CUSTOMER STORIES
Real Results from Real OT Environments
See how organizations across energy, water, and building automation discovered and remediated their external OT exposure.
Due to the sensitive nature of OT security, all case studies are anonymized to protect our customers’ operational environments. The data and findings are real.
Renewable Energy Operator — BESS & Solar
Challenge
A large renewable energy operator with 40+ solar and battery storage sites across three states had no visibility into their internet-exposed OT assets. Internal monitoring tools covered the control center but not the distributed site infrastructure.
Discovery
ShiftSix’s passive outside-in scan discovered 23 internet-exposed Modbus devices and 8 exposed DNP3 endpoints across their distributed sites—including battery management systems with unauthenticated access and inverter controllers reachable from the public internet.
Results
Within 24 hours of the initial scan, the operator had a complete inventory of their external OT exposure mapped to specific sites, device types, and compliance gaps (NERC CIP-005, CIP-007). Three critical findings matched active VOLT TYPHOON targeting patterns.
Outcome
All critical exposures remediated within 72 hours. Ongoing continuous monitoring established to detect new exposure as sites expand.
Regional Water Utility
Challenge
A mid-sized water utility serving 500,000+ residents relied on internal network monitoring from a leading OT security vendor. They believed their SCADA systems were fully air-gapped from the internet.
Discovery
ShiftSix identified 7 internet-exposed PLCs running Modbus/TCP on port 502 and 3 DNP3 outstation endpoints directly reachable from the internet. Two devices were legacy Schneider M340 PLCs with known CISA KEV vulnerabilities. The utility’s internal tools had no visibility into these exposures because the devices were connected through a misconfigured cellular gateway.
Results
The utility’s “air-gapped” assumption was proven false. Exposed assets matched targeting patterns from the Cyber Av3ngers campaign against water utilities. Findings mapped directly to EPA cybersecurity assessment gaps.
Outcome
Cellular gateway access controls hardened within 48 hours. Continuous external monitoring added to complement existing internal OT security tools.
Commercial Real Estate — Building Automation
Challenge
A facilities management company operating 15 commercial buildings suspected that some of their building automation systems (BAS) might be internet-accessible, but had no way to verify the scope.
Discovery
ShiftSix discovered 12 exposed BACnet devices across 8 buildings, including Tridium Niagara controllers with default credentials and Johnson Controls BAS gateways with self-signed certificates. Several devices exposed HVAC control points that could be manipulated remotely.
Results
The scan revealed that 53% of their BAS infrastructure had some form of internet exposure. Most exposures traced to improperly configured IT/OT convergence points and third-party vendor remote access connections left in default states.
Outcome
Default credentials rotated and unauthorized remote access paths closed within one week. Building automation network architecture reviewed with segmentation improvements planned.