Companies in critical infrastructure industries – such as oil and gas, utilities, healthcare, and manufacturing – have rapidly taken advantage of innovative digital transformations to improve the productivity, efficiency, and competitiveness of their operational technology (OT) environments. As part of this digitalization, companies have interconnected their industrial control systems (ICS) from multiple geographies through the use of the internet.
However, as important as this internet connectivity is, it has also exposed critical infrastructure companies to an evolving risk that malicious threat actors are capitalizing on. These actors are discovering vulnerabilities on OT networks, such as insecure protocols in internet-connected ICS devices or other OT assets that have limited or no internal cybersecurity features. Without proper cybersecurity measures, these unprotected, exposed devices provide potential gateways for threat actors to infiltrate and compromise a company’s network and beyond.
Bringing awareness to the hidden threat of exposed devices
Recent research suggests there are nearly 150,000 exposed ICS systems or devices across the globe, leading to an increasing volume of cyberattacks on OT environments. Threats to ICS are so prevalent today that in early May of 2025, several U.S. agencies issued a joint alert through the Cybersecurity & Infrastructure Security Agency (CISA) regarding cyber incidents affecting the OT and ICS of critical infrastructure entities.
The CISA alert included mitigation recommendations, one of which was to remove OT connections to the internet. The recommendation stated: “OT devices lack authentication and authorization methods that are resistant to modern threats and are quickly found by searching for open ports on public IP ranges with search engine tools to target victims with OT components.”
Extending cybersecurity to unprotected deployed technologies
Schneider Electric strives to ensure that our products are resilient against potential threats throughout their lifecycle. This includes the usage of processes such as Secure by Design and Secure by Operations as described in our Securing critical infrastructure: Building upon Secure by Design to Secure by Operations paper. We incorporate the concept of Secure by Design at the product development stage, following secure deployment guidelines and configurations when integrating the technology into end-user operating environments. We then promote Secure by Operations for the ongoing infrastructure operations, maintenance, and oversight of deployed technologies throughout their lifecycles.
Despite the mature product security practices we embody, cyber incidents on critical infrastructures always remain a significant concern for us. That’s why, as part of our Secure by Operations, we developed a strategic initiative called the Installed Base Security Program that focuses on Schneider Electric-branded internet-exposed devices.
Implementing a step-by-step process for reducing internet-exposed risks
Schneider Electric’s program is unique in the industry and relies on defined responsibility and collaboration between our company, asset owners, and authorities as we help our customers maintain secure operational environments.
Through this collaboration, the program aims to detect and mitigate the risk associated with internet-exposed devices that may be part of our building management systems, programmable logic controllers, automation systems, power monitoring systems, and other offerings.
To achieve this goal, the program includes these three key steps:
- Exposure detection and identification: We collect exposed OT device information through our OT Threat Intelligence capability, which gathers exposure data from various third parties. We identify, enrich, and contextualize the data, which helps us to evaluate the risk and prioritize the highest-risk exposures. The exposures are then remediated through our exposure case management process as described in the next two steps.
- Direct risk mitigation: We take a direct approach when we can identify asset owners on the exposed OT devices we have found. We collaborate with our customers to manage the cybersecurity risks linked to these exposures by locating and removing the direct exposure of these devices to the internet before they can be exploited.
- Indirect risk mitigation: When we are unable to identify exposed OT asset owners, we take an indirect approach. We engage with national authorities for exposures that are attributed to telecommunications and internet service providers to identify and locate the asset owners.
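The three steps above can be sketched as triage logic over an exposure feed. This is an added illustration, not Schneider Electric's own tooling: the record fields, the port-to-protocol map and the scoring weights are assumptions, and the sample feed is constructed.

```python
import ipaddress

# Assumed port-to-protocol map for common OT services (not from the page).
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3",
            44818: "EtherNet/IP", 47808: "BACnet/IP"}
# Protocols assumed here to carry control commands with no built-in authentication.
UNAUTHENTICATED_CONTROL = {"Modbus/TCP", "DNP3", "S7comm"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internet_facing(ip):
    """True when the address is outside the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(records):
    """Enrich, score and route exposure records; highest risk first."""
    cases = []
    for rec in records:
        protocol = OT_PORTS.get(rec["port"])
        if protocol is None or not is_internet_facing(rec["ip"]):
            continue  # not an OT service, or not reachable from the internet
        score = 1                              # any internet-facing OT service
        if protocol in UNAUTHENTICATED_CONTROL:
            score += 2                         # control protocol without an auth layer
        if not rec.get("auth_required", False):
            score += 2                         # no authentication reported (or unknown)
        # Step 2 vs. step 3: known owner -> direct contact, else via authorities.
        route = "direct" if rec.get("owner") else "indirect"
        cases.append({"ip": rec["ip"], "protocol": protocol,
                      "score": score, "route": route})
    return sorted(cases, key=lambda c: (-c["score"], c["ip"]))

# Constructed sample feed; documentation-range IPs stand in for public addresses.
SAMPLE_FEED = [
    {"ip": "203.0.113.10", "port": 502, "auth_required": False, "owner": "Plant A"},
    {"ip": "198.51.100.7", "port": 47808, "auth_required": True, "owner": None},
    {"ip": "192.0.2.44", "port": 20000, "auth_required": False, "owner": None},
    {"ip": "10.1.2.3", "port": 502, "auth_required": False, "owner": "Plant A"},
    {"ip": "203.0.113.99", "port": 443, "auth_required": True, "owner": "Plant B"},
]

if __name__ == "__main__":
    for case in triage(SAMPLE_FEED):
        print(case)
```

The internal-only Modbus device and the HTTPS service drop out of the queue, and the remaining cases are ordered so that unauthenticated control protocols are handled first.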
Ongoing efforts to continue to reduce exposed devices and future risks
In addition to the Installed Base program, Schneider Electric continually encourages our customers to ensure their connected environments are secure and that they avoid connecting unsecured devices directly to the internet. We recommend that they implement the following practices so they can scale their efforts and promote secure operations in their infrastructures:
- Establish appropriate procedures to ensure cybersecurity controls are in place throughout a system’s lifecycle.
- Comply with cybersecurity regulations, policies, export control, and other rules.
- Provide training and certification on system secure guidelines for proper commissioning and operation.
- Ensure system integrators and operators are qualified and follow security instructions from manufacturers.
- Perform routine patching and implement access management, data classification, and network segmentation controls.
- Continuously monitor and maintain a secure environment through network monitoring and OT threat detection capabilities.
Strengthening operational security today – and in the future
By addressing vulnerabilities and embedding cybersecurity throughout the lifecycle of our offers, Schneider Electric aims to create resilient and secure environments.
As we collaborate with our customers, national authorities, and other entities to reduce high-risk internet-exposed devices, we are taking significant steps to build a safer, more secure future for industrial and operational sites worldwide.
Learn more about our security by operations and other security:
- Read our newly released Secure by Operations positioning paper: Securing critical infrastructure: Building upon Secure by Design to Secure by Operations
- Listen to this ITI Tech podcast on secure by operations: Exploring Secure-by-Operations with Schneider Electric’s Trevor Rudolph
- View this webinar: Webinar: Securing Operations and Building Resilience in Critical Infrastructure