Hopefully you believe the answer to this question is no. If any person or device on the Internet can access any of your OT environments, you need to take immediate action.
Note: “any person or device on the Internet” doesn’t include an employee or partner with authorized and secured remote access or an approved secured connection.
Even if you believe the answer is no, you should perform a periodic test to verify that no OT is Internet accessible.
There are a few ways to go about this task:
- Use a service, such as Shodan, to search a database of your company’s public IP subnets for control system protocols.
Note: this may identify OT that you have not considered such as building management systems, power management, emissions monitoring, or a PLC maintenance network.
- Use a scanner or scanning service to do your own scan for ICS protocols across your company’s public IP subnets.
- In the United States, use the Government’s free service to periodically scan your public IP space, see cisa.gov/cyber-hygiene-services.
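As an added example (not part of the original page), a small Python check that takes the hits from your own scan of your public IP subnets and flags any host answering on a well-known ICS protocol port; it also drops hits that fall outside the subnets you own, so results from a shared scanning service are scoped correctly. The subnets, scan hits and port table are constructed samples, and the port list is illustrative, not complete.

```python
import ipaddress
from typing import Dict, List

# Well-known ICS/OT protocol ports. Illustrative subset, not exhaustive.
ICS_PORTS: Dict[int, str] = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Constructed sample: the company's public address space (TEST-NET ranges).
COMPANY_SUBNETS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed sample shaped like a scanner or Shodan export (ip, port, transport, banner).
SCAN_HITS = [
    {"ip": "203.0.113.17", "port": 502, "transport": "tcp", "banner": "Modbus unit id 1"},
    {"ip": "203.0.113.17", "port": 443, "transport": "tcp", "banner": "HTTPS login page"},
    {"ip": "198.51.100.9", "port": 47808, "transport": "udp", "banner": "BACnet device"},
    {"ip": "198.51.100.200", "port": 502, "transport": "tcp", "banner": "Modbus"},  # not our space
    {"ip": "203.0.113.40", "port": 22, "transport": "tcp", "banner": "SSH"},
]


def find_exposed_ot(hits: List[dict], subnets: List[str]) -> List[dict]:
    """Return scan hits that are (a) inside our subnets and (b) on an ICS protocol port."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    findings = []
    for h in hits:
        addr = ipaddress.ip_address(h["ip"])
        if not any(addr in n for n in nets):
            continue  # someone else's address; out of scope for this check
        proto = ICS_PORTS.get(h["port"])
        if proto is None:
            continue  # not a control-system protocol port; other review handles it
        findings.append({"ip": h["ip"], "port": h["port"], "protocol": proto, "banner": h["banner"]})
    # Sorted output doubles as the starting point for the "remove or secure" action list.
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))


if __name__ == "__main__":
    for f in find_exposed_ot(SCAN_HITS, COMPANY_SUBNETS):
        print(f"{f['ip']}:{f['port']}  {f['protocol']}  ({f['banner']})")
```

Swap in your own subnets and a real export from the scan you run, then treat each printed line as an item for the action list below.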
Also verify that there is no Internet access to OT through interview and inspection. The most common reason for a “shadow OT” Internet connection is a well-meaning employee, consultant, or third-party service provider installing Internet access so they can do work remotely. These shadow OT connections should go through the normal approval process and, if approved, be replaced with a secure remote connection.
Think about any projects that might require remote access from the Internet that don’t have approved secure remote access. Ask the team how they are accessing OT from the Internet.
If you find Internet-accessible OT cyber assets, removing or securing that access should be a prioritized action.
What method did you use to verify there is no unauthorized Internet access to OT?
List of unauthorized Internet access to OT and plan to remove or secure this access.
1.
2.
3.