By Eddie Aveitia, NERC CIP Reliability Specialist
Every open port on a BES Cyber System is a potential entry point for a threat actor. Best practice — and a foundational principle of industrial cyber security — dictates that only the ports and services necessary for operations should be enabled. Everything else should be disabled or restricted. This principle exists for good reasons: the fewer doors you leave open, the fewer ways an attacker can access your data.
Unused ports that remain open create unnecessary attack surface. Adversaries routinely scan industrial networks for listening services on common ports — such as Telnet (23), RDP (3389), or legacy protocols still present on older-generation BES Cyber Systems. If those ports are open and unmonitored, they can be exploited without triggering an immediate alert.
So how do you identify them? Your team should periodically review which ports are active on BES Cyber Systems, compare those results against what is known and expected, and investigate any deviation as a potential unauthorized change.
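The review described above, as an added example (not the author's tooling): a script that parses `ss -tuln` style output from a host, compares the listening ports against a documented baseline, and reports any deviation in either direction. The baseline entries and the captured output are constructed sample values; a real baseline comes from your own asset documentation and the output from the system under review.

```python
import re

# Constructed baseline of expected listening ports for one BES Cyber System
# (hypothetical values; a real baseline comes from your asset documentation).
EXPECTED_PORTS = {
    ("tcp", 22): "SSH - remote maintenance",
    ("tcp", 502): "Modbus/TCP - process communication",
    ("udp", 123): "NTP - time synchronization",
}

# Constructed sample of `ss -tuln` output as captured from the same system.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
udp    UNCONN  0       0             0.0.0.0:123         0.0.0.0:*
tcp    LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
tcp    LISTEN  0       5             0.0.0.0:23          0.0.0.0:*
tcp    LISTEN  0       128           0.0.0.0:502         0.0.0.0:*
tcp    LISTEN  0       128              [::]:3389           [::]:*
"""

# Matches the protocol and the port at the end of the "Local Address:Port" column.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listening_ports(ss_output):
    """Return the set of (proto, port) pairs present in `ss -tuln` style output."""
    found = set()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found


def compare_to_baseline(observed, expected):
    """Split the observed ports into 'unexpected' (open but not in the baseline)
    and 'missing' (in the baseline but not open). Both are deviations: an
    unexpected port is possible unauthorized change, a missing one may mean a
    required service has stopped."""
    unexpected = sorted(observed - set(expected))
    missing = sorted(set(expected) - observed)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = compare_to_baseline(
        parse_listening_ports(SAMPLE_SS_OUTPUT), EXPECTED_PORTS)
    for proto, port in unexpected:
        print(f"INVESTIGATE: {proto}/{port} is listening but not in the baseline")
    for proto, port in missing:
        print(f"CHECK: {proto}/{port} ({EXPECTED_PORTS[(proto, port)]}) is not listening")
```

Run against the constructed sample it flags tcp/23 and tcp/3389, the two legacy services the text names, while the documented SSH, Modbus and NTP listeners pass.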
Operators and technicians play a key role here. If you connect a laptop to the internet or intranet, install software, or make any configuration change on a BES Cyber System — even temporarily — you may be introducing new open ports without realizing it.
Remember: If a port isn’t needed, it shouldn’t be open. If it’s open and you don’t know why — report it to your supervisor or security team immediately.
