Modern thermal power plants are increasingly integrating Operational Technology (OT) networks with higher-level analytics platforms such as OSI PI and cloud-based systems to support digital transformation initiatives. However, such integrations significantly increase cybersecurity exposure, particularly when legacy and unsupported network infrastructure is retained.
This paper presents a lifecycle-driven and cyber-aware modernization of an OT network backbone involving the replacement of legacy Cisco Catalyst 2960 Series switches with Cisco Catalyst 1300 Series and Catalyst 9200L switches. The upgrade was necessitated by End-of-Sale (EOS) and End-of-Support (EoS) declarations, coupled with the introduction of OSI PI data flow from DCS through Kepware servers to cloud platforms. In addition to the infrastructure upgrade, a SCADA-based network health monitoring system was developed to visualize the availability of the redundant networks (NET-A and NET-B), enabling early detection of network degradation or failure. All switch configuration, testing, and commissioning were performed in-house through self-learning, without reliance on external vendors. Enhanced network segmentation and security policies were implemented to mitigate cybersecurity risks while ensuring performance and scalability. The results demonstrate improved reliability, security posture, and internal capability development, providing a repeatable framework for OT network modernization.
Introduction
This paper describes a network modernization initiative in a thermal power plant's OT (Operational Technology) environment, aimed at improving reliability, cybersecurity, and operational sustainability. Traditionally isolated, the OT network has become increasingly interconnected due to the adoption of digital platforms such as OSI PI historians, Kepware OPC servers, and cloud analytics, significantly increasing cybersecurity exposure.
The existing OT backbone relied on Cisco Catalyst 2960 switches, which had reached End-of-Sale (EOS) and End-of-Support (EoS), creating operational, security, and business continuity risks, especially with active DCS-to-cloud data exchange. The root cause was the continued use of unsupported legacy infrastructure in an evolved OT–IT converged environment, compounded by inadequate lifecycle planning, weak cybersecurity controls, and heavy vendor dependence.
To address these issues, a structured modernization program was implemented, replacing legacy switches with Cisco Catalyst 1300 and 9200L series. The approach followed formal Management of Change (MOC) processes, cybersecurity risk assessments aligned with IEC 62443 and NIST SP 800-82, detailed network architecture reviews, and phased migration. All configurations, commissioning, and validation were performed internally, supported by quality control tools such as risk matrices, fishbone analysis, Pareto analysis, and checklists. Additionally, dedicated SCADA pages were developed to monitor real-time network health of NET-A and NET-B.
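As an added illustration (not code from the paper or the plant's SCADA system), the following Python shows how a network-health page could derive the NET-A/NET-B availability figures and the degradation-versus-failure alarms described above from per-switch reachability probes; the switch names, state codes and probe results are constructed assumptions.

```python
# Added example, not code from the paper: derives NET-A / NET-B health from
# per-switch reachability, as a SCADA network-health page might. Node names,
# state codes and the probe results are hypothetical, constructed data.
from dataclasses import dataclass
from enum import IntEnum


class NetHealth(IntEnum):
    # Integer codes so the state can be written straight to a SCADA tag.
    HEALTHY = 0   # reachable on both NET-A and NET-B
    DEGRADED = 1  # one path lost: still in service, redundancy gone
    FAILED = 2    # unreachable on both paths


@dataclass(frozen=True)
class SwitchProbe:
    node: str       # switch identifier (hypothetical naming)
    net_a_up: bool  # reachability via NET-A
    net_b_up: bool  # reachability via NET-B


def classify_node(p: SwitchProbe) -> NetHealth:
    if p.net_a_up and p.net_b_up:
        return NetHealth.HEALTHY
    if p.net_a_up or p.net_b_up:
        return NetHealth.DEGRADED
    return NetHealth.FAILED


def evaluate_network_health(probes: list[SwitchProbe]) -> dict:
    # Aggregate per-node results into availability, alarms and one state.
    total = max(len(probes), 1)
    avail = {
        "NET-A": round(100.0 * sum(p.net_a_up for p in probes) / total, 1),
        "NET-B": round(100.0 * sum(p.net_b_up for p in probes) / total, 1),
    }
    alarms = []
    for p in probes:
        state = classify_node(p)
        if state is NetHealth.DEGRADED:
            lost = "NET-A" if not p.net_a_up else "NET-B"
            alarms.append(f"{p.node}: redundancy lost ({lost} down)")
        elif state is NetHealth.FAILED:
            alarms.append(f"{p.node}: unreachable on NET-A and NET-B")
    # Worst node drives the operator indicator: one lost path is already DEGRADED.
    overall = max((classify_node(p) for p in probes), default=NetHealth.HEALTHY)
    return {"state": overall, "availability": avail, "alarms": alarms}


# Constructed sample: two healthy units, one with a lost path, one fully down.
SAMPLE_PROBES = [
    SwitchProbe("U1-DCS-SW1", True, True),
    SwitchProbe("U2-DCS-SW1", True, False),
    SwitchProbe("U3-DCS-SW1", True, True),
    SwitchProbe("U4-DCS-SW1", False, False),
]
```

The DEGRADED state is the early-warning signal: it fires while the plant is still served by the surviving path, before a second fault turns a lost redundancy into an outage.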
The implementation resulted in the successful replacement of approximately 60 switches across six units, with zero unplanned outages. Key outcomes included improved network performance, enhanced cybersecurity through segmentation and supported firmware, stable DCS–cloud data flow, real-time network visibility, reduced vendor dependency, and strengthened internal OT networking capability.
The project highlights key lessons: OT networks must evolve with digitalization, legacy hardware increases cyber risk, formal MOC is essential, and self-reliant execution builds sustainable capability. Overall, the upgrade delivered improved performance, security, scalability, and user experience, while avoiding significant business and operational risks associated with not modernizing the OT network.
Conclusion
This project demonstrates that secure and reliable OT network modernization is essential when integrating DCS systems with historians and cloud platforms. By replacing legacy, unsupported switches with modern, secure alternatives and executing the project entirely in-house, the organization significantly improved its cybersecurity posture, reliability, and scalability. The structured, MOC-driven and self-executed approach presented in this paper provides a practical and repeatable framework for industrial facilities undertaking OT network upgrades in the era of digital transformation. Additionally, the integration of SCADA-based network health monitoring for the redundant networks (NET-A and NET-B) enhanced operational visibility and accelerated fault detection. By providing intuitive graphical dashboards within the control room environment, operators gained real-time insight into network availability, further strengthening system resilience.
References
[1] Cisco Systems, End-of-Sale and End-of-Life Announcement for the Cisco IOS Software and DWP dot1x Licenses for Catalyst 2960 Series Switches (product lifecycle and security advisory documentation).
[2] IEC 62443, Industrial Automation and Control Systems Security.
[3] NIST SP 800-82, Guide to Industrial Control System Security.
[4] OSIsoft, PI System Architecture and Security Guidelines.