73%
OT environments share Active Directory with IT
56
ICS-CERT advisories per month average
12×
Median PLC lifespan exceeds Windows support
31%
HMIs found running default credentials

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Most OT security programs start with sticker shock: a Claroty or Dragos deployment for a mid-sized manufacturer can run six to seven figures before professional services. For security leaders who own OT risk but don't own the OT budget, that means the first assessment has to happen with open-source tooling, careful network taps, and a deep respect for equipment that will crash if you breathe on it wrong with an Nmap scan.

This guide assumes you have IT security skills but limited ICS exposure. The goal is not to replace a purpose-built OT platform; it is to produce a defensible baseline assessment that maps assets, identifies the worst exposures, and gives leadership a credible roadmap. The methodology borrows from NIST SP 800-82 Rev 3 and ISA/IEC 62443 but trims them to what a two-person team can execute in 60 to 90 days.

Expect resistance from plant engineers. They have watched IT teams brick PLCs with credentialed vulnerability scans, and their trust budget with security is usually zero. The single most important deliverable from your first week is not a finding; it is a written assessment plan that the operations team signed off on.

Mapping the Purdue Model to Your Actual Network

The Purdue Enterprise Reference Architecture defines six logical levels: Level 0 (physical process, sensors), Level 1 (basic control, PLCs and RTUs), Level 2 (supervisory, HMIs and SCADA servers), Level 3 (site operations, historians and MES), Level 3.5 (the IDMZ), Level 4 (site business planning), and Level 5 (enterprise). Your assessment must produce a diagram that shows where each asset actually sits versus where Purdue says it should sit. In nearly every shop you will find Level 2 HMIs joined to the corporate Active Directory domain, historians at Level 3 dual-homed to corporate networks, and engineering workstations that have full internet access. Document each violation. The IDMZ at Level 3.5 is the critical control: it should terminate all sessions, with no protocol passing straight through. Look for firewall rules that allow OPC, RDP, or SMB from corporate to Level 2; those are your worst findings. Use ISA/IEC 62443-3-2 zones and conduits as the documentation framework. Each zone gets a Security Level Target (SL-T) from 1 to 4 based on threat actor capability. Most plants should target SL-T 2 for Level 2 zones and SL-T 3 for Level 1.

Passive Discovery That Won't Crash a PLC

Active scanning is the fastest way to lose your assessment privileges. A Siemens S7-300 from 2008 can fault on a TCP SYN scan with default timing; older Allen-Bradley ControlLogix units have been documented faulting on SNMP polls. Default to passive discovery. Request a SPAN or mirror port from the network team covering the uplinks between Level 2 and Level 3, plus any inter-cell links at Level 1 and 2. Run Zeek on a dedicated capture box with a 1 TB SSD and tune the protocols.log, conn.log, and dns.log outputs. Add the ICS protocol parsers: Zeek's modbus, dnp3, and bacnet analyzers ship in-tree, and the community ENIP and S7comm parsers are available on GitHub. Pair Zeek with Arkime for full-packet retention over a two-week window. For asset attribution, use GRASSMARLIN from the NSA (still maintained on GitHub) to render Layer 2 and Layer 3 topology from pcap. When you must actively probe, use Nmap with --scan-delay 1s, -T1 timing, --max-parallelism 1, and restrict to a known-safe host. Never run -sV against an L1 device. Never.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Cataloging the Vulnerabilities You Already Know About

OT vulnerability management is mostly about three classes of finding that you can identify without a single scan. First: HMI default credentials. Walk the plant floor with the engineering team and visually inspect each HMI login. Wonderware, FactoryTalk, WinCC, and iFIX all ship with documented defaults; the operators usually never changed them. Second: Windows embedded versions that are out of support. Windows XP Embedded, Windows 7 Embedded, and Windows Server 2008 are common on HMI and historian hosts because the control vendor never certified a newer version. Inventory the OS version of every Level 2 and Level 3 Windows host via WMI query from a jump host (with operations approval) or by reading the boot screens. Third: unauthenticated protocols. Modbus TCP, DNP3 without Secure Authentication, EtherNet/IP, and S7comm all transmit control commands in cleartext with no authentication. Anyone on the same broadcast domain can issue write commands. Document the protocol per zone. The remediation isn't to patch the protocol; it is to enforce zone boundaries so the attack surface shrinks.

Building a Compensating Control Framework

Most OT vulnerabilities cannot be patched on a normal cadence. A Windows 7 Embedded HMI cannot be upgraded without re-validation of the entire control application, which may require a plant shutdown costing six figures per day. Your compensating control framework needs five layers. First, network monitoring: deploy a Zeek sensor per zone and feed alerts into your SIEM with detections tuned for ICS protocol anomalies (unexpected Modbus function codes, DNP3 commands from unknown masters, new MAC addresses appearing on a control VLAN). Second, application allowlisting on fixed-function hosts: Microsoft AppLocker or WDAC works well on HMIs because the software inventory never changes. Build the allowlist from a known-good golden image, test in audit mode for two weeks, then enforce. Third, removable media controls: physically epoxy or disable USB ports on HMIs where possible; for the rest, use a kiosk-based scanning workflow before any USB enters the plant. Fourth, jump host enforcement: all remote access into Levels 1 to 3 goes through a dedicated jump host with session recording (Apache Guacamole or Teleport work). Fifth, backup and recovery testing: PLC program backups stored offline, restored quarterly to verify they actually work.

