OT/ICS Security Assessment for Aviation: A Practical Evaluation Framework

Operational Technology security assessment in aviation requires a fundamentally different approach from standard IT security assessment. Aviation OT systems — baggage handling conveyors, airfield ground lighting controllers, building management systems, ground power units, fuel management systems — cannot simply be vulnerability-scanned without risk of disruption. Assessment must be passive where possible, conducted with vendor involvement where required, and framed around operational constraints that do not exist in enterprise IT environments. This framework provides a structured approach to OT/ICS security assessment for aviation operators, aligned to IEC 62443, NCSC OT security guidance, and EASA Part-IS requirements.

Aviation OT/ICS security assessment cannot rely on standard IT assessment tooling: active scanners and credential-probing tools can hang or desynchronise controllers that were never designed to handle malformed or high-rate traffic, so passive assessment approaches are required to avoid disrupting safety-critical operational systems.

Phase 1: OT Asset Discovery and Inventory

Before any security assessment, a complete OT asset inventory must be established:

  • Passive network monitoring: Deploy passive OT asset discovery tools (not active scanners) to identify all devices communicating on OT network segments
  • Documentation review: Review existing network diagrams, OT system documentation, and vendor records against discovered assets
  • Physical walkdown: Physical inspection of OT environments — server rooms, control rooms, remote equipment locations — to identify assets not visible on the network
  • Vendor consultation: Engage OT system vendors to identify assets they maintain and any network connections their systems use
  • Shadow OT identification: Identify devices connected to OT networks without formal approval — common findings include engineer laptops, personal devices, and unauthorised remote access equipment
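The five steps above reduce to one reconciliation: what the passive sensor actually sees on the wire versus what the asset register says should be there. The script below is an added example for this article, not the framework's own tooling. It assumes a CSV export of connection summaries from a passive sensor (Zeek conn.log-style columns: ts, src, dst, dport, proto) and a register keyed by IP; the connection records, the register and the addresses in them are constructed sample data. Device roles are inferred only from traffic the devices already generate, so nothing is ever sent to them.

```python
"""Passive OT asset discovery and reconciliation against the asset register.

Added example, not the article's own tooling. Inputs (connection log and
asset register) are constructed sample data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Well-known ICS / building-automation service ports, used to infer a device's
# role from traffic it already generates. Nothing is sent to the devices.
OT_SERVICE_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# RFC 1918 space. An OT host talking to anything outside it is flagged; the
# ipaddress module's is_private() would also treat documentation ranges as
# private, so the check is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: what a span-port sensor on the BHS and BMS segments
# might record over a few seconds. 203.0.113.10 is a documentation address.
SAMPLE_CONN_LOG = """ts,src,dst,dport,proto
1700000000,10.20.1.10,10.20.1.50,502,tcp
1700000001,10.20.1.10,10.20.1.51,502,tcp
1700000002,10.20.1.10,10.20.1.52,502,tcp
1700000003,10.20.2.5,10.20.2.20,47808,udp
1700000004,10.20.1.77,10.20.1.50,502,tcp
1700000005,10.20.1.77,203.0.113.10,443,tcp
1700000006,10.20.1.10,10.20.1.50,502,tcp
"""

# Constructed sample: the documented OT asset register (CMDB export).
DOCUMENTED_ASSETS = {
    "10.20.1.10": "BHS SCADA server",
    "10.20.1.50": "BHS PLC, conveyor line 1",
    "10.20.1.51": "BHS PLC, conveyor line 2",
    "10.20.1.52": "BHS PLC, conveyor line 3",
    "10.20.2.5": "BMS head-end",
    "10.20.2.20": "BMS controller, terminal HVAC",
    "10.20.2.21": "BMS controller, pier B HVAC",
}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def discover_assets(conn_log_text):
    """Build an observed-asset inventory from connection records.

    Returns {ip: {"roles": set, "peers": set, "external": bool}} for every
    internal address seen. External peers are not assets; they only set the
    'external' flag on the internal host that talked to them.
    """
    assets = defaultdict(lambda: {"roles": set(), "peers": set(), "external": False})
    for row in csv.DictReader(io.StringIO(conn_log_text)):
        src, dst, dport = row["src"], row["dst"], int(row["dport"])
        if not is_internal(src):
            continue  # inbound from outside is a Phase 2 finding, not an asset
        assets[src]["peers"].add(dst)
        if not is_internal(dst):
            assets[src]["external"] = True
            continue
        assets[dst]["peers"].add(src)
        service = OT_SERVICE_PORTS.get(dport)
        if service:
            assets[src]["roles"].add(f"{service} client")
            assets[dst]["roles"].add(f"{service} server")
    return dict(assets)


def reconcile(observed, documented):
    """Return (shadow, unseen): hosts on the wire but absent from the register,
    and register entries the sensor never saw (offline, decommissioned, or on
    a segment with no sensor coverage; each needs a physical walkdown)."""
    shadow = {ip: a for ip, a in observed.items() if ip not in documented}
    unseen = sorted(ip for ip in documented if ip not in observed)
    return shadow, unseen


def report(conn_log_text, documented):
    observed = discover_assets(conn_log_text)
    shadow, unseen = reconcile(observed, documented)
    lines = []
    for ip, a in sorted(shadow.items()):
        roles = ", ".join(sorted(a["roles"])) or "no OT protocol seen"
        tag = " (talks to non-internal addresses)" if a["external"] else ""
        lines.append(f"SHADOW  {ip}: {roles}{tag}")
    for ip in unseen:
        lines.append(f"UNSEEN  {ip}: {documented[ip]} (verify by walkdown)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONN_LOG, DOCUMENTED_ASSETS)))
```

On the sample data the report flags 10.20.1.77 as a shadow Modbus client that also reaches a non-internal address (the classic engineer laptop bridging segments) and lists 10.20.2.21 as documented but never seen. The two lists are the work-list for the walkdown and the vendor consultation; the external flag feeds straight into the Phase 2 internet connectivity check.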

Phase 2: Network Architecture Review

OT network architecture assessment identifies segmentation failures and unintended connectivity:

  • IT/OT boundary review: Verify that the documented IT/OT segmentation is implemented as designed; a gap between the network diagrams and the live configuration is one of the most common findings
  • Internet connectivity check: Identify any OT devices with direct internet connectivity — a critical risk that should not exist in any aviation OT system
  • Remote access audit: Identify all remote access paths into OT networks — VPN accounts, vendor connections, maintenance modems — and verify each is actively managed
  • Wireless assessment: Identify wireless access points on or near OT networks — unauthorised wireless can bridge segmentation boundaries
  • Firewall rule review: Examine firewall rules at IT/OT boundaries — overly permissive rules that allow excessive IT-to-OT traffic undermine segmentation
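The internet connectivity check and the firewall rule review are the same test applied to a rule base: map every address object to a zone, then ask which conduits the allow rules actually open. The script below is an added example, not part of the original article or any vendor product. It assumes the rule base has been exported to a flat list of name, source, destination, service and action, and that the assessor has already mapped subnets to zones in the IEC 62443 zone-and-conduit sense (IT, DMZ, OT, with everything unmapped treated as untrusted). The zone map and rules are constructed sample data.

```python
"""IT/OT boundary firewall rule review against a zone model.

Added example, not the article's own tooling. Zone map and rule base are
constructed sample data; an exported rule base would be normalised to the
same shape before review.
"""
import ipaddress

# Assessor-supplied zone map. Anything not covered by a zone is untrusted
# ("INTERNET"), which is the conservative reading for 0.0.0.0/0 objects.
ZONES = {
    "IT": ["10.1.0.0/16"],
    "DMZ": ["10.9.0.0/24"],
    "OT": ["10.20.0.0/16"],
}

# Constructed sample rule base, top-down, first match wins.
RULES = [
    {"name": "historian-replication", "src": "10.20.1.10/32", "dst": "10.9.0.5/32",
     "service": "tcp/1433", "action": "allow"},
    {"name": "it-to-ot-rdp", "src": "10.1.0.0/16", "dst": "10.20.0.0/16",
     "service": "tcp/3389", "action": "allow"},
    {"name": "legacy-vendor-any", "src": "10.1.5.0/24", "dst": "10.20.1.0/24",
     "service": "any", "action": "allow"},
    {"name": "ot-ntp-out", "src": "10.20.0.0/16", "dst": "0.0.0.0/0",
     "service": "udp/123", "action": "allow"},
    {"name": "dmz-to-ot-opc", "src": "10.9.0.5/32", "dst": "10.20.1.10/32",
     "service": "tcp/4840", "action": "allow"},
    {"name": "default-deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "service": "any", "action": "deny"},
]


def zones_of(cidr):
    """Return the set of zones an address object touches.

    A /16 that overlaps a zone counts as that zone; an object that is not
    wholly inside any defined zone also counts as INTERNET, so 0.0.0.0/0
    resolves to every zone plus INTERNET.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    touched, covered = set(), False
    for zone, subnets in ZONES.items():
        for s in subnets:
            zone_net = ipaddress.ip_network(s)
            if net.overlaps(zone_net):
                touched.add(zone)
            if net.subnet_of(zone_net):
                covered = True
    if not covered:
        touched.add("INTERNET")
    return touched


def review_rules(rules):
    """Return (severity, rule name, reason) for each allow rule that opens a
    conduit the zone model does not permit. Deny rules are skipped."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = zones_of(r["src"]), zones_of(r["dst"])
        # The service does not matter for the conduit check: NTP straight from
        # the OT zone to the internet is still an OT-to-internet path. Fix is a
        # DMZ relay, not a tighter port.
        if ("OT" in src and "INTERNET" in dst) or ("INTERNET" in src and "OT" in dst):
            findings.append(("CRITICAL", r["name"],
                             "OT zone has a direct path to or from untrusted space"))
        elif "IT" in src and "OT" in dst:
            findings.append(("HIGH", r["name"],
                             "direct IT-to-OT conduit bypasses the DMZ"))
        if r["service"] == "any" and src != dst:
            findings.append(("HIGH", r["name"],
                             "any-service allow across a zone boundary"))
    return findings


if __name__ == "__main__":
    for sev, name, why in review_rules(RULES):
        print(f"{sev:8} {name:22} {why}")
```

Two of the sample findings are the ones that argue with operations staff: ot-ntp-out is rated critical even though it only carries NTP, because the conduit exists regardless of the port, and it-to-ot-rdp is flagged although it is tightly scoped, because remote desktop from the corporate network belongs on a jump host in the DMZ, not on a direct IT-to-OT rule.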

Phase 3: Vulnerability and Patch Status Assessment

OT vulnerability assessment requires careful, non-disruptive approaches:

  • Passive vulnerability identification: Use passive traffic analysis to fingerprint OT device types and firmware versions (vendor-specific identification responses, service banners, DHCP and other broadcast traffic where present in normal operation) and map the identified versions to known vulnerabilities, rather than active scanning
  • Vendor patch status review: Query OT vendors for available firmware and software updates for assessed assets — many OT systems have known vulnerabilities with available patches
  • EOL system identification: Identify systems running end-of-life operating systems (Windows XP, Windows 7) or firmware no longer receiving security updates
  • Known vulnerability database check: Cross-reference identified OT devices and software versions against CISA ICS advisories (formerly ICS-CERT) and the CVE/NVD database
  • Compensating control assessment: For systems that cannot be patched, assess whether compensating controls (network isolation, monitoring, access restrictions) adequately reduce risk
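Once Phase 1 has yielded vendor, model and firmware for each device, the patch-status, EOL and compensating-control steps above can be run entirely offline against the inventory. The script below is an added example, not the article's own tooling. It assumes advisories have been loaded into a simple list carrying the version that fixes them, and that the inventory records whether each asset sits on an isolated segment and is monitored; the vendor and product names, advisory identifiers and version numbers are constructed placeholders, not real advisories. The Microsoft end-of-support dates are real.

```python
"""Offline cross-reference of a passive OT inventory against advisories and
end-of-life platforms, with a simple compensating-control adjustment.

Added example, not the article's own tooling. Advisory entries, vendors,
models and versions are constructed placeholders.
"""
import re
from datetime import date

# End of extended support for Windows platforms still common in OT estates.
EOL_OS = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed placeholder advisories. The shape mirrors what an assessor
# builds from CISA ICS advisories and vendor bulletins; the entries are not real.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "vendor": "ExampleVendor", "model": "PLC-100",
     "fixed_in": "2.5.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-002", "vendor": "ExampleVendor", "model": "PLC-100",
     "fixed_in": "3.0.0", "severity": "medium"},
    {"id": "EXAMPLE-ADV-003", "vendor": "OtherVendor", "model": "BAC-7",
     "fixed_in": "1.2.0", "severity": "critical"},
]

# Constructed inventory as it would look after Phase 1 fingerprinting.
INVENTORY = [
    {"ip": "10.20.1.50", "vendor": "ExampleVendor", "model": "PLC-100",
     "firmware": "2.4.1", "os": None, "isolated": True, "monitored": True},
    {"ip": "10.20.1.51", "vendor": "ExampleVendor", "model": "PLC-100",
     "firmware": "2.6.0", "os": None, "isolated": True, "monitored": True},
    {"ip": "10.20.2.20", "vendor": "OtherVendor", "model": "BAC-7",
     "firmware": "1.1.3", "os": None, "isolated": False, "monitored": False},
    {"ip": "10.20.1.10", "vendor": "ExampleVendor", "model": "SCADA-WS",
     "firmware": "9.1", "os": "Windows 7", "isolated": False, "monitored": True},
]

LADDER = ["low", "medium", "high", "critical"]


def parse_version(v):
    """'2.4.1b' -> (2, 4, 1); '2.6' -> (2, 6, 0) so that 2.6 == 2.6.0.
    Vendor schemes vary; confirm the ordering with the vendor before relying on it."""
    parts = tuple(int(x) for x in re.findall(r"\d+", v))
    return parts + (0,) * (3 - len(parts))


def matching_advisories(asset, advisories):
    """Advisories for this vendor/model whose fix version is newer than the
    firmware observed on the wire."""
    fw = parse_version(asset["firmware"])
    return [a for a in advisories
            if a["vendor"] == asset["vendor"] and a["model"] == asset["model"]
            and fw < parse_version(a["fixed_in"])]


def eol_status(asset, today):
    eol = EOL_OS.get(asset.get("os") or "")
    if eol and today >= eol:
        return f"{asset['os']} out of support since {eol.isoformat()}"
    return None


def residual_risk(asset, inherent):
    """Downgrade one step when the asset is both isolated and monitored.
    Compensating controls reduce, never remove, the finding."""
    i = LADDER.index(inherent)
    if asset["isolated"] and asset["monitored"] and i > 0:
        i -= 1
    return LADDER[i]


def assess(inventory, advisories, today):
    findings = []
    for asset in inventory:
        for adv in matching_advisories(asset, advisories):
            findings.append({"ip": asset["ip"], "ref": adv["id"],
                             "inherent": adv["severity"],
                             "residual": residual_risk(asset, adv["severity"])})
        eol = eol_status(asset, today)
        if eol:
            findings.append({"ip": asset["ip"], "ref": eol, "inherent": "high",
                             "residual": residual_risk(asset, "high")})
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, date.today()):
        print(f"{f['ip']:12} {f['inherent']:8} -> {f['residual']:8} {f['ref']}")
```

The version comparison is the part that bites in practice: firmware strings like "V2.4.1b" or "2.6" must be normalised before they can be ordered against a fix version, and the one-step downgrade for isolated, monitored assets is deliberately blunt so that a critical advisory on an unpatched controller never disappears from the report because a firewall sits in front of it.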

Phase 4: Access Control and Vendor Management Review

Access control to OT systems is a primary risk area in aviation:

  • Privileged account audit: Identify all accounts with administrative access to OT systems — including vendor accounts, default accounts, and service accounts
  • Default credential check: Identify any OT systems using default manufacturer credentials — an immediate remediation priority
  • Vendor account review: Review all active vendor remote access accounts — verify each is still required, has appropriate access scope, and is MFA-protected
  • Session recording review: Verify that all privileged and vendor OT sessions are recorded and that recordings are accessible for review
  • Access review process: Assess whether a formal access review process exists for OT systems, and when it was last performed

Frequently Asked Questions

How long does an aviation OT/ICS security assessment take?

An OT/ICS security assessment for a medium-sized airport typically takes 2–4 weeks, including passive asset discovery, network architecture review, documentation review, and reporting. Larger, more complex environments (multiple terminals, significant OT estate) may take 6–8 weeks. Smaller operators (regional airports, single-facility MROs) can typically be assessed in 1–2 weeks. Assessment scope should be defined in advance to set realistic timelines — the passive discovery phase is typically the longest element.

Can standard IT security assessment firms conduct aviation OT assessments?

Not effectively. Aviation OT security assessment requires expertise in industrial control systems, understanding of aviation operational constraints, and familiarity with OT-specific assessment methodologies. Standard IT penetration testing firms using active scanning tools risk disrupting aviation OT systems that are not designed to handle such traffic. Look for assessment providers with specific ICS/OT security experience, familiarity with IEC 62443, and ideally prior aviation sector experience. The NCSC maintains a list of assured cyber security consultancy providers.

What should an aviation OT assessment report include?

A comprehensive aviation OT security assessment report should include: an executive summary suitable for the Accountable Manager and board; a complete asset inventory of discovered OT devices; identified vulnerabilities and their risk ratings; network architecture findings including segmentation gaps; vendor access and account management findings; prioritised remediation recommendations with effort and impact ratings; and a compliance mapping to EASA Part-IS, CAA CAP 1753, and IEC 62443 requirements. The report should distinguish between findings that require immediate action and those addressable in a planned programme.
