OT Network Security Assessment
Operational technology networks carry the communications that control physical processes across manufacturing, energy, utilities, transportation, and building systems. GDF's certified analysts assess OT environments for cyber risks, network segmentation gaps, and compliance alignment with IEC 62443 and NIST SP 800-82, without disrupting production operations.
Understanding OT Network Risk
Operational technology networks have a fundamentally different risk profile than enterprise IT networks. Where IT security prioritizes confidentiality and integrity, OT security prioritizes availability and safety: a SCADA server that reboots unexpectedly, a PLC that misses a polling cycle, or a historian that loses connectivity can translate directly into production downtime, product quality failures, regulatory violations, or physical safety incidents. This priority inversion means that IT security tools and practices that are routine in enterprise environments can be actively harmful when applied to OT networks without modification.
The convergence of IT and OT networks has dramatically expanded the attack surface for industrial organizations. Modern manufacturing execution systems (MES), enterprise resource planning (ERP) integrations, cloud-based SCADA platforms, vendor remote access connections, and industrial Internet of Things (IIoT) deployments all create pathways between the corporate IT network and the OT environment. Each of these connections, if inadequately secured, becomes a potential lateral movement path: an adversary who initially compromises a corporate workstation or a phishing victim can follow it to the industrial systems that operate the facility.
Specific OT network risk factors that GDF regularly identifies in assessments include:
- Flat or inadequately segmented OT networks where a single compromised device has unrestricted lateral movement across the control environment
- IT/OT boundary controls that exist on paper but are not enforced technically: firewall rules that allow broad traffic from IT to OT, unmonitored data tunnels established by operational staff for convenience, and IT management tools with agents installed on OT servers
- Uncontrolled vendor remote access: shared credentials, always-on VPN connections, and remote access tools that bypass the primary firewall
- Legacy devices running end-of-life operating systems that cannot be patched and that communicate using cleartext, unauthenticated industrial protocols
- Wireless access points deployed in operational areas without adequate authentication or segmentation, including cellular modems on PLCs for direct remote access
- Lack of OT-specific monitoring: enterprise SIEM tools rarely ingest industrial protocol traffic, creating visibility gaps where attacker activity in the OT environment generates no alerts in the SOC
- Inadequate backup and recovery capabilities for OT configurations: PLC programs, HMI configurations, and historian databases that are not backed up in recoverable form, leaving a single point of failure for recovery from a ransomware or destructive attack
GDF's OT Network Assessment Process
GDF's OT network assessment follows a structured process designed to produce accurate, complete findings while protecting the availability and safety of production operations throughout the engagement. The process begins with engagement scoping and pre-assessment preparation, which are more extensive in OT environments than in standard IT security assessments. GDF's analysts work with both OT engineering staff and IT security personnel to understand the production environment, identify systems that require additional care during testing, and agree on assessment windows for any active testing activities.
The architecture and documentation review is conducted before any technical testing begins. GDF reviews all available network diagrams, asset inventories, firewall rule sets, and remote access policies. This review frequently reveals configuration inconsistencies, undocumented connections, and security gaps that do not require active testing to identify. Analysts compare documented architecture against configuration backups from key network devices to identify where the actual network deviates from the documented design.
Passive network monitoring forms the core of GDF's OT assessment. Network taps or SPAN ports placed at key OT network locations let GDF analysts collect and analyze traffic without generating any probe packets. With specialized OT monitoring tools, including Dragos, Claroty, Nozomi Networks Guardian, and custom Zeek and Suricata rule sets for industrial protocols, the assessment team builds a complete picture of:
- All communicating devices and their roles: controllers, engineering workstations, historians, HMIs, and network infrastructure
- Communication patterns: which devices talk to which, using which protocols, at what frequency
- Protocol security: use of unauthenticated protocols (Modbus, legacy DNP3 without secure authentication), cleartext credentials, and insecure protocol configurations
- Boundary traffic: connections crossing from OT to IT, OT to internet, or between OT zones that should be isolated
- Anomalous activity: scanning traffic, unexpected connections, unusual command patterns, or communications from unauthorized sources
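The passive analysis described above, and the boundary-control gap named in the risk factors earlier on this page, can be illustrated with a small triage script over a Zeek conn.log excerpt. This is an added example and not GDF's tooling or code from any of the products named; the zone CIDRs, the conduit allow-list, the port-to-protocol table, the scan threshold and the log lines are all constructed for illustration and do not describe any real site. Given flow records from a SPAN port, it infers controller and poller roles, lists sessions on unauthenticated industrial protocols, flags connections that cross zones outside the documented conduits, and flags a source whose repeated refused connections look like probing.

```python
"""Triage a Zeek conn.log excerpt from an OT SPAN port against a zone model.

Added example: zone CIDRs, conduit allow-list and log lines are constructed
for illustration and are not taken from any real environment.
"""
import ipaddress
from collections import defaultdict

# Constructed zone map in the spirit of IEC 62443 zones (assumption, not a real site).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "ot_control": ipaddress.ip_network("192.168.20.0/24"),
}

# Conduits the documented architecture permits: (originating zone, responding zone).
ALLOWED_CONDUITS = {
    ("idmz", "ot_supervisory"),
    ("ot_supervisory", "ot_control"),
    ("ot_supervisory", "ot_supervisory"),
    ("ot_control", "ot_control"),
}

# Well-known ports of industrial protocols that carry no authentication by default.
UNAUTHENTICATED_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Zeek conn_state values meaning the responder refused or never answered.
FAILED_STATES = {"REJ", "S0", "RSTO", "RSTR"}
SCAN_THRESHOLD = 4  # distinct failed (host, port) targets before a source is flagged

# Constructed conn.log excerpt: an HMI polling two PLCs, a historian pull from the
# DMZ, and a corporate laptop reaching straight into the control zone.
CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.1\t192.168.10.5\t50001\t192.168.20.11\t502\ttcp\tSF
1700000000.2\t192.168.10.5\t50002\t192.168.20.12\t502\ttcp\tSF
1700000001.0\t10.20.0.7\t44000\t192.168.10.9\t1433\ttcp\tSF
1700000002.0\t10.10.4.23\t51000\t192.168.20.11\t502\ttcp\tSF
1700000002.1\t10.10.4.23\t51001\t192.168.20.11\t3389\ttcp\tREJ
1700000002.2\t10.10.4.23\t51002\t192.168.20.11\t445\ttcp\tREJ
1700000002.3\t10.10.4.23\t51003\t192.168.20.12\t3389\ttcp\tS0
1700000002.4\t10.10.4.23\t51004\t192.168.20.12\t445\ttcp\tREJ
1700000002.5\t10.10.4.23\t51005\t192.168.20.13\t22\ttcp\tREJ
"""


def parse_conn_log(text):
    """Parse Zeek's tab-separated conn.log into dicts keyed by the #fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def zone_of(ip):
    """Return the zone name whose CIDR contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def analyze(records):
    """Derive roles, unauthenticated-protocol use, conduit violations and probing."""
    unauthenticated, violations = set(), []
    failed_targets, roles = defaultdict(set), defaultdict(set)
    for r in records:
        orig, resp, port = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        if port in UNAUTHENTICATED_PORTS:
            unauthenticated.add((orig, resp, UNAUTHENTICATED_PORTS[port]))
            roles[resp].add("controller")   # answers on an industrial port
            roles[orig].add("poller")       # HMI, historian or engineering host
        oz, rz = zone_of(orig), zone_of(resp)
        if (oz, rz) not in ALLOWED_CONDUITS:
            violations.append((orig, oz, resp, rz, port))
        if r["conn_state"] in FAILED_STATES:
            failed_targets[orig].add((resp, port))
    scanners = {h: len(t) for h, t in failed_targets.items() if len(t) >= SCAN_THRESHOLD}
    return {
        "unauthenticated": sorted(unauthenticated),
        "boundary_violations": violations,
        "scanners": scanners,
        "roles": {h: sorted(v) for h, v in roles.items()},
    }


if __name__ == "__main__":
    report = analyze(parse_conn_log(CONN_LOG))
    for key, value in report.items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

On the constructed excerpt the HMI's Modbus polling is expected traffic and is listed only as unauthenticated-protocol use, while every session from the corporate laptop is a conduit violation (enterprise_it to ot_control is not in the allow-list) and its run of refused connections is reported as probing. In a real engagement the zone map comes from the documented architecture, which is exactly what makes deviations in observed traffic visible.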
The active assessment phase addresses the IT/OT boundary controls, engineering workstations, SCADA servers, and network infrastructure using techniques calibrated for OT environments. Active scanning of PLCs and RTUs is avoided unless specifically requested and approved by operations staff, as even lightweight scanning can disrupt some legacy devices. Instead, GDF assesses controller security through protocol analysis, configuration review, and vendor documentation.
The assessment concludes with a technical findings briefing to operations and security staff, followed by delivery of the written assessment report. The report presents findings in risk-prioritized order, with separate sections for immediate actions, short-term improvements, and strategic architecture recommendations. For organizations subject to IEC 62443, NERC CIP, or NIST SP 800-82, the report includes a compliance mapping section that cross-references each finding to applicable standard requirements.
OT Assessment Deliverables
GDF's OT network assessment produces a set of deliverables tailored to the different audiences who need to act on the findings. The technical findings report is the primary deliverable, presenting every identified vulnerability and security gap with full technical detail: affected asset, risk description, supporting evidence, CVSS score adapted for OT context, and remediation guidance. The report is structured to be usable by OT engineering staff, IT security personnel, and operations management, with technical depth available in appendices and executive summaries at the front of each section.
The network architecture findings section documents the current-state network architecture as observed during the assessment, identifying deviations from the documented design and presenting a gap analysis against the zone-and-conduit architecture model recommended by IEC 62443. This section is particularly valuable for organizations planning OT network redesigns or preparing for compliance audits, as it establishes an accurate baseline from which improvement projects can be scoped and tracked.
The compliance mapping appendix cross-references assessment findings to applicable regulatory and standards frameworks. For electric utilities, this means NERC CIP reliability standards. For manufacturers seeking IEC 62443 certification or ISO/IEC 27001 scope extension to OT, GDF's mapping identifies which findings must be resolved to satisfy specific control requirements. For organizations following NIST SP 800-82 or the NIST Cybersecurity Framework, GDF maps findings to relevant function, category, and subcategory identifiers. This mapping allows compliance teams to demonstrate assessment coverage to auditors and to track remediation progress against specific control obligations.
For organizations that have experienced OT security incidents, GDF provides post-incident forensic analysis deliverables alongside or in place of standard assessment outputs. These include a forensic timeline of the incident as reconstructed from available logs and artifacts, an attacker methodology characterization, an affected asset inventory, and a technical expert declaration suitable for submission to regulators, insurers, or courts. Where connected IoT devices are involved in an incident, our IoT security assessment team handles device-level evidence collection. GDF's analysts have supported OT incident forensic analysis across the energy, water, manufacturing, and chemical sectors, working under attorney-client privilege arrangements where litigation or regulatory enforcement is anticipated.
GDF serves OT environments nationwide and internationally, with availability for both scheduled assessments and urgent incident response. Our analysts hold relevant certifications including GIAC Global Industrial Cyber Security Professional (GICSP) and maintain current knowledge of ICS-specific threat intelligence through sector-specific information sharing organizations. Contact us at 1-800-868-8189 to discuss your OT assessment needs.
Last updated: April 14, 2026
IEC 62443 Alignment
GDF's OT assessments map findings to IEC 62443 zone and conduit architecture requirements, supporting compliance documentation and security level verification for industrial operators.
Passive-First Methodology
Network monitoring via SPAN ports and taps allows GDF to identify OT network risks without generating probe traffic that could affect PLCs, RTUs, or other sensitive control devices.
IT/OT Convergence Risk
GDF specifically identifies unauthorized and inadequately controlled connections between corporate IT networks and OT environments, a primary attack vector in industrial incidents.
Incident Response Support
When OT security incidents occur, GDF provides forensic analysis and court-admissible documentation for regulatory submissions, insurance claims, and litigation support.
Operational Technology Demands Operational Security Expertise
GDF's OT network assessment team understands industrial environments from the floor up. Our assessments protect operations while delivering the security findings your organization, its regulators, and its insurers need.