OT Security Assessment Checklist

For owners and operators of critical infrastructure, a security assessment must look beyond IT network policies and address the safety-critical components of the physical world. This guide outlines the key stages and checkpoints UTSI uses to provide a comprehensive, actionable review of your Operational Technology (OT) defences.

This checklist helps you assess the maturity of your current security stance, spot hidden risks, and develop a clear plan for improving operational resilience.

Stage 1: Governance and Risk Alignment (The Foundation)

Effective OT security requires alignment between IT, engineering, and operations. This stage verifies that your security strategy supports operational goals and compliance.

Formal OT Security Policy: Verify that a dedicated OT security policy exists and that it clearly defines OT security roles and responsibilities, keeping them separate from those of the IT department.

Regulatory Compliance Status: Determine whether critical assets meet the required sector-specific standards, such as NERC CIP for power or specific pipeline guidelines. Focus on evidence that demonstrates the effectiveness of the control measures.

Documented Network Architecture: Confirm that all network diagrams are current and logically match accepted industry frameworks such as the Purdue Model.

Cyber-Physical Incident Response: Verify that the Incident Response Plan (IRP) specifically addresses cyber-physical scenarios, including safely shutting down and restoring compromised PLCs or SCADA systems.

Personnel Training & Awareness: Confirm that operators and field engineers receive training on OT-specific threats, including unsecured USB drives, safe remote access, and recognizing industrial phishing.

Stage 2: Deep Asset Inventory and Visibility (Know Your World)

You can’t protect what you don’t know exists. A precise asset inventory is the most crucial step, identifying all hardware and software interacting with the physical process.

Visibility is Fundamental: Confirm that all industrial assets, including PLCs, RTUs, sensors, and SCADA servers, are recorded and categorized by criticality.

Capture Detailed Device Information: Record all security-relevant details: manufacturer, exact model number, firmware revision, operating system (OS), and known vulnerabilities (CVEs).

Map All Communication Flows: Document every data path. Identify which assets communicate with the corporate network and list all industrial protocols in use, including Modbus, DNP3, and OPC, so that unauthorized traffic can be found.

Identify Legacy Systems: Document all older equipment running unpatchable or unsupported OS versions. This inventory shows where compensating controls are needed.

Monitor Temporary Connections: Establish strict logging and access controls for temporary access points, such as contractor laptops or portable diagnostic tools.

Stage 3: Network Security and Segmentation (The Digital Moat)

The IT-OT air gap is nearly gone. Segmentation serves as the new perimeter; it ensures that any intrusion is quickly contained.

Verify Segmentation Enforcement: Test that firewalls strictly enforce boundary control between layers, for example between the enterprise IT network and the production control network.

Validate Critical Zone Isolation: Ensure that critical zones, such as safety systems, are divided into smaller segments per device or cell, and test the barriers against lateral movement.

Audit Protocol Filters: Check that firewall rules allow only the minimum OT protocols and ports the industrial process needs. Excess permissions create unnecessary risk.

Secure Remote Access Gateway: Confirm that all remote connections from staff and vendors pass through a dedicated, secure gateway that lands users only in the minimum necessary segment.
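The flow mapping from Stage 2 and the protocol-filter audit from Stage 3 can be checked mechanically once an inventory exists. The following is an added example, not UTSI's own tooling: it assumes a constructed zone map, a constructed allow-list of permitted zone-to-zone protocols, and constructed flow records, and it flags every cross-zone flow the policy does not permit or that involves an asset missing from the inventory.

```python
"""Audit observed OT flows against a zone segmentation policy.
Added example, not UTSI tooling: the zone map, allow-list and flow records
are constructed sample data; the port numbers are the protocols' defaults."""

# Industrial protocols by default TCP port (Modbus/TCP 502, DNP3 20000,
# OPC UA 4840); 443 covers the enterprise-to-DMZ historian web path.
PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 4840: "OPC UA", 443: "HTTPS"}

# Constructed asset inventory: host -> Purdue-style zone label.
ZONES = {
    "10.0.0.15": "enterprise",     # corporate workstation
    "10.1.0.5": "dmz-historian",   # IT/OT DMZ historian
    "10.2.0.10": "control-scada",  # SCADA server
    "10.2.0.20": "control-plc",    # PLCs
    "10.2.0.21": "control-plc",
}

# Permitted zone-to-zone flows and the only protocols allowed on each:
# the minimum the process needs, so anything else becomes a finding.
ALLOWED = {
    ("enterprise", "dmz-historian"): {"HTTPS"},
    ("dmz-historian", "control-scada"): {"OPC UA"},
    ("control-scada", "control-plc"): {"Modbus/TCP", "DNP3"},
}

def audit_flows(flows):
    """Return (src, dst, protocol, reason) for each (src_ip, dst_ip, dst_port) flow the policy rejects."""
    findings = []
    for src, dst, port in flows:
        proto = PROTOCOL_PORTS.get(port, f"tcp/{port}")
        src_zone, dst_zone = ZONES.get(src, "unknown"), ZONES.get(dst, "unknown")
        if "unknown" in (src_zone, dst_zone):
            findings.append((src, dst, proto, "asset not in inventory"))
        elif src_zone != dst_zone and proto not in ALLOWED.get((src_zone, dst_zone), set()):
            findings.append((src, dst, proto, f"{src_zone}->{dst_zone} not permitted"))
    return findings  # intra-zone flows are out of scope for boundary checks

# Constructed flow records (e.g. from a passive capture): (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.0.0.15", "10.1.0.5", 443),     # permitted: enterprise -> DMZ, HTTPS
    ("10.1.0.5", "10.2.0.10", 4840),    # permitted: DMZ -> SCADA, OPC UA
    ("10.2.0.10", "10.2.0.20", 502),    # permitted: SCADA -> PLC, Modbus/TCP
    ("10.0.0.15", "10.2.0.20", 502),    # finding: corporate host talking Modbus to a PLC
    ("10.2.0.20", "10.2.0.21", 502),    # intra-zone PLC traffic, not a boundary crossing
    ("10.3.0.99", "10.2.0.20", 20000),  # finding: source missing from inventory
    ("10.2.0.10", "10.2.0.20", 22),     # finding: SSH is not a permitted OT protocol
]
```

Each finding maps back to a checklist item: an unknown asset is a Stage 2 inventory gap, and a rejected cross-zone protocol is a Stage 3 filter or segmentation gap.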

Stage 4: Access Control and System Hardening (The Device Level)

This final stage checks that individual assets are secured, so that only authorized and verified users can execute control commands, in line with Zero Trust principles.

Enforce Strong Identity Management: Verify that shared or default credentials have been removed from all ICS components and that every human user has unique credentials.

Multi-Factor Authentication (MFA): Confirm that MFA is required for all remote access, key internal logins, and privileged accounts, including those of operators and engineers.

Implement Least Privilege Access: Audit user roles to ensure staff hold only the minimum privileges their job requires. For example, an operator should not be able to modify PLC code.

Manage Legacy Vulnerabilities: Confirm that compensating controls, such as network intrusion detection systems or host-based firewalls, protect known-vulnerable devices that cannot be patched.

Verify Configuration Management: Ensure that configuration backups for all PLCs and control devices are current, stored securely, and regularly tested so they can be restored reliably after an incident.

Next Steps: Achieving Resilience with UTSI

Implementing an effective OT security strategy requires specialized knowledge of industrial process control, not just IT network theory.  

At UTSI, we use this structured checklist as the basis for a thorough assessment. It helps you move from uncertain risk to a clear plan for fixing problems. We build defences that focus on maintaining the safety and ongoing flow of your physical operations.

Are you ready to gain visibility and control over your most critical assets? Contact UTSI today to schedule your assessment.