The Dragos Blog

01.18.23 | 4 min read

OT Cybersecurity Best Practices for SMBs: How to Remediate External OT Network Connections to the Internet

This is our monthly blog detailing best practices for OT cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. The Category and Practice from the “OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey” is noted for each SMB cybersecurity best practice. Hopefully, you filled out the survey and identified your gaps – these best practices can be implemented to begin to address those gaps. If not, there’s no time like the present – join OT-CERT and get started today!

Larger Organizations Take Note

If you have been improving your security posture and reducing the risk of a significant cyber attack across your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to make sure you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment, and strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers!

How Can I Tell if Devices in My OT Network Are Connected to the Internet?

The easiest way for cyber threats – both intruders and malware – to compromise your OT network is through industrial control systems (ICS) / OT assets exposed directly to the internet. Many organizations believe their OT environment is air-gapped from the Internet, but few really are. In fact, direct Internet connections from OT are a common finding when we do risk assessments, even in larger organizations. Internet connections, web browsing, and user email on OT hosts give adversaries a way to find and reach industrial systems.

The table below gives you a quick method for determining whether you are exposed. Do these steps as soon as possible so you are aware of, and can remediate, the easiest way for attackers to compromise your industrial systems.

The Dragos Academy module, OT-CERT Jump Start: Practical Guide to ICS/OT Internet Connectivity for Small and Medium Sized Businesses, provides a demonstration for Step 1 below. This module is available to all OT-CERT members.

Category: Network Segmentation
Best Practice: STEP 1: Determine if your devices are connected to the internet

Dragos OT-CERT Recommendation: Sit down at each Human-Machine Interface (HMI), Engineering Workstation (EWS), and other Microsoft Windows assets in your plant and perform the following steps:
  1. Open a command prompt on the asset.

  2. Now perform the first test to see if your asset is connected to the Internet. Run the command:

    ping 8.8.8.8

    8.8.8.8 is the IP address of Google’s public DNS service. The ping command sends ICMP echo requests to that address – if you get a successful reply, your host is connected to the Internet and you should proceed to #3 below. If not, move on to your next device and start back at #1 again. Keep in mind that a firewall can block ICMP while still allowing outbound TCP and UDP, so a failed ping is not proof of isolation; the netstat check in #3 is quick enough to run on every asset.

  3. Run the command: netstat -nao

    Hint: you can save the output to a file by modifying the command as follows:
    netstat -nao > filename.txt

    Netstat with these switches lists every TCP connection and its state, plus every listening TCP and UDP socket, in numeric form (-n) with the owning process ID (-o) in the last column. If the Foreign Address column shows any IP address that is not part of your internal network, the asset is connected to the Internet or another external network. The PID tells you which program holds the connection; look it up with tasklist /FI "PID eq <pid>".

  4. Review the netstat output and note all external IP addresses or IP addresses that were not expected. You can find out information about external IP addresses or URLs for free on websites such as:
    www.robtex.com
    ti.defender.microsoft.com
    www.greynoise.io

    Use these sources to identify who owns each external address. For example, is it Microsoft, or is it an address that gets a bad score on greynoise.io? Use this assessment to set the remediation priority.

    If either ping or netstat shows exposure to the Internet, proceed to Step 2, Remediation, below. Prioritize remediation as described above – begin with assets connected to “bad” IP addresses.
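The following PowerShell script is an added example, not part of the original post, that performs the Step 1 checks on one Windows HMI or EWS and flags every remote address outside the ranges you declare as internal. Assumptions that are not from the post: it runs in an elevated PowerShell 3.0 or later prompt (so it will not run on very old Windows XP/7 images without PowerShell 3); $InternalRanges holds placeholder CIDRs that you must replace with your own plant and enterprise ranges; $OutDir is an arbitrary output path; and the process name is looked up with Get-Process instead of tasklist.

```powershell
# Added example (not from the Dragos post): Step 1 on one Windows HMI/EWS.
# Assumptions: elevated PowerShell 3.0+; $InternalRanges are PLACEHOLDERS to
# replace with your own plant/enterprise CIDRs; $OutDir is an arbitrary path.

$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # EDIT to match your site
$OutDir = Join-Path $env:TEMP "otcert-$env:COMPUTERNAME"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Test #2 of Step 1. ICMP can be filtered while TCP/UDP is not, so a failed
# ping is recorded but does not stop the netstat check below.
$pingOk = Test-Connection -ComputerName 8.8.8.8 -Count 2 -Quiet -ErrorAction SilentlyContinue
"$env:COMPUTERNAME ping 8.8.8.8 replied: $pingOk" | Out-File (Join-Path $OutDir 'ping.txt')

# Test #3 of Step 1: keep the raw netstat output as evidence, as the post suggests.
$raw = netstat -nao
$raw | Out-File (Join-Path $OutDir 'netstat.txt')

function ConvertTo-IPv4Int([string]$ip) {
    # Dotted quad to an integer using Int64 arithmetic, which sidesteps
    # PowerShell's signed 32-bit shift behaviour.
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-InternalIPv4([string]$ip) {
    if ($ip -match '^(127\.|0\.0\.0\.0|169\.254\.)') { return $true }   # loopback, unspecified, link-local
    $ipInt = ConvertTo-IPv4Int $ip
    foreach ($cidr in $InternalRanges) {
        $net, $bits = $cidr -split '/'
        $mask = 4294967295 - ([int64][math]::Pow(2, 32 - [int]$bits) - 1)   # e.g. /8 -> 0xFF000000
        if (($ipInt -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)) { return $true }
    }
    return $false
}

$findings = foreach ($line in $raw) {
    # netstat -nao rows look like: Proto  Local  Foreign  [State]  PID   (UDP rows have no State)
    if ($line -notmatch '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') { continue }
    $proto, $local, $foreign, $state, $procId = $Matches[1], $Matches[2], $Matches[3], $Matches[4], [int]$Matches[5]
    if ($foreign -in @('*:*', '0.0.0.0:0', '[::]:0')) { continue }        # listeners with no peer yet
    if ($foreign -match '^\[(.+)\]:(\d+)$') {                              # IPv6 peer
        $rip = $Matches[1]
        $class = if ($rip -match '^(::1|fe80:)') { 'internal' } else { 'ipv6-review' }
    } else {
        $rip = ($foreign -split ':')[0]
        $class = if (Test-InternalIPv4 $rip) { 'internal' } else { 'EXTERNAL' }
    }
    if ($class -eq 'internal') { continue }
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue       # the -o PID column, resolved
    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Proto = $proto; Local = $local; Remote = $foreign
        RemoteIP = $rip; State = $state; PID = $procId
        Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
        Class = $class
    }
}

$findings | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'external.csv')
$findings | Format-Table -AutoSize
# Distinct peers to look up on robtex / Defender TI / GreyNoise before you prioritize
$findings | Select-Object -ExpandProperty RemoteIP -Unique
```

Run it on each HMI and EWS in turn and collect the per-host folders on one analyst workstation; the external.csv files together are the list you take into Step 2, and the raw netstat.txt is kept so anyone can re-check the classification by hand. Anything classed ipv6-review is an IPv6 peer the script does not try to judge; treat it as external until you have confirmed otherwise.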
Category: Network Segmentation
Best Practice: STEP 2: Remediation

  1. Restrict internet browsing and user-based email from the ICS/OT/SCADA environment.

  2. Limit all external connectivity to only those ports, services, addresses, and applications explicitly required for business purposes.

    — Conduct interviews with operations, maintenance, and management personnel to identify the external connectivity requirements and compare them against those observed connections.

    — Many organizations have firewalls installed that aren’t doing what they think they are. In fact, many use “any<->any” rules – even in large utilities and private companies. Others protect outside -> in but leave inside -> out as “allow all”.

    Work with your IT team or service provider to use both your network firewall (if you have one) and the Windows firewall on each host to limit connectivity to only what is explicitly required for business purposes, as discovered in your interviews above. Be extremely careful to avoid interrupting required connectivity for the control system or SCADA applications.
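The following PowerShell is an added example, not part of the original post, showing the Windows-firewall side of Step 2 on a single HMI or EWS: it first finds the inside -> out “allow all” rules the post warns about, then turns on logging so required traffic is seen before anything is blocked, then adds narrow allow rules, and only then switches the default to block. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated prompt. Every address, port, and program path is a placeholder standing in for what your Step 2 interviews and the Step 1 netstat review showed is actually required; none of them come from the post.

```powershell
# Added example (not from the Dragos post): Windows firewall part of Step 2 on one HMI/EWS.
# Assumptions: elevated PowerShell with the NetSecurity module (Win8/2012+).
# All addresses, ports and paths below are PLACEHOLDERS for what your interviews found.

$PlcSubnet   = '192.168.10.0/24'                       # placeholder: controllers this HMI polls
$Historian   = '192.168.20.15'                         # placeholder: historian / SCADA server
$HistPort    = 5450                                    # placeholder: port the historian client uses
$SiteServers = '192.168.20.10', '192.168.20.11'        # placeholder: site DNS/NTP servers
$ScadaClient = 'C:\Program Files\Vendor\HMI\hmi.exe'   # placeholder: the HMI/SCADA client binary
$LogFile     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Audit: enabled outbound allow rules whose remote address is "Any" are the
#    inside->out "allow all" the post describes. Review this list with the interviews.
Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, Group | Format-Table -AutoSize

# 2. Observe before enforcing: log allowed and dropped packets so that every
#    required connection shows up in the log before step 4 makes the cutover.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True -LogBlocked True `
    -LogFileName $LogFile -LogMaxSizeKilobytes 32767

# 3. Explicit allows, as narrow as possible: remote address + port + (where the
#    vendor documents it) the program that needs the connection.
New-NetFirewallRule -DisplayName 'OT: HMI to PLC Modbus/TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $PlcSubnet -RemotePort 502 -Program $ScadaClient -Profile Any
New-NetFirewallRule -DisplayName 'OT: HMI to historian' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $Historian -RemotePort $HistPort -Profile Any
New-NetFirewallRule -DisplayName 'OT: DNS/NTP to site servers only' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $SiteServers -RemotePort 53,123 -Profile Any

# 4. Cutover: default-deny in both directions. This is the step that can break a
#    control system, so do it on one HMI during a maintenance window and watch the
#    DROP lines in $LogFile before touching the next asset.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Rollback if something required breaks:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
```

Leave step 2 running for at least one full production cycle (including any periodic jobs such as backups or recipe downloads) before step 4, and compare the ALLOW lines in the log against the interview list; a required flow that only appears at shift change or month end is exactly the kind of thing a default-deny cutover breaks. The same allow-list, expressed as rules on the network firewall in front of the OT segment, closes the inside -> out gap for assets where the Windows firewall cannot be changed.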

Stay Up to Date with SMB Cybersecurity Resources: Join Dragos OT-CERT today!

Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / OT / industrial control systems (ICS) cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practices blogs, assessments, toolkits, tabletop exercises, and more.

Currently available resources include:

  • OT Cybersecurity Fundamentals Self-Assessment Survey
  • OT Asset Management Toolkit
  • Self-Service OT Ransomware Tabletop Exercise Toolkit
  • Collection Management Framework for Incident Response
  • OT Cybersecurity Incident Response Toolkit
  • OT Data Backups Guidance
  • Access to an introductory ICS/OT cybersecurity module in Dragos Academy

If you haven’t joined Dragos OT-CERT don’t delay! Membership is open to organizations that own or operate a manufacturing / ICS / OT environment. Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link.

We look forward to working with you to safeguard civilization!
