performing-ot-network-security-assessment

Performing OT Network Security Assessment

When to Use

  • When conducting an initial security baseline of an OT/ICS environment for a new client
  • When evaluating the security posture of a facility after an IT/OT convergence initiative
  • When preparing for IEC 62443 or NERC CIP compliance audits
  • When assessing risk following a merger or acquisition involving industrial facilities
  • When investigating whether an OT network has been compromised or has unmonitored pathways to corporate IT

Do not use for IT-only network assessments without OT components, for application-layer vulnerability scanning of IT web applications (see performing-web-app-penetration-test), or for active exploitation of live OT systems without explicit authorization and safety controls in place.

Prerequisites

  • Written authorization from the asset owner and operations management for all assessment activities
  • Understanding of the Purdue Reference Model and IEC 62443 zone/conduit architecture
  • Passive network monitoring tools (Nozomi Guardian, Dragos Platform, or Wireshark with industrial protocol dissectors)
  • Access to network diagrams, firewall rule sets, and asset inventories (or the ability to perform passive discovery)
  • Safety briefing on the physical processes controlled by the OT systems under assessment

First Seen: Apr 13, 2026