Guidance

Preventing unintentional operational technology (OT) device exposure

This guidance provides actionable recommendations for OT asset owners, operators, and integrators to protect New Zealand OT systems against malicious cyber activity targeting public-facing infrastructure.

Published: 16 October 2025

About this guidance

National Cyber Security Centre (NCSC) analysis of public-facing infrastructure has identified internet-connected operational technology (OT) devices in New Zealand. It is highly likely the asset owners are unaware of the risk posed by this exposure.

Most OT devices are not designed to be internet-facing and should not have direct access to the internet. They lack the necessary security controls to protect against malicious cyber activity that may opportunistically or systematically target devices in New Zealand.

The NCSC strongly recommends organisations identify any unintentional or nonessential instances of internet-connected operational technology (OT) in their networks and ensure device connectivity configurations are changed to prevent insecure access to, from, or across the internet.

OT systems include:

  • industrial control systems (ICS),
  • supervisory control and data acquisition systems (SCADA),
  • programmable logic controllers (PLCs), and
  • building management systems.

Why does it matter?

Internet-exposed OT devices are easily discoverable by malicious cyber actors with help from commonly available tools. 

Historically, OT devices were isolated and designed for use in closed networks without external connectivity. As a result, most OT devices have inadequate inherent security functionality.

Over time, OT devices such as industrial control systems or building management systems have shifted from isolated ‘air-gapped’ networks to increasingly complex and inter-connected networks.

The drivers of this shift include:

  • the convergence of information technology (IT) and OT networks for business needs,
  • an increased desire or requirement to remotely manage, monitor, and support OT equipment, and
  • the rise of industrial internet of things (IIoT) devices that need public cloud connectivity to function.

Threats to internet-exposed OT

Malicious cyber actors may opportunistically or systematically target internet-exposed OT devices in New Zealand for financial or political gain.

All types and sizes of organisations can be targeted — malicious cyber actors do not solely focus on large organisations, as smaller organisations can be perceived as softer targets. For example, hacktivists aim to draw attention to their cause, whether political, social, or ideological, through malicious cyber activity. Their choice of target is often opportunistic and may not be linked to their cause, resulting in organisations being targeted unexpectedly.

Malicious adversaries may also target New Zealand OT systems to develop their access for future malicious activity.

Insecure remote access to OT devices and systems can present significant risk. Potential impacts of unauthorised access to OT devices include:

  • financial loss,
  • loss of asset control,
  • environmental impacts, and
  • in serious cases, loss of life.

There are several publicly reported incidents involving operational technology, including the U.S. Colonial Pipeline incident in 2021. 

Colonial Pipeline cyber security incident

Exposed devices are easily discoverable using publicly available tools due to open ports on public IP ranges. These devices sometimes rely on basic password protection to guard administrative access, which does not sufficiently defend against malicious cyber activity.

Secure remote access to OT devices is possible but it requires defensible architecture and active risk management.

Recommendations 

  • The NCSC strongly recommends that asset owners and operators identify internet-connected OT devices in their networks. For advice on how to achieve this, review the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Internet Exposure Reduction Guidance:
    Internet exposure reduction guidance | CISA
  • Where internet connectivity is unintentional or not required, asset owners and operators should change configurations for any internet-facing OT devices to prevent or restrict access to, from, or across the internet.
  • Organisations should identify what additional security controls can be implemented to reduce the risk of unauthorised access to these systems. 
  • For device or system-specific guidance or configuration assistance, contact your integrator or the original equipment manufacturer. 
  • In cases where remote connectivity from outside of your OT network is required, secure remote access requires a layered defence approach.
  • Best practice mitigations include: 
    • Use of unique, non-default credentials, with multi-factor authentication (MFA) enabled and enforced where possible.
    • Design of secure remote access as an ephemeral connection through a bastion/jump host (or other secure third-party remote access solution).
    • Tight control of both ingress and egress traffic between OT networks and other networks with a default deny policy for traffic. 
    • Use of private APNs for additional control over cellular-connected devices.
    • Monitoring of device logs and network traffic for malicious or abnormal activity, with appropriate alerting so that detected issues are raised to the right level of attention and response.
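
As an added illustration of the recommendations above (not part of the NCSC guidance), the following Python example checks an asset inventory for OT devices addressed outside internal ranges and audits an ordered firewall rule list for unrestricted ingress or egress and a missing default deny. The asset names, addresses, OT subnet and rule format are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions for illustration, not from the guidance).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NET = ipaddress.ip_network("10.20.0.0/24")   # hypothetical OT subnet
ANY = ipaddress.ip_network("0.0.0.0/0")

ASSETS = [  # (name, address) as recorded in the OT asset inventory
    ("plc-pump-01", "10.20.0.11"),
    ("bms-controller", "203.0.113.10"),  # documentation range, stands in for a public IP
    ("scada-hmi", "10.20.0.5"),
]

RULES = [  # ordered, first match wins: (action, source, destination)
    ("allow", "10.30.0.8/32", "10.20.0.0/24"),  # jump host into OT
    ("allow", "0.0.0.0/0", "10.20.0.11/32"),    # any source into a PLC
    ("allow", "10.20.0.0/24", "0.0.0.0/0"),     # OT out to anywhere
    ("allow", "10.20.0.5/32", "10.40.0.2/32"),  # HMI to historian
]

def externally_addressed(assets):
    """Names of OT assets whose address lies outside the internal ranges."""
    return [name for name, ip in assets
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL)]

def audit_rules(rules, ot_net=OT_NET):
    """Flag unrestricted ingress/egress for the OT subnet and a missing default deny."""
    findings = []
    for idx, (action, src, dst) in enumerate(rules, start=1):
        if action != "allow":
            continue
        src_n, dst_n = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if src_n == ANY and dst_n.overlaps(ot_net):
            findings.append((idx, "ingress from any source into OT"))
        if dst_n == ANY and src_n.overlaps(ot_net):
            findings.append((idx, "egress from OT to any destination"))
    if not rules or rules[-1] != ("deny", "0.0.0.0/0", "0.0.0.0/0"):
        findings.append((len(rules) + 1, "no explicit default deny as final rule"))
    return findings

if __name__ == "__main__":
    print("Assets addressed outside internal ranges:", externally_addressed(ASSETS))
    for idx, issue in audit_rules(RULES):
        print(f"rule {idx}: {issue}")
```
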

The NCSC also recommends that organisations review our operational technology guidance:

Protect your Organisation – operational technology guidance

Report an incident

If you suspect that your OT systems have been impacted by malicious cyber activity, please report this to NCSC through our online reporting tool:

Report an incident

Request for information

The NCSC aims to provide timely and actionable advice to industry on New Zealand’s relevant vulnerabilities.

Please let us know if this guidance aided you in discovering and addressing unintentionally internet-exposed OT devices.

We also welcome any feedback on this guidance. Contact us at info@ncsc.govt.nz and include the title of this guidance in the subject line. 

Resources

The NCSC recommends organisations review and implement the guidance outlined in the following resources where possible: 

Advice on reducing internet exposure of OT:

CISA’s Internet Exposure Reduction Guidance

Advice on reducing cyber threats to OT:

CISA’s Primary Mitigations to Reduce Cyber Threats to Operational Technology

Advice on creating an asset inventory for OT:

NCSC's Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators

Information on what to require when procuring OT:

NCSC’s Secure by Demand for OT Owners and Operators

Advice on improving cyber security for IT-to-OT networks:

U.S. National Security Agency’s (NSA) Stop Malicious Cyber Activity Against Connected Operational Technology

Guidance on developing a comprehensive record of OT systems:

NCSC Joint Guidance: Creating and maintaining a definitive view of your OT architecture

Guidance on creating an effective OT security program:

Australian Signals Directorate’s Principles of operational technology cyber security

Download a PDF version of this guidance:

 Preventing unintentional operational technology (OT) device exposure [PDF, 246 KB]

NCSC Cyber Security Framework

This advice is consistent with the Prevent and Protect function within the NCSC Cyber Security Framework.

NCSC Cyber Security Framework

The advice is designed to assist with reducing actual risk and incrementally improving security now, rather than aiming for perfect security tomorrow. Assets need protection in a way that prevents incidents and addresses vulnerabilities before they are exploited. To do this effectively, asset owners need to Identify and Understand their assets and how they can be targeted.

To create an asset inventory for OT, see Asset Inventory Guidance for Owners and Operators:

Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators

Acknowledgements

The NCSC would like to thank the NZ ICS Cyber Technical Network for their support in developing this resource for New Zealand industrial organisations and practitioners. For more information, visit the Technical Network’s website:

ICS Cyber