
Recurring OT Security Gaps: Unauthorized Devices & Insecure PLCs

Written by Debojyoti Goswami | Nov 27, 2025 6:54:01 AM

Observation Summary

Across the multiple client environments we monitor, the same recommendations kept recurring, which points to a consistent pattern of security configuration weaknesses within Operational Technology (OT) networks.

These issues primarily relate to unauthorized devices connected to industrial networks and Programmable Logic Controllers (PLCs) operating in insecure modes. Such misconfigurations increase the risk of unauthorized access, malicious code modification, and potential disruption of industrial processes.

What’s Causing These Recurring OT Security Issues?

Unauthorized Devices Detected in OT Networks

During MDIoT assessments, several environments showed the presence of unauthorized or unmanaged devices connected to the network. These devices were not part of the established asset inventory or network baseline.

Unidentified endpoints pose a serious risk as they could be rogue devices, compromised assets, or unauthorized connections introduced by users or third-party vendors. Such devices may act as entry points for attackers, allowing them to infiltrate the network, move laterally, or exfiltrate sensitive data without detection.

Remediation: How to Fix This

  • Verify whether each newly discovered device is known and documented within the network asset inventory.
  • If the device is legitimate, update the OT Device Inventory and mark it as Authorized.
  • If the device is unknown, consult the Control Systems Engineer or relevant asset owner to determine its origin and purpose.
  • If the device remains unidentified after verification, disconnect it immediately to prevent potential compromise.

Implementing continuous asset discovery and network segmentation will further help detect and isolate unauthorized connections in real time.

PLCs Operating in Insecure Modes

Several environments were also found with PLCs operating in insecure states, such as Program or Remote, rather than in the recommended Run mode.

When a PLC is left in an insecure mode, it allows unrestricted access to device logic, enabling an attacker or unauthorized user to modify process parameters or upload malicious code. This could result in process interruptions, equipment malfunction, or even physical safety hazards.

Remediation: How to Fix This

  • Check each PLC to determine whether it must remain in an insecure state (e.g., during active maintenance or programming).
  • If the PLC has a physical key switch, ensure it is turned to the Run position after configuration activities are complete.
  • For PLCs without a physical key switch, use the Engineering Station software to set the operating mode to Run.
  • Ensure all PLCs remain locked in Run mode when engineering or configuration access is no longer required.
  • Regularly review PLC access logs and enforce strict user permissions to minimize unauthorized programming attempts.

Proper PLC hardening not only reduces the risk of malicious modifications but also strengthens operational reliability and safety.
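The two remediation checklists above (reconciling discovered devices against the asset inventory, and confirming PLCs are back in Run mode once engineering work is over) can be run as one reconciliation pass over a discovery snapshot. The following is an added example, not MDIoT code or output; the inventory, discovery records and the `in_maintenance` window list are constructed sample data.

```python
"""Reconcile an OT discovery snapshot against the authorized inventory and
flag the two recurring gaps described above: devices outside the baseline
and PLCs not in Run mode while no maintenance window is open.

Added example, not MDIoT code; all records below are constructed."""

# Constructed baseline: the OT Device Inventory, keyed by MAC address.
BASELINE = {
    "00:1d:9c:aa:00:01": {"name": "PLC-Line1", "type": "PLC", "authorized": True},
    "00:1d:9c:aa:00:02": {"name": "PLC-Line2", "type": "PLC", "authorized": True},
    "00:0c:29:bb:00:10": {"name": "HMI-01", "type": "HMI", "authorized": True},
}

# Constructed discovery snapshot, shaped like a passive OT monitor's output.
DISCOVERED = [
    {"mac": "00:1d:9c:aa:00:01", "ip": "10.10.1.11", "type": "PLC", "mode": "Run"},
    {"mac": "00:1d:9c:aa:00:02", "ip": "10.10.1.12", "type": "PLC", "mode": "Program"},
    {"mac": "00:0c:29:bb:00:10", "ip": "10.10.1.50", "type": "HMI"},
    {"mac": "3c:52:82:cc:00:99", "ip": "10.10.1.77", "type": "Unknown"},
]

SECURE_MODES = {"Run"}  # Program and Remote are treated as insecure


def reconcile(baseline, discovered, in_maintenance=frozenset()):
    """Return (asset, finding, action) tuples for every gap in the snapshot.

    in_maintenance: MACs of PLCs with an approved, open engineering window;
    those may sit in Program/Remote without raising a finding.
    """
    findings = []
    for dev in discovered:
        entry = baseline.get(dev["mac"])
        if entry is None or not entry.get("authorized"):
            findings.append((dev["mac"], "unauthorized_device",
                             "verify with asset owner; disconnect if unidentified"))
            continue  # mode data from an unknown device is not trusted
        if dev.get("type") == "PLC":
            mode = dev.get("mode", "Unknown")
            if mode not in SECURE_MODES and dev["mac"] not in in_maintenance:
                findings.append((entry["name"], f"plc_mode_{mode.lower()}",
                                 "return to Run via key switch or engineering station"))
    return findings


if __name__ == "__main__":
    for asset, finding, action in reconcile(BASELINE, DISCOVERED):
        print(f"{asset:<20} {finding:<22} {action}")
```

Feeding the snapshot back in after the owner has approved a maintenance window for PLC-Line2 (its MAC in `in_maintenance`) leaves only the unauthorized-device finding, which is the state the change-control workflow should expect.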

Risk: Why These OT Gaps Matter

These recurring weaknesses reflect systemic OT security gaps that attackers can exploit to gain control over critical industrial systems. Unauthorized or unmanaged devices expand the network attack surface, while insecure PLC configurations allow potential manipulation of operational processes.

If exploited, these vulnerabilities could lead to production downtime, process disruption, data exfiltration, and even physical damage to industrial assets. Furthermore, they may result in regulatory non-compliance and erode stakeholder trust.

The repeated occurrence of these findings underscores the need for consistent asset management, configuration control, and access governance within OT networks.

Recommendations / What to Do

  • Authorize and inventory devices: Maintain a verified, up-to-date inventory of all network-connected assets. Immediately isolate or remove any unidentified devices until verified.
  • Harden PLC configurations: Keep all PLCs in Run mode when not under active engineering or maintenance. Restrict programming access to authorized personnel only.
  • Implement continuous OT monitoring: Use MDIoT alerts and network visibility tools to detect unauthorized devices, configuration changes, and new asset connections in real time.
  • Enforce operational discipline: Establish clear change control and approval workflows for any device addition, removal, or PLC reconfiguration within the OT network.
  • Review periodically: Conduct routine OT security audits to ensure compliance with baseline configurations and detect deviations early.