IEC 62443 SR 3.1 / SR 5.1 / NIST SP 800-82 Rev 3 Section 6.2.1

No direct internet egress from OT networks

Demonstrate that no device within the operational technology network can initiate direct communication to external internet destinations without passing through controlled intermediary security zones.

Description

What this control does

This control enforces network segmentation by prohibiting operational technology (OT) devices from establishing outbound connections directly to the internet. Any internet-bound traffic an OT system legitimately needs (vendor telemetry, license checks, time synchronization, patch retrieval) must traverse a controlled security zone, typically an industrial DMZ hosting a forward proxy or relay, where it is inspected, logged, and subject to policy. Remote-access jump hosts live in the same zone but serve inbound sessions; they are not an egress path. Denying direct egress removes the easiest route for a compromised OT device to beacon to a command-and-control server, exfiltrate process data, or fetch a second-stage payload; it does not by itself stop malware that arrives by removable media or an engineering laptop. Implementation typically involves deny rules at the OT/IT boundary firewall (deny OT subnets to any destination, with explicit permits only to the approved intermediaries), matching router access control lists, and, where data must only ever leave the OT zone, unidirectional gateways (data diodes), which make the reverse direction physically impossible rather than merely filtered. Two details decide whether the control holds in practice: OT hosts must resolve names only through a resolver inside the DMZ, because a permitted UDP/53 path to a public resolver is enough for DNS tunneling, and the deny rule must cover every protocol, not just HTTP and HTTPS.

Control objective

What auditing this proves

Demonstrate, with boundary firewall configuration, log review, and live connectivity tests, that no device within the OT network can initiate a direct connection to an internet destination, and that every internet-bound flow that does exist traverses a documented intermediary security zone (industrial DMZ proxy, relay, or data diode) where it is inspected and logged.

Associated risks

Risks this control addresses

  • Malware-infected OT devices establishing command-and-control channels with external threat actors, enabling remote manipulation of industrial processes
  • Exfiltration of proprietary process control data, SCADA configurations, or production schedules directly to unauthorized external parties
  • Ransomware or wiper malware on a compromised OT asset retrieving second-stage payloads, encryption keys, or operator instructions from external staging servers
  • Unauthorized software downloads or firmware updates from untrusted internet sources bypassing change control processes
  • DNS tunneling or covert channel establishment allowing attackers to maintain persistent access despite perimeter defenses
  • Fingerprinting of OT devices by external parties from the connections the devices themselves initiate (vendor telemetry, update checks, User-Agent and TLS client characteristics), revealing firmware and software versions to anyone positioned to observe them
  • Unauthorized cloud service usage by OT devices creating shadow IT pathways that bypass security monitoring

Testing procedure

How an auditor verifies this control

  1. Obtain current network topology diagrams identifying all OT network segments, security zone boundaries, and internet egress points
  2. Export firewall rule sets, router ACLs, and security appliance configurations governing traffic between OT zones and external networks
  3. Review network segmentation documentation to identify all designated pathways for OT-to-internet communication including proxies, DMZs, and data diodes
  4. Select a representative sample of at least 10-15 OT devices spanning different vendors, functions, and network segments for testing
  5. Perform live connectivity tests from a test host on each sampled OT segment (or from the sampled devices themselves only where the asset owner confirms this is safe) toward public destinations (e.g., 8.8.8.8, example.com) over several protocols, not just HTTPS: ICMP, TCP/443, TCP/80, UDP/53, and TCP/53. Use IP literals as well as names so that a failed DNS lookup is not mistaken for a blocked connection, and record for each attempt whether it succeeded, was rejected (TCP RST or ICMP unreachable), or timed out
  6. Review firewall and IDS/IPS logs from the past 30 days to identify any successful outbound connections originating from OT IP address ranges to public internet addresses
  7. Interview network and OT engineering teams to confirm exception processes for legitimate internet access requirements and verify documented approvals
  8. Test unidirectional gateway configurations where deployed to confirm data flows only in the intended direction from OT to IT/DMZ zones
Evidence required

Collect firewall rule exports showing deny-all or drop rules for outbound traffic from OT VLANs/subnets to any external addresses, router ACL configurations with corresponding restrictions, and network flow logs or packet captures demonstrating blocked connection attempts. Obtain network architecture diagrams annotated with security zone boundaries and approved intermediary systems such as jump servers or industrial DMZ proxies. Retain screenshots or command-line output from live connectivity tests showing connection timeouts or explicit denials.

Pass criteria

All tested OT devices fail to establish direct connections to internet destinations, firewall rules explicitly deny outbound internet traffic from OT networks except through documented intermediary security zones, and log reviews show no successful direct internet connections from OT IP ranges in the observation period.
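The two checks an auditor repeats most often in this procedure, the live probe in step 5 and the log review in step 6, as an added Python example that is not code from the control page or from any audit program it belongs to. The OT address ranges, the DMZ proxy and resolver addresses, and the key=value log line format are assumptions made for the example; the log lines are constructed. The probes are meant to run on a test host inside an OT segment; the log review can run anywhere given an export of the boundary firewall's allow/deny records.

```python
"""Added example for steps 5 and 6 of the testing procedure (not part of the
control page). The OT ranges, intermediary addresses and the key=value log
format are assumptions for the example, not values from the page."""
import ipaddress
import socket

# Assumed OT address space and documented intermediaries in the industrial DMZ.
OT_RANGES = [ipaddress.ip_network("10.50.0.0/16"),
             ipaddress.ip_network("192.168.100.0/24")]
APPROVED_INTERMEDIARIES = {"10.60.0.10",   # assumed DMZ forward proxy
                           "10.60.0.53"}   # assumed DMZ DNS resolver


def in_ot(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_RANGES)


def is_public(ip):
    # is_global is False for RFC 1918, loopback, link-local, CGNAT and the
    # documentation ranges (TEST-NET), so the sample uses real resolver IPs.
    return ipaddress.ip_address(ip).is_global


def parse_line(line):
    """Split a constructed 'k=v k=v ...' firewall log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def review_flows(lines):
    """Step 6: return (violations, dns_findings).

    A violation is an *allowed* flow from an OT range to a public address that
    is not an approved intermediary. DNS to a public resolver is also listed
    separately: a permitted UDP/53 path alone is enough for DNS tunnelling.
    """
    violations, dns_findings = [], []
    for line in lines:
        f = parse_line(line)
        if not {"action", "src", "dst", "proto", "dport"} <= f.keys():
            continue                      # not a flow record
        if f["action"] != "allow" or not in_ot(f["src"]):
            continue                      # denied, or source is not OT
        if f["dst"] in APPROVED_INTERMEDIARIES or not is_public(f["dst"]):
            continue                      # via DMZ proxy/resolver, or internal
        rec = (f["src"], f["dst"], f["proto"], int(f["dport"]))
        violations.append(rec)
        if f["proto"] == "udp" and rec[3] == 53:
            dns_findings.append(rec)
    return violations, dns_findings


def passes(lines):
    """Pass criterion for the log review: no allowed direct OT-to-internet flow."""
    return not review_flows(lines)[0]


def interpret_probe(outcome):
    """Map a connect() exception (or None for success) to evidence wording."""
    if outcome is None:
        return "ALLOWED"
    if isinstance(outcome, socket.gaierror):
        return "NO_RESOLUTION"            # name lookup failed: retest with an IP
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return "DROP"                     # silent drop: no SYN-ACK, RST or ICMP
    if isinstance(outcome, OSError):
        return "REJECT"                   # RST or ICMP unreachable/admin-prohibited
    return "UNKNOWN"


def probe_egress(host, port, timeout=3.0, connect=socket.create_connection):
    """Step 5: one TCP connect attempt from the OT-side test host.

    `connect` is injectable so the classification can be exercised offline.
    """
    try:
        connect((host, port), timeout=timeout).close()
        outcome = None
    except OSError as exc:
        outcome = exc
    return host, port, interpret_probe(outcome)


def connector_raising(exc):
    """Offline stand-in for socket.create_connection that raises `exc`."""
    def connect(address, timeout=None):
        raise exc
    return connect


# Constructed log lines for the demonstration; not from a real firewall.
SAMPLE_LOG = [
    "2024-05-02T10:01:07Z fw01 action=allow src=10.50.1.21 dst=10.60.0.10 proto=tcp dport=3128",
    "2024-05-02T10:01:09Z fw01 action=deny src=10.50.1.21 dst=8.8.8.8 proto=tcp dport=443",
    "2024-05-02T10:02:15Z fw01 action=allow src=10.50.3.7 dst=8.8.8.8 proto=udp dport=53",
    "2024-05-02T10:03:41Z fw01 action=allow src=10.50.3.7 dst=1.1.1.1 proto=tcp dport=443",
    "2024-05-02T10:04:00Z fw01 action=allow src=10.20.5.9 dst=1.1.1.1 proto=tcp dport=443",
    "2024-05-02T10:04:12Z fw01 action=allow src=10.50.3.7 dst=10.50.3.1 proto=tcp dport=502",
]

if __name__ == "__main__":
    direct, dns = review_flows(SAMPLE_LOG)
    print("allowed direct OT->internet flows:", direct)
    print("of which DNS to public resolvers:", dns)
    print("log review passes:", passes(SAMPLE_LOG))
    # Live probes: run from a test host on the OT VLAN; expect DROP or REJECT.
    for host, port in (("8.8.8.8", 443), ("8.8.8.8", 53), ("example.com", 80)):
        print(probe_egress(host, port))
```

A DROP result is the ordinary outcome of a silent deny rule and REJECT indicates an explicit reject or an ICMP unreachable from an intermediate router; either is acceptable evidence, and only ALLOWED is a finding. NO_RESOLUTION means the test host could not look up the name, so rerun with the IP literal before drawing any conclusion about the egress rule. In the log review the DNS findings are reported separately even though they are already counted as violations, because teams often permit UDP/53 to public resolvers without realizing that this alone undoes the control.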
