Map Your OT Attack Surface Before the Next Audit
Most operational technology (OT) security audits produce findings that surprise the teams being audited. Not because the auditors are unusually thorough, but because the organizations being audited do not have a current picture of their own environment. An attack surface map fixes that. It gives you visibility into what you actually have before someone else tells you what you missed. The someone else is not always an auditor: Censys counts over 145,000 exposed industrial control system (ICS) services worldwide, more than 48,000 of them in the United States.
What an Attack Surface Map Actually Is
An OT attack surface map is a documented, current picture of every way an attacker could reach your operational technology environment. That includes every device on the network, every remote access path, every point where IT and OT traffic can cross and every external connection to vendors, cloud platforms or partner systems. It is not the same as a network diagram, which typically shows intended architecture. An attack surface map shows reality, including the things that were added for convenience and never formally reviewed. Those unreviewed paths carry real cost. In May 2021, attackers reached Colonial Pipeline through a legacy virtual private network (VPN) profile that was not intended to be in use. The company shut down fuel delivery for the East Coast and paid a $4.4 million ransom.
Auditors build a version of this picture during their assessment. The difference is that they build it looking for problems, and they share what they find in a report you receive after the audit is complete. Building your own map before the audit means you find those problems first, on your own timeline, with time to address them.
How to Build the Inventory You Actually Need
Passive discovery is the right starting point for OT environments. Monitoring network traffic at span ports or taps reveals what is actually communicating on the network, which is often different from what the documentation says. Devices that were installed temporarily and never removed. Legacy systems that were supposed to be decommissioned. Wireless access points that the OT vendor installed during commissioning and that nobody in the security team knows about.
The goal is not a perfect inventory built in a single effort. It is a living document that reflects the current state of the environment. For most manufacturers, getting to that state requires combining passive discovery with interviews with the operations team, review of vendor contracts and access agreements, and a physical walkthrough of the plant floor.
Mapping Topology and Exposure
Once you have the asset inventory, the next step is understanding how those assets connect to each other and to the outside world. Zone and conduit mapping based on IEC 62443 is the right framework for this. It identifies where traffic should be allowed to flow, where it should be blocked and where the current state deviates from the intended architecture.
The most common finding at this stage is a network that is segmented on paper but flat in practice. Virtual local area networks (VLANs) that were configured without enforcing communication restrictions. Firewall rules that allow broad traffic between IT and OT zones because they were set up during a project deadline and never tightened. A demilitarized zone (DMZ) that exists in the architecture diagram but is not actually enforced in the network configuration. The pattern is widespread: Dragos found improper network segmentation in 50% of its 2022 service engagements.
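The passive-discovery and zone/conduit steps above can be started from nothing more than a list of observed flows. The script below is an added example (not the article's own tooling): it takes flow records of the kind a span-port capture yields, assigns each address to an IEC 62443-style zone, builds an inventory of what each host talks and listens to, and flags every cross-zone flow that the intended conduit policy does not allow. The zone layout, conduit policy and flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed zone layout for a hypothetical plant (assumption, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "control": ipaddress.ip_network("192.168.20.0/24"),
}

# Intended conduits as (source zone, destination zone, destination port).
# Anything cross-zone that is not listed here is a deviation from the design.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443),
    ("dmz", "supervisory", 443),
    ("supervisory", "control", 502),     # Modbus/TCP from SCADA to PLCs
    ("supervisory", "control", 44818),   # EtherNet/IP from SCADA to PLCs
}

# Well-known OT protocol ports used to label what a host is doing.
OT_PORTS = {502: "modbus", 20000: "dnp3", 102: "s7comm", 44818: "enip", 47808: "bacnet"}

# Constructed flow records (src, dst, dst_port) as derived from a passive capture.
FLOWS = [
    ("10.10.5.21", "10.20.0.10", 443),
    ("10.20.0.10", "192.168.10.5", 443),
    ("192.168.10.5", "192.168.20.11", 502),
    ("192.168.10.5", "192.168.20.12", 44818),
    ("10.10.5.21", "192.168.20.11", 502),     # office host polling a PLC directly: "flat in practice"
    ("203.0.113.7", "192.168.10.9", 3389),    # external address reaching supervisory RDP
    ("192.168.20.13", "192.168.20.11", 502),  # intra-zone, allowed by definition here
]


def zone_of(ip):
    """Return the zone name for an address, or 'external' if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def build_inventory(flows):
    """Passive inventory: for every host seen, record its zone and protocol roles."""
    inv = defaultdict(lambda: {"zone": None, "talks": set(), "listens": set()})
    for src, dst, port in flows:
        label = OT_PORTS.get(port, f"tcp/{port}")
        inv[src]["zone"] = zone_of(src)
        inv[src]["talks"].add(label)
        inv[dst]["zone"] = zone_of(dst)
        inv[dst]["listens"].add(label)
    return dict(inv)


def find_violations(flows):
    """Cross-zone flows that the conduit policy does not permit."""
    out = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # intra-zone traffic is governed by the zone, not a conduit
        if (sz, dz, port) not in ALLOWED_CONDUITS:
            out.append({"src": src, "dst": dst, "port": port, "conduit": f"{sz}->{dz}"})
    return out


if __name__ == "__main__":
    for host, info in sorted(build_inventory(FLOWS).items()):
        print(host, info["zone"], "talks", sorted(info["talks"]), "listens", sorted(info["listens"]))
    for v in find_violations(FLOWS):
        print("VIOLATION", v)
```

Run against real capture data, the violation list is the "segmented on paper but flat in practice" evidence: each entry names a path that exists in the network but not in the architecture.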
Prioritizing What You Find
Not every exposure in your attack surface carries the same risk. A vendor remote access path with default credentials that connects directly to a distributed control system (DCS) controller is a different category of problem from an unpatched human-machine interface (HMI) that can only be reached from inside the plant network. Prioritization has to reflect both the likelihood of exploitation and the consequence if an attacker gets there.
For manufacturers under compliance requirements, whether NIST, IEC 62443 or sector-specific frameworks, the prioritization also needs to map to the controls those frameworks require. Auditors are not just looking for vulnerabilities. They are looking for evidence that you understand your exposure and are managing it systematically.
A risk-based attack surface assessment gives you both things. It identifies what is exposed, ranks it by real-world risk and maps it to the compliance requirements your auditors will check. That is a much stronger position to be in than receiving those findings in an audit report for the first time.
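To make the likelihood-times-consequence prioritization concrete, here is an added example (not the article's own method or any framework's official scoring) that scores a few constructed exposures, including the two contrasted above, ranks them, and lists the control areas an auditor would expect evidence for. The point values, reach categories and control-area names are illustrative assumptions; mapping them to a specific framework's control identifiers is left to the reader.

```python
from dataclasses import dataclass

# Assumed weights: how far an attacker is from the asset, and what a compromise costs.
REACH = {"internet": 5, "it_network": 3, "ot_internal": 1}
CONSEQUENCE = {"safety": 5, "production": 4, "monitoring": 2}


@dataclass
class Exposure:
    name: str
    reach: str          # "internet", "it_network" or "ot_internal"
    asset_role: str     # "safety", "production" or "monitoring"
    weak_auth: bool = False   # default, shared or absent credentials
    unpatched: bool = False


def likelihood(e):
    """Reachability plus credential and patch state, capped at 10."""
    score = REACH[e.reach]
    if e.weak_auth:
        score += 3
    if e.unpatched:
        score += 1
    return min(score, 10)


def risk(e):
    return likelihood(e) * CONSEQUENCE[e.asset_role]


def controls_for(e):
    """Control areas to cite as audit evidence for this exposure (illustrative names)."""
    areas = []
    if e.reach != "ot_internal":
        areas.append("network segmentation and conduit enforcement")
    if e.weak_auth:
        areas.append("remote access authentication")
    if e.unpatched:
        areas.append("patch and vulnerability management")
    return areas


def prioritize(exposures):
    return sorted(exposures, key=risk, reverse=True)


# Constructed exposures, including the two contrasted in the text.
EXPOSURES = [
    Exposure("vendor VPN to DCS controller", "internet", "production", weak_auth=True),
    Exposure("HMI reachable only from plant network", "ot_internal", "monitoring", unpatched=True),
    Exposure("safety PLC reachable from office VLAN", "it_network", "safety"),
]

if __name__ == "__main__":
    for e in prioritize(EXPOSURES):
        print(f"{risk(e):3d}  {e.name}  ->  {', '.join(controls_for(e))}")
```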
An audit will map your attack surface eventually, on the auditor’s timeline. Map it first. Request an OT attack surface assessment and walk into the next audit with the findings already in hand.