What Is OT Exposure Management? (And Why OT NDR Isn’t Enough)

Category Definition

What Is OT Exposure Management?

How outside-in discovery of internet-exposed OT assets works, why neither IT EASM nor OT NDR fully covers it, and what the five stages of an OT exposure management program look like.

ShiftSix Research

May 27, 2026

10 min read

TLP:CLEAR

Key Findings

  • 57,930 OT devices responding to protocol-specific queries across 7 industrial protocols (May 2026 scan data)
  • 40% of organizations have devices with known exploited vulnerabilities (KEVs) insecurely connected to the internet
  • Only 13% of organizations have fully implemented OT-aware remote access controls with session recording
  • IT EASM tools find open ports but don’t understand Modbus function codes, BACnet object names, or S7 firmware strings
  • CISA BOD 23-02 requires removal of internet-exposed management interfaces within 14 days of discovery

Most OT security programs focus inward. They deploy sensors inside the plant network, monitor traffic between PLCs and HMIs, and build asset inventories from passive packet capture. That’s valuable work. It tells you what’s talking to what inside your control system boundary.

It doesn’t tell you what the internet can see.

The scale of what’s visible from the outside is striking. Censys identified over 145,000 internet-exposed ICS services across 175 countries in late 2024. [Source: Censys/SecurityWeek, November 2024] Dragos found 46,000+ Modbus devices reachable from the public internet during their FrostyGoop investigation. [Source: Dragos Year in Review, 2025] Our own scan data from May 2026 adds another layer: over 57,000 OT devices responding to protocol-specific queries across seven industrial protocols.

None of these devices are hidden. They answer anyone who sends the right query. And the tools monitoring the inside of the network don’t flag them, because from the plant floor’s perspective, everything looks normal.

OT exposure management is the practice of continuously discovering, classifying, and reducing internet-facing OT assets. It works from the attacker’s perspective: scanning external IP space for industrial protocol responses, fingerprinting devices by protocol behavior, and mapping them back to organizations.

It’s the outside-in half of OT visibility.

Why OT Needs Its Own Approach

There are two tools that partially cover this space. Neither fully solves it.

IT EASM tools (Censys, Tenable ASM, CrowdStrike Falcon Surface, and similar) scan the internet for exposed services. They’re good at finding web applications, DNS misconfigurations, expired certificates, and shadow IT. But they don’t understand Modbus function codes, BACnet object names, or S7 firmware strings. They’ll tell you port 502 is open. They won’t tell you it’s a Schneider Electric Modicon M340 running firmware v2.5 with a project last modified three weeks ago.

OT NDR tools (Dragos, Claroty, Nozomi) monitor traffic inside the OT network. They understand industrial protocols deeply. They can identify every device on the plant floor, detect anomalous commands, and track firmware changes. But they require sensors deployed inside the network perimeter. They see internal traffic, not external exposure. A PLC that’s reachable from the internet but behaving normally on the plant network won’t trigger an alert.

OT exposure management fills the gap between these two. It combines the external scanning approach of IT EASM with the protocol-specific knowledge of OT NDR.

| Capability | IT EASM | OT NDR | OT Exposure Management |
|---|---|---|---|
| Discovers internet-facing assets | Yes | No | Yes |
| Understands OT protocols | No | Yes | Yes |
| Requires internal deployment | No | Yes | No |
| Identifies device vendor/model | Limited | Yes | Yes |
| Maps to OT compliance (NERC CIP, IEC 62443) | No | Partial | Yes |
| Detects exposure drift over time | Yes | No | Yes |
| Sees what attackers see | Yes | No | Yes |

The SANS 2025 State of ICS/OT Security survey noted that “traditional IT discovery tools fall short in OT environments as they often require active scanning that can disrupt industrial processes, lack the protocol-specific knowledge to identify ICS devices accurately, and don’t provide the depth needed to understand PLC configurations, firmware versions, or backplane-level details.” [Source: SANS 2025]

This isn’t a theoretical gap. Claroty’s 2025 analysis of roughly 1 million OT devices found that 40% of organizations had devices with known exploited vulnerabilities (KEVs) that were insecurely connected to the internet. [Source: Claroty State of CPS Security: OT Exposures 2025] Those aren’t just vulnerable devices. They’re vulnerable devices that are reachable from the outside.

How OT Devices End Up on the Internet

The ISA Global Cybersecurity Alliance has a blunt assessment: when organizations claim their OT systems are air-gapped, “in almost all instances, such claims are found to be incorrect.” [Source: ISA GCA]

Our scan data tells the same story from a different angle. The top ISPs hosting exposed Modbus devices aren’t enterprise networks. They’re mobile carriers: Korea Telecom (2,970 devices), Verizon Business (2,247), Turkcell (1,341), Telefonica (1,059). These are cellular-connected industrial devices with public IP addresses and no inbound traffic filtering.

The paths from “air-gapped” to “internet-facing” are predictable:

Cellular modems at remote sites. A water utility installs a 4G router at a pump station for telemetry. The carrier assigns a public IP. The router’s default configuration allows inbound connections. The Modbus service on the PLC behind it is now reachable from anywhere.

Vendor remote access. An equipment vendor sets up a VPN concentrator or remote desktop connection for maintenance. The connection persists after the maintenance window closes. Or the VPN terminates inside the OT network, creating a routable path from the internet to the control system. The SANS 2025 survey found only 13% of organizations have fully implemented OT-aware remote access controls with session recording. [Source: SANS 2025]

Cloud and IIoT gateways. The push for predictive maintenance and real-time dashboards creates persistent connections from OT to cloud. Our scans found 1,006 internet-facing Ignition SCADA gateways, 155 eWON remote access devices, and 302 Sierra Wireless AirLink routers, all with web management interfaces reachable from the public internet. Beyond dedicated OT gateways, we identified 1,416 web pages with “SCADA” in the title and 2,047 with “HMI.” Some of these are intentional and secured. Many aren’t.

Misconfigured NAT and firewall rules. An IT team adds a NAT rule for a business application and inadvertently exposes a port range that includes an OT protocol. The OT team doesn’t know because they don’t manage the firewall.

Equipment with built-in connectivity. Newer PLCs, inverters, and building controllers ship with Ethernet ports and web interfaces enabled by default. A building automation controller gets plugged into the same VLAN as the office network. An inverter at a solar site connects to the facility LAN for monitoring. Nobody intends for these to be internet-facing, but nobody checks, either.

Each of these paths is mundane. None of them require a sophisticated attacker or a novel exploit. And the result is the same: organizations that believe they’re air-gapped often have dozens of internet-facing OT assets they don’t know about.

The Five Stages of OT Exposure Management

Gartner introduced the Continuous Threat Exposure Management (CTEM) framework in 2022, predicting that organizations with CTEM programs would be “three times less likely to suffer a breach” by 2026. [Source: Gartner, July 2022] The framework was designed for IT, but its structure maps directly to OT exposure management with some adaptation.

1. Scope

Define what matters. For OT, this means identifying which industrial protocols, network ranges, remote sites, and third-party connections should be in scope for external monitoring.

Most organizations start with Modbus (port 502) and expand to DNP3, BACnet, OPC UA, S7, EtherNet/IP, and Fox. Cellular-connected sites, vendor VPN endpoints, and cloud-hosted OT services should all be in scope.

The mistake is scoping too narrowly. If you only monitor your known IP ranges, you miss the cellular modem that a field technician installed at a remote site.

2. Discover

Once you know what to look for, the next step is finding it. And OT discovery is different from port scanning. A port scan tells you 502 is open. OT discovery sends protocol-specific queries and interprets the responses.

For Modbus, that means sending Read Device Identification (FC 43) and Report Slave ID (FC 17) requests. For BACnet, it’s a Who-Is broadcast. For EtherNet/IP, it’s a List Identity request. Each protocol has its own discovery method.

The output is a list of confirmed OT endpoints with protocol, port, location, ISP, and whatever device metadata the protocol response contains.

Our May 2026 scan shows what this looks like at scale. BACnet led with 11,903 exposed services, mostly building automation controllers leaking floor plans and equipment names. EtherNet/IP followed at 5,395, predominantly Rockwell Automation environments. Siemens S7 PLCs accounted for 4,884, Niagara Fox building systems for 4,169. Even DNP3, which is concentrated in utilities, had 616 outstations reachable from the internet. Modbus topped the list at 30,434.

But protocol ports are only one layer of what’s discoverable. Certificate analysis adds another. We found 47,644 TLS certificates issued to major industrial vendors: GE (13,443), Schneider Electric (10,311), Honeywell (10,260), Siemens (7,183), ABB (2,460), and Rockwell (2,002). A Honeywell certificate on a web interface tells you there’s industrial infrastructure behind that IP address, even when the protocol port itself is filtered.

3. Classify

Discovery gives you a list. Classification turns it into a priority queue, because not all exposed OT services carry the same risk. A Schneider Electric Modicon M340 PLC on a cellular connection at a water treatment plant is a different problem than a Conpot honeypot on Alibaba Cloud.

Classification involves:

  • Device fingerprinting: Matching protocol responses to known vendor/model signatures
  • Environment inference: Using ISP data, geolocation, and co-located services to infer whether the device is production industrial equipment, a test environment, or a honeypot
  • Compliance mapping: Flagging devices that fall under NERC CIP, IEC 62443, or NIS2 scope based on protocol type and geography

4. Prioritize and Remediate

A classified list of exposures is useful. But most organizations can’t fix everything at once, so the next step is deciding what to fix first. Three factors tend to drive the order.

Protocol risk matters most. Modbus and DNP3 have no authentication at all. OPC UA supports TLS but is frequently misconfigured. BACnet doesn’t authenticate and leaks building metadata in its object names. A no-auth protocol on a cellular IP is a higher priority than a misconfigured TLS endpoint behind a corporate firewall.

Device criticality comes next. A PLC controlling a physical process at a water treatment plant is a different urgency than a power meter reporting energy usage data at an office building.

Then consider what the device is telling the world. A Modbus endpoint returning full firmware versions, project names, and engineer workstation identifiers is more exposed than one returning only a basic error response.

Remediation itself is usually network-level: add a firewall rule to the cellular router, reconfigure the VPN, segment the OT network, or disable the internet-facing service. The hard part is finding what’s exposed. The fix is usually straightforward.
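The discovery step above interprets protocol responses rather than open ports, and the prioritization step grades what a device tells the world. The following is an added example, not ShiftSix code, that parses a Modbus/TCP Read Device Identification (FC 43 / MEI type 14) response as stored in a scan index and grades its metadata exposure. The object ids follow the Modbus application protocol specification; the sample frames, vendor strings, and the three exposure grades are constructed for illustration, and nothing here sends packets.

```python
import struct

# Object ids defined for FC 43 / MEI type 14 (Read Device Identification)
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}
FC_READ_DEVICE_ID, MEI_TYPE = 0x2B, 0x0E


def _result(status, objects=None, exception=None):
    return {"status": status, "objects": objects or {}, "exception": exception}


def parse_device_identification(frame: bytes) -> dict:
    """Parse one Modbus/TCP response frame (MBAP header + PDU)."""
    if len(frame) < 7:
        return _result("truncated")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length < 2:
        return _result("malformed")
    pdu = frame[7:7 + length - 1]      # MBAP length counts unit id + PDU
    if len(pdu) < length - 1:
        return _result("truncated")
    if pdu[0] == FC_READ_DEVICE_ID | 0x80:   # exception response (FC | 0x80)
        return _result("exception", exception=pdu[1])
    if pdu[0] != FC_READ_DEVICE_ID or pdu[1] != MEI_TYPE or len(pdu) < 7:
        return _result("malformed")
    objects, pos = {}, 7               # skip id code, conformity, more, next, count
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            return _result("malformed", objects)
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) < obj_len:
            return _result("malformed", objects)
        name = OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return _result("identified", objects)


def metadata_exposure(parsed: dict) -> str:
    """Grade how much the response reveals (constructed scale for prioritization)."""
    if parsed["status"] != "identified":
        return "error-only"            # confirms Modbus answers, reveals little else
    if any(k in parsed["objects"] for k in ("MajorMinorRevision", "UserApplicationName")):
        return "extended"              # firmware version or project name leaked
    return "basic"                     # vendor / product only


def build_frame(objects: dict, tid: int = 1, unit: int = 1) -> bytes:
    """Build a constructed FC 43/14 response for offline testing (hypothetical device)."""
    body = bytes([FC_READ_DEVICE_ID, MEI_TYPE, 0x01, 0x81, 0x00, 0x00, len(objects)])
    for obj_id, value in objects.items():
        body += bytes([obj_id, len(value)]) + value
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body


# Constructed samples: a full identification and an exception (illegal function)
SAMPLE_FULL = build_frame({0: b"Example Vendor", 1: b"EX-PLC-340", 2: b"v2.5"})
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([0xAB, 0x01])
```

Run over an index export, the "extended" grade marks the endpoints the Prioritize stage puts first: a device answering with firmware and project strings, not just an error frame.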

5. Monitor Continuously

Fixing an exposure is not the end of the story. OT exposure isn’t static. A device that wasn’t exposed yesterday can appear on the internet today when a router reboots, a carrier re-provisions a SIM, or a firewall rule changes during maintenance.

Point-in-time assessments catch the current state. Continuous monitoring catches the drift. Dragos noted in their 2026 report that the industry-wide average ransomware dwell time in OT environments is 42 days, compared to 5 days for organizations with comprehensive OT visibility. That same report tracked 119 ransomware groups targeting industrial organizations, up from 80 in 2024, collectively impacting 3,300 organizations. [Source: Dragos Year in Review, 2026; verified via Dragos press release and BusinessWire, February 17, 2026] External monitoring contributes to that visibility by catching new exposures before they become entry points.

What CISA Says About OT Exposure

Federal guidance has moved steadily toward treating OT internet exposure as a distinct risk category, and the timelines are getting shorter.

The most pointed directive is BOD 23-02, issued in June 2023, which requires federal agencies to remove networked management interfaces from the public internet, or implement Zero Trust controls, within 14 days of discovery. The language is specific: it explicitly calls out “internet-accessible assets including IIoT, SCADA, ICS, and remote access technologies.” [Source: CISA BOD 23-02] An earlier directive, BOD 23-01, set the discovery cadence: automated asset discovery every 7 days and vulnerability enumeration every 14 days, including OT assets where technically feasible. [Source: CISA BOD 23-01]

The guidance keeps expanding. In 2025, CISA published joint guidance with the FBI and NCSC on “Secure Connectivity Principles for OT,” laying out 8 principles including limiting connectivity exposure and hardening OT boundaries. [Source: CISA/FBI/NCSC, 2025] CISA’s own Internet Exposure Reduction resource page acknowledges the scale of the problem: “the range and number of internet-accessible assets, including IIoT, SCADA, ICS, and remote access technologies, continues to grow.” [Source: CISA Exposure Reduction Guidance]

For federal agencies, these are binding. For everyone else in critical infrastructure, they signal where regulation is heading.

How ShiftSix Approaches OT Exposure Management

ShiftSix Security works from the outside in. Our platform scans for industrial protocol responses across the public internet, fingerprints devices by protocol behavior, and maps them to organizations using IP ownership data.

The approach is passive. We query existing internet scanning indexes and conduct protocol-level analysis. No packets are sent to customer OT devices. No sensors need to be deployed inside the network.

This means an organization can see its external OT exposure before buying hardware, scheduling a deployment window, or getting plant management approval. The data in our 2026 OT/ICS Internet Exposure Briefing, covering 57,930 exposed devices across 7 protocols, was collected using this methodology.

The value is closing the gap between what internal tools see and what the internet sees. Internal monitoring tells you what’s on your network. External monitoring tells you what’s on everyone else’s network that happens to be yours.

For organizations already using Dragos, Claroty, or Nozomi for internal OT visibility, ShiftSix provides the external complement. For those earlier in their OT security program, external exposure data is often the fastest way to identify which assets need attention first.

Where This Is Heading

The number of internet-facing OT devices isn’t shrinking. Cellular M2M connections, cloud-hosted SCADA, and IIoT gateways continue to expand the industrial internet surface. Fortinet’s 2024 report found 73% of OT organizations experienced intrusions, up from prior years. [Source: Fortinet State of OT, 2024] Ransomware groups targeting industrial organizations surged 49% year-over-year according to Dragos. [Source: Dragos Year in Review, 2026]

The organizations that manage this well will be the ones that treat OT exposure as its own discipline, not an afterthought of IT security or a secondary output of internal OT monitoring. They’ll scope it, discover it, classify it, prioritize it, and monitor it continuously.

That’s what OT exposure management is.

For a detailed breakdown of internet-exposed OT devices across 7 protocols, download the 2026 OT/ICS Internet Exposure Briefing.

See your exposure. ShiftSix Security discovers internet-facing OT devices mapped to your organization. No deployment, no disruption, no sensors required. Request a free OT exposure report or schedule a platform demo.

Frequently Asked Questions

What is the difference between OT exposure management and OT vulnerability management?

Vulnerability management identifies CVEs on known assets and tracks patching. OT exposure management discovers assets you may not know are internet-facing and identifies the exposure itself (open protocol, leaked metadata, no authentication) as the risk. Many exposed OT devices have known vulnerabilities, but the immediate risk is often the exposure itself: a Modbus device with no authentication doesn’t need a CVE to be dangerous.

Can I use a standard IT EASM tool for OT exposure management?

Partially. IT EASM tools will find open ports on your IP ranges. They won’t interpret Modbus function codes, fingerprint PLC models, or understand that a BACnet object name like “Building 7 Floor 3 AHU-2” reveals the physical location of a building automation controller. OT-specific protocol knowledge is required for meaningful classification and prioritization.

Do I need OT exposure management if I already have Dragos or Claroty?

Yes. Dragos and Claroty monitor traffic inside your OT network. They don’t scan the internet for your externally exposed assets. An OT device that’s reachable from the internet but operating normally inside your network won’t generate an alert in either tool. External monitoring and internal monitoring are complementary.

How many OT devices are currently exposed on the internet?

Estimates vary by source and methodology. Censys reported 145,000+ ICS services in late 2024. Our May 2026 analysis found 57,930 devices responding to protocol-specific queries across 7 industrial protocols, with 88,955 carrying the broader “ICS” tag across major scanning indexes. The true number depends on how you define “exposed” and which protocols you include.

Is OT exposure management required by regulation?

Not explicitly by name, but the practice aligns with requirements in NERC CIP (asset identification, electronic security perimeters), IEC 62443 (zone and conduit model, security assessments), and CISA BOD 23-02 (removing management interfaces from the internet). NIS2 in Europe requires critical infrastructure operators to perform risk assessments that should include external exposure.

ShiftSix Research Team

ShiftSix Security

The ShiftSix research team maps OT/ICS attack surfaces from the outside in, combining external exposure data with threat intelligence to help critical infrastructure operators understand and reduce their internet-facing risk.

Sources & References

  1. Censys / SecurityWeek — 145,000+ internet-exposed ICS services across 175 countries, November 2024
  2. Dragos — Year in Review 2025: 46,000+ exposed Modbus devices
  3. Claroty — State of CPS Security: OT Exposures 2025
  4. SANS — 2025 State of ICS/OT Security Survey
  5. Gartner — Continuous Threat Exposure Management Framework, July 2022
  6. CISA — BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces
  7. CISA — BOD 23-01: Improving Asset Visibility and Vulnerability Detection
  8. ISA GCA — Air Gap Assessment: Claims vs. Reality
  9. Dragos — Year in Review 2026: 119 ransomware groups, 3,300 impacted organizations
  10. Fortinet — State of Operational Technology and Cybersecurity Report, 2024
