy, OT/IT separation, and physical diversity — eliminates most single-point failures. It ensures availability, limits cyber exposure, and protects operational schedules.

Offshore assets operate remotely in harsh conditions. Treating ICT as engineered critical infrastructure rather than auxiliary is a proportionate response to modern substation demands.

This article is part of Renova's Offshore Substation Auxiliary Systems Risk Series, that comprises:

• Preventing Costly LV and ICT Rework in Offshore Substations

• Cable Segregation in Offshore Substations: Where IEC 60533 Is Commonly Misapplied

• Designing LV Distribution for Offshore Substations: Avoiding Load Growth Risks

• Lightning Protection Zoning in Steel Offshore Substations

• Interface Risk: Why LV and ICT Fail Between Packages

• ICT Architecture in Offshore Substations: Designing for Redundancy, Resilience and Cyber Separation