
OT and ICS Security Checklist for Energy Operators

When the SANS and Dragos teams analysed the 2016 Industroyer attack on the Ukrainian grid, the lesson was not that the malware was unstoppable, but that the basics were missing: flat networks, unmanaged remote access and no monitoring of control traffic. Most OT compromises exploit gaps that a disciplined checklist would have closed. This guide turns the fundamentals of OT and ICS defence into a sequence energy operators can actually work through, from asset inventory to incident response.

Dragos consistently reports that the majority of OT environments it assesses have limited or no visibility into their own control-network traffic.

Step 1: Build a Complete Asset Inventory

You cannot defend or segment what you have not catalogued, so the checklist begins with a full inventory of every OT and ICS asset. Use passive discovery first to avoid disturbing fragile devices, then reconcile against engineering records. Capture firmware versions and end-of-life status, because that data drives almost every later decision about patching and risk.

  • Passively discover every PLC, RTU, HMI and SCADA server
  • Record make, model, firmware version and support status
  • Map each asset to its Purdue level and physical location
  • Flag legacy and end-of-life devices for compensating controls
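The reconciliation step above, as an added example that is not code from the guide or from any vendor product: a passive-discovery sweep is merged with the engineering register, so that undocumented devices, devices that never appeared on the wire, and devices on unsupported firmware each land on their own worklist, and the verified assets are counted per site and Purdue level for the segmentation design. Every IP address, device row and the supported-firmware table are constructed sample data.

```python
"""Reconcile a passive-discovery sweep against the engineering register.

Added example, not code from the guide or from any vendor product. All device
rows, IP addresses and the supported-firmware table are constructed sample
data; the table stands in for what you would populate from vendor lifecycle
notices.
"""
from collections import Counter

# Constructed: what a passive sensor observed on the control network.
PASSIVE_DISCOVERY = [
    {"ip": "10.10.1.11", "vendor": "Rockwell", "model": "1756-L71", "firmware": "20.011"},
    {"ip": "10.10.1.12", "vendor": "Rockwell", "model": "1756-L71", "firmware": "30.014"},
    {"ip": "10.10.2.20", "vendor": "Schneider", "model": "M340", "firmware": "2.70"},
    {"ip": "10.10.3.5", "vendor": "Unknown", "model": "?", "firmware": "?"},
]

# Constructed: the engineering register, i.e. what is supposed to be there.
ENGINEERING_RECORDS = [
    {"tag": "PLC-SUB1-01", "ip": "10.10.1.11", "purdue_level": 1, "site": "Substation 1"},
    {"tag": "PLC-SUB1-02", "ip": "10.10.1.12", "purdue_level": 1, "site": "Substation 1"},
    {"tag": "PLC-SUB2-01", "ip": "10.10.2.20", "purdue_level": 1, "site": "Substation 2"},
    {"tag": "HMI-SUB2-01", "ip": "10.10.2.30", "purdue_level": 2, "site": "Substation 2"},
]

# Assumed lookup: (vendor, model) -> firmware releases the vendor still supports.
SUPPORTED_FIRMWARE = {
    ("Rockwell", "1756-L71"): {"30.014", "31.011"},
    ("Schneider", "M340"): {"3.20", "3.30"},
}


def support_status(device, supported):
    """Classify a discovered device's firmware against the support table."""
    key = (device["vendor"], device["model"])
    if key not in supported:
        return "unidentified"  # cannot be assessed until fingerprinted
    return "supported" if device["firmware"] in supported[key] else "unsupported"


def reconcile(passive, records, supported):
    """Merge discovery with the register and report every discrepancy.

    Returns the merged asset rows plus three worklists: devices on the wire
    that nobody registered, registered devices that were never seen, and
    registered devices on unsupported firmware (compensating controls needed).
    """
    by_ip = {r["ip"]: r for r in records}
    seen = set()
    assets, unregistered, unsupported = [], [], []
    for dev in passive:
        seen.add(dev["ip"])
        rec = by_ip.get(dev["ip"])
        if rec is None:
            unregistered.append(dev["ip"])  # rogue or undocumented device
            continue
        status = support_status(dev, supported)
        assets.append({**rec, **dev, "support_status": status})
        if status == "unsupported":
            unsupported.append(rec["tag"])
    # Registered but never observed: offline, silent, or the record is wrong.
    missing = [r["tag"] for r in records if r["ip"] not in seen]
    return {
        "assets": assets,
        "unregistered": unregistered,
        "missing": missing,
        "needs_compensating_controls": unsupported,
    }


def summarise_by_zone(assets):
    """Count verified assets per (site, Purdue level) for the segmentation design."""
    return dict(Counter((a["site"], a["purdue_level"]) for a in assets))


if __name__ == "__main__":
    result = reconcile(PASSIVE_DISCOVERY, ENGINEERING_RECORDS, SUPPORTED_FIRMWARE)
    for key in ("unregistered", "missing", "needs_compensating_controls"):
        print(f"{key}: {result[key]}")
    print("per zone:", summarise_by_zone(result["assets"]))
```

Each of the three worklists is a different follow-up: an unregistered device is investigated before anything else, a missing device is checked physically or has its record corrected, and an unsupported device goes straight into the compensating-controls column of the patch plan.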

Step 2: Segment OT From IT

Segmentation is the single highest-value control, so it comes early. Establish an industrial DMZ so no enterprise system talks directly to a control device, then enforce default-deny rules between Purdue zones and micro-segment between sites. The goal is that an IT compromise stays in IT and a single breached site cannot spread laterally across the estate.

  • Stand up an industrial DMZ between OT and corporate IT
  • Apply default-deny firewall rules between Purdue zones
  • Micro-segment between substations, sites or generation units
  • Use data diodes where only outbound monitoring data is needed

Step 3: Lock Down Remote Access

Remote access is the most common foothold, so every path in must be controlled. Remove direct internet exposure of control systems, route engineers and vendors through MFA-protected, session-recorded jump hosts, and grant access on a time-bound, least-privilege basis. Vendor maintenance windows should be opened deliberately and closed again, never left standing.

  • Eliminate any direct internet exposure of OT devices
  • Force all remote access through MFA jump hosts with session recording
  • Grant time-bound, least-privilege access to engineers and vendors
  • Audit and close standing vendor connections
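The Step 2 segmentation rules and the Step 3 remote-access rules can be checked mechanically against an inter-zone policy. The linter below is an added example, not code from the guide and not a Sophos or any other vendor policy format: zone names, Purdue levels and every rule are constructed, and the checks encode the checklist items (default-deny between zones, no enterprise path that bypasses the DMZ, no direct internet exposure, no cross-site control path, no vendor rule without an expiry). A weak policy is shown beside its hardened equivalent.

```python
"""Lint an inter-zone firewall policy for the Step 2 and Step 3 controls.

Added example, not code from the guide and not a Sophos or any vendor policy
format. Zone names, Purdue levels and every rule below are constructed.
"""

# Assumed zone model: name -> Purdue level (3.5 is the industrial DMZ).
ZONE_LEVEL = {
    "internet": 5,
    "enterprise": 4,
    "dmz_jumphost": 3.5,
    "dmz_historian": 3.5,
    "sub1_ops": 3, "sub1_control": 1,
    "sub2_ops": 3, "sub2_control": 1,
}
JUMP_HOST_ZONE = "dmz_jumphost"  # the only place internet-sourced access may land


def site_of(zone):
    """Site prefix for site-level zones (level 3 and below); None for shared zones."""
    return zone.split("_")[0] if ZONE_LEVEL[zone] <= 3 else None


def lint_policy(policy):
    """Return (rule_id, code, message) findings; an empty list means the policy passes."""
    findings = []
    if policy["default"] != "deny":
        findings.append((None, "DEFAULT_ALLOW", "inter-zone default action must be deny"))
    for r in policy["rules"]:
        if r["action"] != "allow":
            continue
        src_lvl, dst_lvl = ZONE_LEVEL[r["src"]], ZONE_LEVEL[r["dst"]]
        if r["src"] == "internet" and r["dst"] != JUMP_HOST_ZONE:
            findings.append((r["id"], "INTERNET_EXPOSURE",
                             f"internet reaches {r['dst']} without the MFA jump host"))
        elif src_lvl >= 4 and dst_lvl <= 3:
            findings.append((r["id"], "DMZ_BYPASS",
                             f"{r['src']} talks to {r['dst']} directly; route via the DMZ"))
        src_site, dst_site = site_of(r["src"]), site_of(r["dst"])
        if src_site and dst_site and src_site != dst_site:
            findings.append((r["id"], "CROSS_SITE",
                             f"{r['src']} -> {r['dst']} allows lateral movement between sites"))
        if r.get("owner") == "vendor" and not r.get("expires"):
            findings.append((r["id"], "STANDING_VENDOR_ACCESS",
                             "vendor rule has no expiry; open and close it per maintenance window"))
    return findings


# Constructed weak policy: the kind of rule base that grows from years of exceptions.
WEAK_POLICY = {
    "default": "allow",
    "rules": [
        {"id": 1, "src": "enterprise", "dst": "dmz_historian", "service": "https", "action": "allow"},
        {"id": 2, "src": "enterprise", "dst": "sub1_control", "service": "modbus", "action": "allow"},
        {"id": 3, "src": "internet", "dst": "dmz_jumphost", "service": "vpn", "action": "allow"},
        {"id": 4, "src": "internet", "dst": "sub2_ops", "service": "rdp", "action": "allow"},
        {"id": 5, "src": "dmz_jumphost", "dst": "sub1_ops", "service": "ssh", "action": "allow"},
        {"id": 6, "src": "sub1_control", "dst": "sub2_control", "service": "any", "action": "allow"},
        {"id": 7, "src": "sub1_ops", "dst": "sub1_control", "service": "modbus", "action": "allow"},
        {"id": 8, "src": "dmz_jumphost", "dst": "sub2_ops", "service": "ssh", "action": "allow",
         "owner": "vendor", "expires": None},
    ],
}

# Constructed hardened policy: same business needs, checklist-compliant.
HARDENED_POLICY = {
    "default": "deny",
    "rules": [
        {"id": 1, "src": "enterprise", "dst": "dmz_historian", "service": "https", "action": "allow"},
        {"id": 3, "src": "internet", "dst": "dmz_jumphost", "service": "vpn", "action": "allow"},
        {"id": 5, "src": "dmz_jumphost", "dst": "sub1_ops", "service": "ssh", "action": "allow"},
        {"id": 7, "src": "sub1_ops", "dst": "sub1_control", "service": "modbus", "action": "allow"},
        {"id": 8, "src": "dmz_jumphost", "dst": "sub2_ops", "service": "ssh", "action": "allow",
         "owner": "vendor", "expires": "2025-03-01T18:00:00Z"},  # constructed window end
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```

Run against an exported rule base on a schedule, a check like this catches the drift the checklist warns about: the one-off vendor exception that was never closed, and the "temporary" enterprise-to-PLC rule that quietly became permanent.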

Step 4: Manage Patching and Vulnerabilities

OT cannot follow IT patch cadences, so the checklist treats vulnerability management as a risk-prioritised exercise. Subscribe to vendor and ICS-CERT advisories, prioritise patches by exploitability and exposure, and apply them in planned maintenance windows after testing. Where a device cannot be patched, document a compensating control such as tighter segmentation or virtual patching at the firewall.

  • Track ICS-CERT and vendor advisories for your asset base
  • Prioritise by exploitability and network exposure, not just CVSS
  • Test and apply patches in planned maintenance windows
  • Use virtual patching and segmentation where devices cannot be updated
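To show what "prioritise by exploitability and exposure, not just CVSS" does to a real work queue, here is an added example, not code from the guide or from any advisory feed. The inventory slice, the advisory records (the ids are placeholders, not real identifiers) and the scoring weights are constructed assumptions; what matters is the ordering: a 9.8 on an isolated, unpatchable device ranks below a 7.5 with known exploitation on a device reachable from the enterprise network, and the unpatchable one is routed to compensating controls instead of a patch window.

```python
"""Rank advisories against the asset base by exploitability and exposure.

Added example, not code from the guide or any advisory feed. The inventory,
the advisory records (ids are placeholders, not real identifiers) and the
scoring weights are constructed assumptions.
"""

# Constructed inventory slice: model, running firmware, whether a patch can be
# applied at all, and how reachable the device is.
INVENTORY = [
    {"tag": "PLC-SUB1-01", "model": "1756-L71", "firmware": "20.011", "patchable": True,
     "exposure": "reachable_from_enterprise"},
    {"tag": "PLC-SUB2-01", "model": "M340", "firmware": "2.70", "patchable": False,
     "exposure": "isolated"},
    {"tag": "RTU-SUB3-01", "model": "RTU-X", "firmware": "1.0", "patchable": True,
     "exposure": "internet_exposed"},
]

# Constructed advisories; "known_exploited" is what a KEV-style feed would tell you.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "model": "1756-L71", "fixed_in": "30.014", "cvss": 7.5, "known_exploited": True},
    {"id": "ADV-EXAMPLE-2", "model": "M340", "fixed_in": "3.20", "cvss": 9.8, "known_exploited": False},
    {"id": "ADV-EXAMPLE-3", "model": "RTU-X", "fixed_in": "1.1", "cvss": 6.5, "known_exploited": False},
]

# Assumed weights: exposure and evidence of exploitation dominate the raw score.
EXPOSURE_WEIGHT = {"internet_exposed": 3, "reachable_from_enterprise": 2, "isolated": 1}
EXPLOITED_WEIGHT = {True: 3, False: 1}


def version_tuple(v):
    """'30.014' -> (30, 14) so firmware strings compare numerically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset, advisory):
    """An asset is affected when the model matches and it runs firmware below the fix."""
    return (asset["model"] == advisory["model"]
            and version_tuple(asset["firmware"]) < version_tuple(advisory["fixed_in"]))


def tier(score):
    return "P1" if score >= 30 else "P2" if score >= 15 else "P3"


def prioritise(inventory, advisories):
    """Match advisories to affected assets and order the work by risk, not CVSS."""
    work = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            score = adv["cvss"] * EXPOSURE_WEIGHT[asset["exposure"]] * EXPLOITED_WEIGHT[adv["known_exploited"]]
            action = ("patch in next planned maintenance window" if asset["patchable"]
                      else "compensating control: tighten segmentation / virtual patch at firewall")
            work.append({"tag": asset["tag"], "advisory": adv["id"], "cvss": adv["cvss"],
                         "score": round(score, 1), "tier": tier(score), "action": action})
    return sorted(work, key=lambda w: w["score"], reverse=True)


if __name__ == "__main__":
    for item in prioritise(INVENTORY, ADVISORIES):
        print(f"{item['tier']} {item['tag']:12} {item['advisory']} cvss={item['cvss']} "
              f"score={item['score']} -> {item['action']}")
```

The exposure value is the link back to Step 1 and Step 2: it should come from the reconciled inventory and the segmentation design rather than be entered by hand, so that tightening a zone boundary automatically lowers the priority of everything behind it.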

Step 5: Monitor and Prepare to Respond

Detection closes the loop. Deploy monitoring that understands industrial protocols so anomalous commands and unexpected connections are visible, and feed that telemetry to a team that can act on it around the clock. Pair monitoring with an OT-specific incident-response plan that has been rehearsed, because a generic IT runbook will not tell an operator how to recover a control system safely.

  • Deploy protocol-aware OT monitoring for anomalous commands
  • Route telemetry to a 24/7 detection and response capability
  • Maintain an OT-specific, rehearsed incident-response plan
  • Keep offline, tested backups of control configurations and logic
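What "protocol-aware monitoring for anomalous commands" looks like in practice, as an added example that is not code from the guide or from any monitoring product: a baseline of expected conversations and permitted writers for one PLC is applied to a constructed Modbus/TCP conversation log, flagging unknown talkers, writes from hosts that should never write, and engineering writes that happen outside a declared maintenance window. The log format (key=value fields per line), the baseline and the window are all constructed assumptions; a real deployment would derive the baseline from the asset inventory and a learning period on the live network.

```python
"""Protocol-aware detection over a constructed Modbus/TCP conversation log.

Added example, not code from the guide or from any monitoring product. The
log format, the baseline and the maintenance window are constructed.
"""
import re
from datetime import datetime, timezone

# Modbus function codes that change process state (write coils/registers).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed baseline for one PLC: who may talk to it, and who may write.
BASELINE = {
    "conversations": {("10.10.2.30", "10.10.2.20"),   # HMI -> PLC
                      ("10.10.2.40", "10.10.2.20")},  # engineering workstation -> PLC
    "operational_writers": {"10.10.2.30"},  # HMI setpoint writes are normal at any time
    "engineering_writers": {"10.10.2.40"},  # EWS writes only inside an open maintenance window
}
MAINTENANCE_WINDOWS = [("2024-05-02T02:00:00Z", "2024-05-02T04:00:00Z")]  # constructed

# Constructed sensor output: lines 3-4 are an unknown host, line 6 an out-of-window write.
LOG = """\
2024-05-02T03:14:07Z src=10.10.2.30 dst=10.10.2.20 proto=modbus unit=1 fc=3 addr=100 count=10
2024-05-02T03:14:09Z src=10.10.2.30 dst=10.10.2.20 proto=modbus unit=1 fc=16 addr=200 count=2
2024-05-02T03:15:41Z src=10.10.9.77 dst=10.10.2.20 proto=modbus unit=1 fc=3 addr=0 count=125
2024-05-02T03:15:42Z src=10.10.9.77 dst=10.10.2.20 proto=modbus unit=1 fc=5 addr=17 count=1
2024-05-02T03:30:00Z src=10.10.2.40 dst=10.10.2.20 proto=modbus unit=1 fc=16 addr=300 count=4
2024-05-02T11:02:10Z src=10.10.2.40 dst=10.10.2.20 proto=modbus unit=1 fc=6 addr=201 count=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """One log line -> event dict with typed fields."""
    ts, rest = line.split(" ", 1)
    f = dict(KV.findall(rest))
    return {"ts": parse_ts(ts), "src": f["src"], "dst": f["dst"], "proto": f["proto"],
            "fc": int(f["fc"]), "addr": int(f["addr"]), "count": int(f["count"])}


def in_window(ts, windows):
    return any(parse_ts(start) <= ts <= parse_ts(end) for start, end in windows)


def detect(log, baseline, windows):
    """Run the baseline checks over every line; return one finding per violated rule."""
    findings = []
    for n, line in enumerate(log.splitlines(), start=1):
        ev = parse_line(line)
        if (ev["src"], ev["dst"]) not in baseline["conversations"]:
            findings.append({"line": n, "rule": "UNKNOWN_CONVERSATION",
                             "detail": f"{ev['src']} -> {ev['dst']} not in baseline"})
        if ev["proto"] == "modbus" and ev["fc"] in WRITE_FUNCTION_CODES:
            if ev["src"] in baseline["operational_writers"]:
                continue  # expected operational write
            if ev["src"] in baseline["engineering_writers"]:
                if not in_window(ev["ts"], windows):
                    findings.append({"line": n, "rule": "WRITE_OUTSIDE_WINDOW",
                                     "detail": f"fc={ev['fc']} addr={ev['addr']} with no open window"})
            else:
                findings.append({"line": n, "rule": "UNAUTHORISED_WRITE",
                                 "detail": f"fc={ev['fc']} addr={ev['addr']} from {ev['src']}"})
    return findings


if __name__ == "__main__":
    for f in detect(LOG, BASELINE, MAINTENANCE_WINDOWS):
        print(f"line {f['line']}: {f['rule']} ({f['detail']})")
```

Each finding carries the function code and register address, which is what the OT-specific response plan needs: an operator can tell at a glance whether the affected register is a setpoint, an interlock or a diagnostic value, and decide how to verify the process state before anything is restored from the offline configuration backups.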

How Kyanite Blue and Sophos Deliver the Checklist

Kyanite Blue works through this checklist with energy operators as a programme, not a one-off audit. We run passive discovery, design and deploy Purdue-aligned segmentation on Sophos firewalls, harden remote access with MFA jump hosts, and run managed monitoring that watches OT traffic for anomalies. Sophos deep-learning detection and our 24/7 response team turn the final two steps from intentions into an operating capability, with the evidence trail your competent authority expects.

Frequently Asked Questions

What is the most important item on an OT security checklist?

Asset inventory and segmentation rank highest, because they enable everything else. You cannot protect, patch or monitor assets you have not catalogued, and segmentation is the control that turns an IT incident into a contained event rather than a grid-wide one.

How do you patch OT systems that cannot be taken offline?

Prioritise patches by real-world exploitability and exposure, apply them in planned maintenance windows after testing, and where a device cannot be updated, deploy compensating controls such as tighter segmentation or virtual patching at the firewall.

Why do energy operators need OT-specific incident response?

A generic IT runbook does not account for safe shutdown, restoration of control logic or the safety implications of an OT outage. An OT-specific, rehearsed plan ensures responders know how to contain an incident without endangering operations or supply.
