100

CISA’s ICS exposure-control checklist: cut reachability first

If your ICS can be reached from the Internet, it is already too exposed. CISA’s recurring advice is to reduce reachability first, then layer in segmentation, firewalls, and controlled remote access[[cite:1]][[cite:2]].

  • High-voltage power plant monitoring control room with operators tracking SCADA data and live grid maps on a large video wall
🧵 1/5

Step 1: review the advisory’s affected software or firmware versions and confirm whether the asset is in scope. CISA advises following the vendor’s mitigation or support guidance for those versions[[cite:3]][[cite:4]].

🧵 2/5

Step 2: for legacy or unpatchable assets, treat direct Internet access as a risk condition and remove Internet reachability wherever possible. Do not leave control systems exposed just because patching is hard[[cite:5]][[cite:6]].

🧵 3/5

Step 3: put control system networks and remote devices behind firewalls, and isolate ICS and OT from business networks. CISA repeats that placement and separation as core exposure controls[[cite:7]][[cite:8]].

🧵 4/5

Step 4: if remote access is required, use a secure VPN, keep it updated, and remember it is only as secure as the devices it connects to. The safer close is simple: shrink exposure, then keep reviewing affected versions[[cite:9]][[cite:10]][[cite:11]].

🧵 5/5