Using ICS-CERT Advisories to Prioritize

CISA publishes ICS advisories at a rate of roughly 50 to 60 per month. Subscribe to the ICS-CERT mailing list and build a workflow that filters advisories by your inventory. The advisories include CVE, CVSS, affected vendor, affected product line, and a remediation section that is often vague ("contact vendor"). What matters more than CVSS is the exploitation context: is the vulnerability remotely exploitable across a network, or does it require local access to the engineering workstation? A CVSS 9.8 that requires physical access to a PLC in a locked cabinet is lower priority than a CVSS 7.5 that allows unauthenticated Modbus writes across a network. Cross-reference each advisory against CISA's KEV catalog; ICS entries in KEV are rare but should drive emergency change windows. Track vendor PSIRT feeds directly for Siemens ProductCERT, Rockwell PSIRT, Schneider Electric CPCERT, and ABB advisories; these often publish ahead of CISA by days or weeks. Build a simple spreadsheet: advisory ID, affected asset, exploitability context, compensating control in place, planned remediation window.

Documenting Asset Inventory When You Cannot Scan

When vendors prohibit scanning under warranty (this is common with medical devices, building management systems, and some PLC platforms), inventory becomes a manual exercise built from four sources. First, configuration backups: the engineering workstation that programs the PLCs holds the project files. RSLogix, TIA Portal, Studio 5000, and Unity Pro project files contain the IP address, firmware version, and module list of every device in the system. Get a copy of every project file, store them offline, and parse them quarterly. Second, network captures: Zeek's known_hosts.log will surface every IP that talks, and protocol-specific logs reveal device identity via S7comm CPU identification or EtherNet/IP List Identity responses. Third, switch CAM tables and DHCP logs: pull these monthly and reconcile against your master inventory. Fourth, walkdowns: physical inspection of control cabinets with the plant electrician, photographing nameplates. Capture manufacturer, model number, firmware version (visible on most HMI status screens), and physical location. The inventory should live in a database you can query, not a spreadsheet that gets stale. CMDBuild and Ralph are free options that work for under 500 assets.

The bottom line

An OT assessment without a six-figure platform is achievable but requires patience and operational trust. The deliverables that matter are a defensible asset inventory, a Purdue-aligned network diagram showing every segmentation violation, a compensating control matrix tied to specific exposures, and a prioritization workflow keyed to CISA advisories rather than raw CVSS.

Start with passive monitoring and walkdowns; earn the right to do anything active by demonstrating you understand what will and won't break the plant. The platforms can come later when you have evidence of value and a clear gap that only commercial tooling can close.

Frequently asked questions

Can I use a normal vulnerability scanner like Nessus on OT networks?

Only with extreme care and explicit operations approval. Nessus has ICS-specific audit policies that throttle aggressively, but even those can fault older PLCs. The safer pattern is to scan only Windows-based HMIs and historians (Level 2 and 3) with credentialed scans during planned maintenance windows, and never scan Level 1 devices actively. Most assessments rely on passive discovery for Levels 0 to 1 and credentialed config audits for Levels 2 to 3.

What's the minimum Zeek hardware to monitor a plant network?

For a single 1 Gbps SPAN feed with full pcap retention, a server with 8 cores, 32 GB RAM, and a 2 TB NVMe SSD handles two weeks of capture for a moderate-traffic plant. If you only need Zeek logs (no full pcap), 4 cores and 16 GB is sufficient. Tap aggregation matters more than CPU; an Ixia or Garland network tap aggregator avoids the dropped packets that come from cheap SPAN port configurations on production switches.

How do I justify the cost of OT segmentation to leadership?

Translate it into business impact. A flat network where corporate ransomware can pivot to plant operations means a ransomware incident becomes a production outage. Quote the operations team's per-day shutdown cost (this number is usually well-known internally) and multiply by the likely recovery window for a plant-wide infection (5 to 14 days). The Colonial Pipeline, Norsk Hydro, and JBS incidents are well-documented case studies where IT-to-OT pivot turned a contained IT incident into a national event.

Should I prioritize Modbus or DNP3 hardening first?

Neither protocol can be hardened in place on legacy equipment. Prioritize the segmentation that prevents unauthorized devices from speaking the protocol at all. If you have newer DNP3 deployments, DNP3 Secure Authentication (DNP3-SA) is available and worth pursuing; Modbus has no real authentication option short of replacing the gear. Zone boundary enforcement and protocol-aware firewalls (Tofino, Belden, or even iptables with custom modules) are the practical controls.

How often should we re-run the OT assessment?

Full assessments every 24 months are typical for stable environments. Asset inventory reconciliation and ICS advisory triage should be continuous, with monthly reviews. After any major project (new line, control system upgrade, vendor remote access change), run a delta assessment focused on the changed scope. Penetration testing of OT environments should be done by specialists no more than every 3 years and only in non-production replica environments or during planned outages.

Sources & references

  1. CISA ICS Advisories
  2. NIST SP 800-82 Rev 3 Guide to OT Security
  3. ISA/IEC 62443 Series Overview
  4. Zeek Network Security Monitor

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.