Updated: Feb 5, 2021
One question Systems and Cyber Security Engineers get asked is whether the company's assets are secure. It sounds like a straightforward question, right?
There are several ways to find out. One is to hack your own devices, but that is not always allowed. The technical reason is that you don't want to risk causing problems on the system; the legal reason is that you actually need permission to access the system.
While it may seem silly to be stopped by a "rule" that potential attackers will simply ignore, it is a reality that companies have to deal with. The preferred approach is to use passive means of checking: documentation, observation, and any tools you already have available. In IT environments this is less of an issue, but OT environments differ from IT environments in ways that make passive checking a necessity, since an active scan can disrupt a running process.
Is there another way?
Well, you may not be able to actively scan your systems right now, but what if someone already has? Can we check their results?
Online databases as a passive check of your system
There are many online databases of internet-accessible devices that have already been scanned for you. These services routinely scan the internet and store whatever information the devices readily give away, such as open ports and service banners.
This may not mean anything bad, but you should at least investigate whether any devices on your systems come up on these sites. You might think all of your systems are isolated, and that is likely true, but sometimes a development system is sitting there, or you find a temporary commissioning link that was set up in the past and never removed.
Whatever the case may be you are hoping not to appear on one of these lists.
The beauty of some of these websites is that they are mostly free or low cost, and you can even get a map showing where the devices are.
OT Engineers can Check their Assets
A superficial check is still a nice peace-of-mind exercise you can do for free with zero impact on your operational technology. The general process I will outline for each of these websites is how I have used them to get a brief idea of what PLCs and other critical infrastructure technology are exposed on the internet, and to confirm there aren't any in my care.
You may not know that these databases are available for operational technology, but here are our top 3 sites you should check out.
Censys
Attack surface management using a data-driven approach. While they have many products that may be relevant to your business, I'll only mention the search capability you can use right on their website. From the homepage, click Search IPv4 under Search Censys Data.
Then type in the vendor of some of the equipment you have. For all the examples we will use "rockwell automation". The fastest approach is to switch to the "map" view and scroll to an area where you know you have equipment. Go through each device shown: its IP address is listed along with the ports that were found to be internet facing.
In this example I checked for equipment in NSW, Australia.
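Clicking through map pins works for a handful of results, but the real check is whether any of the returned hosts fall inside your own address space or expose an industrial protocol port in your region. The script below is an added example, not code from the original post or from Censys: it triages a list of host records against your organisation's CIDR ranges and a list of common OT ports. The records are constructed here for illustration and are only shaped like Censys host search hits (ip, services[].port, location.province, autonomous_system); the field names, the documentation-range addresses and the port list are all assumptions you would adjust to the export you actually pull from the site.

```python
"""Triage Censys-style host search results against your own address space.

Added example (not code from the original post or from Censys). The records
below are constructed for illustration; they only mimic the shape of a Censys
host search hit (ip, services[].port, location.province, autonomous_system).
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample hits. Addresses come from the RFC 5737 documentation
# ranges, so nothing here points at a real device.
SAMPLE_HITS: List[Dict] = [
    {
        "ip": "203.0.113.10",
        "services": [{"port": 44818, "service_name": "UNKNOWN"},
                     {"port": 80, "service_name": "HTTP"}],
        "location": {"country": "Australia", "province": "New South Wales"},
        "autonomous_system": {"asn": 64496, "name": "EXAMPLE-AS"},
    },
    {
        "ip": "203.0.113.200",
        "services": [{"port": 443, "service_name": "HTTPS"}],
        "location": {"country": "Australia", "province": "New South Wales"},
        "autonomous_system": {"asn": 64496, "name": "EXAMPLE-AS"},
    },
    {
        "ip": "198.51.100.7",
        "services": [{"port": 502, "service_name": "MODBUS"}],
        "location": {"country": "Australia", "province": "Victoria"},
        "autonomous_system": {"asn": 64497, "name": "EXAMPLE-ISP"},
    },
    {
        "ip": "198.51.100.50",
        "services": [{"port": 502, "service_name": "MODBUS"},
                     {"port": 8080, "service_name": "HTTP"}],
        "location": {"country": "Australia", "province": "New South Wales"},
        "autonomous_system": {"asn": 64497, "name": "EXAMPLE-ISP"},
    },
]

# Ports commonly used by industrial protocols (assumption: extend or trim this
# to match what your own site actually runs).
OT_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    2222: "EtherNet/IP implicit I/O (normally UDP)",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP explicit messaging)",
    47808: "BACnet/IP",
}


def flag_exposed_hosts(hits: List[Dict], own_networks: List[str],
                       province: Optional[str] = None) -> List[Dict]:
    """Return the hits that deserve a closer look.

    A hit is flagged when its IP falls inside one of own_networks (our address
    space, so any open port is a finding), or when it exposes a known OT port
    in the province of interest (not ours on paper, but worth confirming it is
    not a forgotten commissioning link).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in own_networks]
    findings = []
    for hit in hits:
        ip = ipaddress.ip_address(hit["ip"])
        in_own_range = any(ip in net for net in nets)
        ports = sorted(s["port"] for s in hit.get("services", []))
        ot_ports = [p for p in ports if p in OT_PORTS]
        hit_province = hit.get("location", {}).get("province")
        in_region = province is None or hit_province == province

        if in_own_range:
            reason = "own address space"
        elif ot_ports and in_region:
            reason = "OT protocol port in region"
        else:
            continue  # nothing of ours and nothing industrial: skip
        findings.append({
            "ip": str(ip),
            "reason": reason,
            "ports": ports,
            "ot_protocols": [OT_PORTS[p] for p in ot_ports],
            "province": hit_province,
            "asn": hit.get("autonomous_system", {}).get("asn"),
        })
    # Hosts in our own ranges first: those need an owner identified today.
    findings.sort(key=lambda f: (f["reason"] != "own address space", f["ip"]))
    return findings


def format_findings(findings: List[Dict]) -> List[str]:
    """One printable line per finding."""
    return [f"{f['ip']:<16} {f['reason']:<28} ports={f['ports']} "
            f"ot={f['ot_protocols']} asn={f['asn']}" for f in findings]


if __name__ == "__main__":
    # Hypothetical: our public range is 203.0.113.0/25 and our plant is in NSW.
    for line in format_findings(
            flag_exposed_hosts(SAMPLE_HITS, ["203.0.113.0/25"], "New South Wales")):
        print(line)
```

Run as written, the script flags 203.0.113.10 (inside the assumed /25, and also showing EtherNet/IP on 44818) and 198.51.100.50 (Modbus on 502 in New South Wales), while the HTTPS-only host in our range's neighbour block and the Victorian Modbus host are left alone. Dropping the province filter brings the Victorian host back; widening own_networks is the right move once you have a complete list of every public range the business has ever been allocated, including those from acquisitions.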