Imagine leaving the control room of a power plant, water treatment facility or manufacturing floor with the door wide open: not just unlocked, but visibly open to anyone walking past. In digital terms, this is the kind of risk that internet-exposed operational technology (OT) devices pose in today's hyper-connected industrial landscape.
Why internet exposure in OT matters more than most companies realize
When an OT device becomes internet-exposed — directly or indirectly — it can shift from “hard-to-reach” to “continuously discoverable” for threat actors. They don’t need to start inside an enterprise network; they can begin with what’s already visible and easily accessible to them.
While OT devices are a fundamental part of systems that are critical to societies, operational processes and human safety, the number of exposed devices has been growing over the years. In fact, according to research from Bitsight Technologies, Inc., the number has increased from 100,000 in 2023 to 180,000 in 2025.
Risk rises with legacy systems and innovation adoption
OT systems, especially in critical infrastructures, are highly complex environments with both legacy and newly designed equipment. The legacy systems were designed with functionality as the top priority, with security being lower on the checklist. Today, while security is a priority for newer equipment, the challenges that arise from integration and backward compatibility with legacy systems cannot be ignored.
It is often because of the convergence and interoperability of new and legacy systems that many of the internet exposures occur. Based on research that is part of Schneider Electric’s Installed Base Security initiative, the most common factors contributing to exposed OT devices are:
- Security lapses: Even with highly mature cybersecurity in place, there will most likely be oversights that can arise at some point during the lifecycle of a solution. These kinds of lapses could occur in the design and development of the solutions, during the deployment, within day-to-day operations or in the maintenance and decommissioning stages.
- Cybersecurity compliance: The exposure of devices to the internet can also come from noncompliance with industry standards, such as ISA/IEC 62443, or a lack of due diligence. For instance, if the best practices recommended by the vendors, integrators and solution providers throughout their lifecycle are not followed, vulnerabilities can arise.
- Security control issues: Because of the complexity of OT systems, it’s not uncommon for there to be misconfigurations or improper implementations of security controls on devices, network infrastructure or other related systems. These kinds of scenarios are especially common when it comes to the legacy systems that don’t have today’s built-in cybersecurity measures. Equally prevalent is the circumvention or disabling of security controls on the devices due to a lack of proper adherence to change management protocols.
- Other factors: Exposed device risk can also be amplified through issues related to device type, device functionality, exposed ports and protocols, pivoting or lateral movement possibilities or other associated vulnerabilities.
The RISE framework
Awareness to action
Proactive action is an important step toward risk reduction. The guidance presented in the RISE Framework is based on four strategic pillars: Reduce, Implement, Secure and Enhance. The four-pillar structure is intended to keep the guidance simple and easy to remember.

Each pillar in the RISE Framework includes a focus area, an objective and a wide array of actions designed to harden OT systems against unintended internet exposure and reduce risk. Here is a quick overview of the pillars and a summary of the actions companies can take.

| Pillar | Focus Area | Objective |
| --- | --- | --- |
| Reduce | Attack surfaces | Minimize device visibility and harden systems |
| Implement | Identity & access | Ensure only authorized, authenticated users can communicate |
| Secure | Internet connections | Protect all outward-facing links and remote access tools |
| Enhance | Visibility & monitoring | Maintain a real-time, accurate map of data flows and assets |

1. Reduce the attack surface: The goal here is containment. Any equipment, when configured in a network, exhibits certain characteristics that allow for its detection and identification. We recommend that these characteristics be contained within the network in which the equipment is required to function. There are a wide variety of security controls that can help minimize the attack surface of the devices.
2. Implement stricter identity and access management. Secondly, additional security can be applied in the areas of managing users and identities, credentials, configurations and backups. As an example, a device should only communicate with authorized and authenticated users and other devices in the network. The security controls in this area allow for the traceability of activities and the limitation of communication attempts by unknown personnel and unauthorized accounts.
3. Secure internet-facing connections: Internet connections, including remote access, remote access user management and cloud connectivity, can benefit from additional security controls as well. Many platforms require connectivity to public networks, so it is essential to secure all outward-facing connections through various measures.
4. Enhance visibility of connected devices and monitor their dataflow. Visibility is critical for asset management, data flow, logging and event management. Complete visibility of the systems within a critical infrastructure, which includes OT equipment and networking devices, will allow the asset owner to visualize the dataflow and monitor the activities in the environment.
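One way to act on the Reduce and Enhance pillars, as an added example that is not from the article or the Schneider Electric white paper: a check over flow records that flags any OT asset exchanging traffic with an address outside the site's own networks. The inventory, flow records, address ranges and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's own address space. Anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed OT asset inventory: IP -> description.
OT_ASSETS = {
    "10.20.1.15": "PLC, line 3",
    "10.20.1.40": "HMI, packaging",
    "10.20.2.7": "RTU, pump station",
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.40", "10.20.1.15", 502),     # HMI to PLC, Modbus/TCP, internal
    ("198.51.100.23", "10.20.1.15", 502),  # external source reaching the PLC
    ("10.20.2.7", "203.0.113.9", 443),     # RTU opening a connection outward
    ("10.30.0.8", "10.20.2.7", 20000),     # internal workstation to RTU, DNP3
    ("10.20.1.40", "not-an-ip", 502),      # malformed record
]

def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip lies inside one of the site's networks (ValueError if malformed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def find_exposures(flows, assets=OT_ASSETS, nets=INTERNAL_NETS):
    """Return ({asset_ip: [(direction, peer, port)]}, skipped_records)."""
    findings, skipped = defaultdict(list), []
    for rec in flows:
        src, dst, port = rec
        try:
            src_in, dst_in = is_internal(src, nets), is_internal(dst, nets)
        except ValueError:
            skipped.append(rec)  # keep for review instead of silently dropping
            continue
        if dst in assets and not src_in:
            findings[dst].append(("inbound", src, port))
        elif src in assets and not dst_in:
            findings[src].append(("outbound", dst, port))
    return dict(findings), skipped

if __name__ == "__main__":
    exposures, skipped = find_exposures(FLOWS)
    for ip, hits in exposures.items():
        for direction, peer, port in hits:
            print(f"{ip} ({OT_ASSETS[ip]}): {direction} {peer} port {port}")
    print(f"{len(skipped)} record(s) could not be parsed")
```

Each finding is a flow to trace back to a firewall rule, remote access path or cloud connector and either remove or place behind an authenticated, monitored connection.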
The RISE Framework can also be applied to environments with legacy systems, where companies can update their practices based upon the above pillars to collectively reduce the risk of devices being exposed to the internet.
A call to action: Risk reduction of exposed OT assets is a continuous process, not a one-off fix
The progression from "Secure by Design" to "Secure by Operations" recognizes that security is not a one-time setup, but a continuous commitment. As connectivity continues to grow, security practices must evolve at the same pace to protect the critical systems our society relies upon. The protection of critical infrastructure requires collective action across the entire value chain. Readers are invited to refer to this white paper from Schneider Electric on the RISE framework, "Insights on Internet-Exposed OT Devices and Guidance for Proactive Risk Mitigation."
The paper provides detailed information about the pillars in the RISE framework and aims to help companies start on a continuous path to mitigate the vulnerabilities associated with undetected devices in their OT and ICS environments.
This article represents the views of the author alone and does not imply an endorsement from the ISA Global Cybersecurity Alliance.
