Map Your OT Attack Surface Before the Next Audit
Contributors
Most operational technology (OT) security audits produce findings that surprise the teams being audited. Not because the auditors are unusually thorough, but because the organizations being audited do not have a current picture of their own environment. An attack surface map fixes that. It gives you visibility into what you actually have before someone else tells you what you missed. The someone else is not always an auditor: Censys counts over 145,000 exposed industrial control system (ICS) services worldwide, more than 48,000 of them in the United States.
What an Attack Surface Map Actually Is
An OT attack surface map is a documented, current picture of every way an attacker could reach your operational technology environment. That includes every device on the network, every remote access path, every point where IT and OT traffic can cross and every external connection to vendors, cloud platforms or partner systems. It is not the same as a network diagram, which typically shows intended architecture. An attack surface map shows reality, including the things that were added for convenience and never formally reviewed. Those unreviewed paths carry real cost. In May 2021, attackers reached Colonial Pipeline through a legacy virtual private network (VPN) profile that was not intended to be in use. The company shut down fuel delivery for the East Coast and paid a $4.4 million ransom.
Auditors build a version of this picture during their assessment. The difference is that they build it looking for problems, and they share what they find in a report you receive after the audit is complete. Building your own map before the audit means you find those problems first, on your own timeline, with time to address them.
How to Build the Inventory You Actually Need
Passive discovery is the right starting point for OT environments. Monitoring network traffic at span ports or taps reveals what is actually communicating on the network, which is often different from what the documentation says. Devices that were installed temporarily and never removed. Legacy systems that were supposed to be decommissioned. Wireless access points that the OT vendor installed during commissioning and that nobody in the security team knows about.
The goal is not a perfect inventory built in a single effort. It is a living document that reflects the current state of the environment. For most manufacturers, getting to that state requires combining passive discovery with interviews with the operations team, review of vendor contracts and access agreements, and a physical walkthrough of the plant floor.
Mapping Topology and Exposure
Once you have the asset inventory, the next step is understanding how those assets connect to each other and to the outside world. Zone and conduit mapping based on IEC 62443 is the right framework for this. It identifies where traffic should be allowed to flow, where it should be blocked and where the current state deviates from the intended architecture.
The most common finding at this stage is a network that is segmented on paper but flat in practice. Virtual local area networks (VLANs) that were configured without enforcing communication restrictions. Firewall rules that allow broad traffic between IT and OT zones because they were set up during a project deadline and never tightened. A demilitarized zone (DMZ) that exists in the architecture diagram but is not actually enforced in the network configuration. The pattern is widespread: Dragos found improper network segmentation in 50% of its 2022 service engagements.
Prioritizing What You Find
Not every exposure in your attack surface carries the same risk. A vendor remote access path with default credentials that connects directly to a distributed control system (DCS) controller is a different category of problem from an unpatched human-machine interface (HMI) that can only be reached from inside the plant network. Prioritization has to reflect both the likelihood of exploitation and the consequence if an attacker gets there.
For manufacturers under compliance requirements, whether NIST, IEC 62443 or sector-specific frameworks, the prioritization also needs to map to the controls those frameworks require. Auditors are not just looking for vulnerabilities. They are looking for evidence that you understand your exposure and are managing it systematically.
A risk-based attack surface assessment gives you both things. It identifies what is exposed, ranks it by real-world risk and maps it to the compliance requirements your auditors will check. That is a much stronger position to be in than receiving those findings in an audit report for the first time.
An audit will map your attack surface eventually, on the auditor’s timeline. Map it first. Request an OT attack surface assessment and walk into the next audit with the findings already in hand.
Frequently Asked Questions
An OT attack surface map is a documented, current picture of every way an attacker could reach your operational technology environment. It includes every device on the network, every remote access path, every point where IT and OT traffic can cross, and every external connection to vendors, cloud platforms, or partner systems. Unlike a network diagram, which shows intended architecture, an attack surface map shows reality, including paths added for convenience and never formally reviewed.
A network diagram shows intended architecture, meaning how the environment was designed to work. An attack surface map shows the actual state, including the connections, devices, and access paths that were added over time and never documented. This difference matters because attackers exploit reality, not the diagram. Colonial Pipeline was breached in May 2021 through a legacy VPN profile that was not meant to be in use, which a current attack surface map would have flagged.
Because an auditor will map it eventually, on their timeline, and share the findings in a report only after the assessment is complete. Building your own map first means you find the problems on your own schedule, with time to fix them before they become audit findings. It also demonstrates to auditors that you understand and actively manage your exposure, which is what compliance frameworks are designed to verify.
Passive discovery means monitoring network traffic at span ports or taps to reveal what is actually communicating on the network, without sending any traffic to live devices. It is the right starting point for OT because it carries zero risk to production while surfacing what documentation misses: temporary devices never removed, systems that were supposed to be decommissioned, and wireless access points an OT vendor installed during commissioning that the security team never knew about.
Treat the inventory as a living document that reflects the current state, not a one-time project. For most manufacturers, reaching that state means combining passive discovery with interviews with the operations team, a review of vendor contracts and access agreements, and a physical walkthrough of the plant floor. The goal is not a perfect inventory built in a single effort, but one that is kept current as the environment changes.
Zone and conduit mapping based on IEC 62443 is the right framework. It identifies where traffic should be allowed to flow, where it should be blocked, and where the current state deviates from the intended architecture. Applying it turns a raw asset inventory into a picture of how assets connect to each other and to the outside world, which is where most real exposure lives.
It describes an OT network that looks segmented in the architecture diagram but does not enforce those boundaries in practice. Common examples include VLANs configured without communication restrictions, firewall rules that allow broad IT-to-OT traffic because they were set during a deadline and never tightened, and a DMZ that exists in the diagram but is not enforced in the actual configuration. Dragos found improper network segmentation in 50% of its 2022 service engagements.
Prioritization must reflect both the likelihood of exploitation and the consequence if an attacker succeeds. A vendor remote access path with default credentials connecting directly to a DCS controller is a far higher priority than an unpatched HMI reachable only from inside the plant network. For organizations under compliance obligations, the ranking should also map to the specific controls that NIST, IEC 62443, or sector frameworks require.
Exposure is widespread. Censys counts more than 145,000 exposed industrial control system services worldwide, with over 48,000 of them in the United States alone. This is why mapping matters: many organizations have internet-reachable OT assets they are not fully aware of, and those assets are visible to attackers scanning for them long before any audit takes place.
It showed how a single unreviewed access path can cause major operational impact. In May 2021, attackers reached Colonial Pipeline through a legacy VPN profile that was not intended to be in use. The company shut down fuel delivery for the East Coast and paid a $4.4 million ransom. A current attack surface map is designed to surface exactly this kind of forgotten path before an attacker finds it.
Other Popular Articles
In the digital age, businesses must adopt an ad
GRC is the capability, or integrated collection