OT Hardening: A Step-by-Step Checklist for Industrial Control Systems
The phrase "security hardening" means something very different in a steel mill than it does in a corporate data center. In IT, hardening typically means disabling unused services, applying patches, and enforcing password policies. In an OT environment, applying the same actions without understanding the process can stop production, trigger safety shutdowns, or corrupt control logic.
This is why many industrial facilities either skip hardening entirely or apply generic IT hardening guides that cause more problems than they solve. According to CISA's Industrial Control Systems advisories, the three most common OT attack vectors are default credentials, unpatched software, and excessive remote access permissions. None of those requires expensive technology to fix. All of them are directly addressed by a proper hardening program.
What OT Hardening Actually Means
OT hardening is the process of reducing the attack surface of industrial control systems by eliminating unnecessary access pathways, disabling unused functionality, strengthening authentication, and enforcing network boundaries. It is configuration-based security. The goal is not to make OT systems identical to IT systems. It is to make them as difficult as possible to compromise while preserving the deterministic, reliable operation that industrial processes depend on.
OT hardening applies across every layer of the industrial network: from field devices at Level 0 and Level 1 of the Purdue Model, through the control network at Level 2, to the SCADA and historian servers at Level 3.
Before You Start: Build Your Asset Inventory
No hardening program can succeed without a complete inventory of the assets being hardened. A 2024 report from Claroty found that 38% of OT environments contained assets unknown to their own security teams. You cannot apply a hardening baseline to a device you do not know exists.
Your inventory needs to capture, for each asset:
- Device type, manufacturer, and model
- Firmware version and operating system version, where applicable
- Network addresses and communication paths
- Open ports and active services
- Vendor maintenance access requirements
Network Hardening
Zone and Conduit Architecture
The foundation of OT network hardening is segmentation. Flat OT networks, where every device can communicate with every other device, have no defensible perimeter. IEC 62443 defines zones as groups of assets with common security requirements, and conduits as controlled communication paths between zones. This architecture limits lateral movement if any device is compromised.
At a minimum, your OT network should have:
- A defined and enforced separation between the IT network and the OT network, implemented through a firewall or data diode
- A DMZ between IT and OT for historian replication and remote access functions
- Separate network segments for Level 1 control devices, Level 2 SCADA systems, and Level 3 site operations
Firewall Rule Review
Most OT firewalls are configured once during commissioning and never reviewed again. Audit every firewall rule between OT zones and remove any rule that cannot be justified by a current operational requirement. Common findings include: "any-any" rules permitting unrestricted IT-to-OT traffic, persistent remote access rules for vendors whose projects were completed years ago, and legacy rules for systems that no longer exist.
Disable Unused Ports and Protocols
On OT network devices, disable any port or protocol not actively required for process operation. Common hardening actions include disabling FTP where SFTP is available, disabling Telnet where SSH is available, blocking outbound internet access from control network segments, and replacing SNMP v1/v2 with v3 where the device supports it.
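The firewall rule review and the unused-port checks above are easiest to do consistently when they are scripted against the rule export and the asset inventory. The following is an added example, not code from the original article or from any vendor: it audits a constructed rule list for "any-any" rules, rules whose vendor justification has expired, destinations that are not in the inventory, and legacy cleartext services. The rule field names and the sample addresses are assumptions made for the example.

```python
from datetime import date

# Constructed asset inventory (see "Build Your Asset Inventory"); not a real site.
INVENTORY = {
    "10.10.2.10": "Historian (Level 3)",
    "10.10.1.21": "PLC-Line1 (Level 1)",
    "10.10.1.22": "PLC-Line2 (Level 1)",
}

# Services the article says to disable where a secure replacement exists.
LEGACY_SERVICES = {"telnet", "ftp", "snmpv1", "snmpv2c"}

# Constructed export of IT-to-OT firewall rules. Real exports differ by
# vendor; the field names here are assumptions for the example.
RULES = [
    {"id": 1, "src": "any", "dst": "any", "service": "any",
     "owner": "commissioning", "expires": None},
    {"id": 2, "src": "10.20.0.0/16", "dst": "10.10.2.10", "service": "sql/1433",
     "owner": "historian replication", "expires": None},
    {"id": 3, "src": "203.0.113.7", "dst": "10.10.1.21", "service": "telnet",
     "owner": "vendor-A commissioning", "expires": "2019-06-30"},
    {"id": 4, "src": "10.20.5.5", "dst": "10.10.1.99", "service": "ssh",
     "owner": "retired HMI", "expires": None},
]

def audit_rules(rules, inventory, today="2025-01-01"):
    """Return {rule_id: [finding, ...]} for every rule that needs a decision."""
    audit_date = date.fromisoformat(today)
    findings = {}
    for r in rules:
        issues = []
        if r["src"] == "any" and r["dst"] == "any":
            issues.append("any-any rule: unrestricted IT-to-OT traffic")
        if r["expires"] and date.fromisoformat(r["expires"]) < audit_date:
            issues.append(f"expired {r['expires']}: stale access for {r['owner']}")
        if r["dst"] != "any" and r["dst"] not in inventory:
            issues.append(f"destination {r['dst']} is not in the asset inventory")
        if r["service"].lower() in LEGACY_SERVICES:
            issues.append(f"legacy service {r['service']}: replace or disable")
        if issues:
            findings[r["id"]] = issues
    return findings

if __name__ == "__main__":
    for rule_id, issues in audit_rules(RULES, INVENTORY).items():
        print(f"rule {rule_id}:")
        for issue in issues:
            print("  -", issue)
```

Every flagged rule should end in a documented keep-or-remove decision, not just a report line.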
Device Hardening
PLCs and Controllers
PLC hardening is constrained by what the vendor's firmware supports. Common hardening actions include:
- Changing default passwords on the PLC's web interface and programming port
- Enabling write protection or run/stop key switch protection where available
- Disabling the built-in web server if it is not required for operations
- Restricting which IP addresses can access the programming port, where the device supports access control lists
- Documenting firmware versions and subscribing to vendor security advisories for each PLC family in use
HMIs and Operator Workstations
HMIs running Windows or Linux have a larger hardening surface than PLCs. Key actions include:
- Removing or disabling unnecessary Windows features and services not required for SCADA operations
- Disabling USB autorun and restricting which USB devices can be connected
- Removing software not required for operations, including browsers, media applications, and general productivity tools
- Enabling application whitelisting to restrict execution to approved programs
- Enforcing screen lock after a defined inactivity period
Engineering Workstations
Engineering workstations are high-value targets because they hold the tools and credentials needed to reprogram control devices. Hardening priorities include:
- Full disk encryption on the workstation
- Restricting network access to only the specific control devices that the workstation is authorized to reach
- Maintaining separate user accounts for engineering access versus general IT functions
- Logging and alerting on all connections from the engineering workstation to the OT network
Remote Access Hardening
Remote access is one of the most consistently exploited vectors in OT incidents. The 2021 Colonial Pipeline incident began with a compromised VPN credential. The 2021 Oldsmar water treatment incident involved an unsecured remote desktop session accessible from the internet. Hardening remote access to OT systems means:
- Requiring multi-factor authentication for all remote access to OT networks without exception
- Using a dedicated OT remote access solution separate from the VPN used for general IT access
- Enforcing least-privilege access so vendors can only reach the specific devices they are authorized to maintain
- Recording all remote sessions for audit purposes and retaining recordings for a defined period
- Revoking remote access credentials promptly when a maintenance activity is complete
Account and Authentication Hardening
Eliminate Default Credentials
Default vendor credentials are the most common initial access vector in OT incidents. CISA has published multiple advisories identifying specific OT products shipped with hardcoded or predictable default credentials. Audit every device in your inventory against known default credential lists for each vendor and model, and change them before any device is connected to a network.
Enforce Least-Privilege Access
Operators running HMI workstations do not need administrator rights. Vendors performing remote maintenance do not need access to every PLC on the network. Define access roles for each type of OT user and restrict network and system access to what each role operationally requires.
Shared and Service Accounts
OT environments frequently use shared accounts, where one login is used by multiple operators or multiple vendors. Eliminate shared accounts where possible. Where process requirements make individual accounts impractical, implement a check-out system with audit logging so that every access event is attributable to a specific individual.
Maintaining Hardening Over Time
Hardening is not a one-time project. Changes to OT environments happen continuously: new devices are commissioned, vendors install software, firmware is updated, and configuration drift accumulates. A hardening program requires ongoing processes to remain effective.
Change Management Integration
Every change to an OT system should trigger a review of the relevant hardening baseline. Adding a vendor VPN connection, installing a new HMI application, or updating PLC firmware can all introduce new attack surfaces. Build this review into your management of change process so that hardening is maintained as the environment evolves.
Regular Configuration Audits
Schedule quarterly or semi-annual audits to compare current device configurations against your documented hardening baseline. Passive OT security monitoring tools can detect configuration changes between scheduled audits, providing continuous visibility into drift.
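A configuration audit is a comparison of a live snapshot against the documented baseline, ranked by how much each deviation matters. The block below is an added example, not code from the original article: it diffs a constructed PLC configuration snapshot against a constructed baseline and reports drift with the priorities used in the checklist. The setting names are assumptions for the example, not any vendor's real configuration schema.

```python
# Constructed hardening baseline for one PLC family (assumed setting names).
BASELINE = {
    "web_server": "disabled",
    "default_password_changed": True,
    "programming_port_acl": ["10.10.3.5"],   # engineering workstation only
    "snmp_version": "v3",
    "firmware": "4.2.1",
    "run_stop_key_protection": True,
}

# How much a deviation in each setting matters, following the checklist priorities.
SEVERITY = {
    "default_password_changed": "critical",
    "programming_port_acl": "critical",
    "web_server": "high",
    "run_stop_key_protection": "high",
    "snmp_version": "high",
    "firmware": "medium",
}

# Constructed snapshot taken during a scheduled audit, showing drift since commissioning.
CURRENT_SNAPSHOT = {
    "web_server": "enabled",
    "default_password_changed": True,
    "programming_port_acl": ["10.10.3.5", "10.20.7.40"],
    "snmp_version": "v3",
    "firmware": "4.2.1",
    "run_stop_key_protection": True,
    "ftp_server": "enabled",    # setting that the baseline never covered
}

def find_drift(baseline, current, severity):
    """Return (severity, setting, expected, actual) tuples, most severe first.

    Settings present only in the snapshot are reported as 'unbaselined' so
    the audit forces a decision on them instead of silently ignoring them.
    """
    order = {"critical": 0, "high": 1, "medium": 2, "unbaselined": 3}
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")
        if actual != expected:
            drift.append((severity.get(key, "medium"), key, expected, actual))
    for key in current.keys() - baseline.keys():
        drift.append(("unbaselined", key, None, current[key]))
    return sorted(drift, key=lambda d: (order[d[0]], d[1]))

if __name__ == "__main__":
    for sev, key, expected, actual in find_drift(BASELINE, CURRENT_SNAPSHOT, SEVERITY):
        print(f"[{sev}] {key}: expected {expected!r}, found {actual!r}")
```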
Vulnerability and Patch Management
OT vendor advisories for PLCs, DCS systems, and SCADA software are published continuously. Subscribe to CISA ICS-CERT advisories and vendor-specific notification programs. For each advisory, assess exploitability against your network architecture and define a remediation timeline based on operational constraints. Not every advisory requires an emergency patch, but every advisory requires a documented decision.
OT Hardening Checklist Summary
| Category | Action | Priority |
| --- | --- | --- |
| Network | Implement zone and conduit segmentation per IEC 62443 | Critical |
| Network | Audit and remove unjustified firewall rules | Critical |
| Network | Disable unused ports and protocols on network devices | High |
| PLC/Controller | Change all default credentials | Critical |
| PLC/Controller | Disable unused web servers and programming interfaces | High |
| HMI | Apply application whitelisting | High |
| HMI | Disable USB autorun and restrict removable media | High |
| Engineering WS | Enable full disk encryption | High |
| Engineering WS | Restrict network access to required devices only | Critical |
| Remote Access | Enforce MFA for all OT remote access | Critical |
| Remote Access | Revoke vendor credentials after each maintenance activity | High |
| Accounts | Audit all devices for default vendor credentials | Critical |
| Accounts | Eliminate or log all shared accounts | High |
| Ongoing | Integrate hardening review into the management of change | High |
| Ongoing | Subscribe to CISA ICS-CERT advisories | Medium |
Frequently Asked Questions
How is OT hardening different from IT hardening?
IT hardening prioritizes confidentiality and applies broadly using automated tools. OT hardening prioritizes availability and safety, and must be applied carefully because standard IT hardening actions (automated scanning, patch agents, disabling services) can disrupt control systems or trigger process shutdowns. Every hardening action in OT requires validation against operational requirements before implementation.
Can OT systems be patched during production?
In most cases, OT patches cannot be applied during live production. Patching typically requires a planned shutdown window, a staging environment test, vendor validation, and a formal management of change approval. The timeline between a patch release and its application in a live OT environment is often measured in months.
What is the risk of applying generic IT hardening guides to OT environments?
Generic IT hardening guides do not account for the operational requirements of industrial control systems. Disabling a service that appears unused may stop a control process. Applying a scan-based hardening tool can crash legacy PLCs. The risk is not just a failed hardening exercise. It is an unplanned production outage or a process safety event.
How do we harden a PLC that has no user authentication feature?
Many legacy PLCs do not support user authentication at the device level. In these cases, hardening is applied at the network level: restricting which devices can reach the PLC's programming port through firewall rules or managed switch port restrictions, disabling network access to the programming port entirely when maintenance is not in progress, and implementing physical security controls such as run/stop key switches and locked control panel doors.