Securing Internet-Exposed PLCs: Field Kit in a Box for Industrial OT Security

The PLC behind your pumping station may already be exposed

Most small water utilities, oilfield operators, and manufacturing sites in Texas don’t realize how thin the security boundary is between a public-facing programmable logic controller (PLC) and the equipment it commands. A breaker. A pump. A treatment dose. A wellhead choke. In many real-world deployments, that PLC is sitting on the open internet with default credentials, a web interface on port 80, and zero monitoring — and adversaries know it.

This isn’t theoretical. In late 2023, an Iranian-affiliated group calling itself CyberAv3ngers compromised dozens of Unitronics Vision-series PLCs across at least 10 U.S. states, including the Municipal Water Authority of Aliquippa, Pennsylvania. CISA, the FBI, NSA, and EPA issued a joint advisory (AA23-335A) confirming the attackers exploited default passwords on internet-exposed devices. In 2024 and 2025, CISA’s ICS advisory cadence accelerated — Siemens alone published multi-vulnerability bulletins covering SIMATIC ET 200SP, TeleControl Server Basic, and SINEC NMS, while WAGO, Delta, Schneider, and Rockwell PLCs received critical patches throughout the year.

If you operate industrial control systems — water and wastewater, oil and gas, manufacturing, building automation, or process control — and any part of your environment touches the public internet for remote management, this post is for you. We’ll walk through what’s actually happening, what good looks like in 2026, and how Galaxy IT Solutions delivers a turn-key OT security drop-in: a Field Kit in a Box built around the Fortinet Rugged platform with built-in 5G, Starlink failover, and central management.


Why so many PLCs are exposed in the first place

PLCs were designed for one thing: deterministic control of physical processes, often over decades of service life. Security was an afterthought — and in many cases, simply not a requirement when the device was specified.

The most common patterns we see in the field across Montgomery County and the broader Houston / South Texas industrial corridor:

  • Direct cellular modems with public IPs. A SCADA integrator drops a 4G LTE modem at a remote pumping station so they can dial in from a laptop. The PLC ends up directly addressable from the internet, with nothing between it and a Shodan query.
  • Default or shared credentials. Vendors ship with well-known default passwords, and field crews rarely change them — sometimes because the customer’s own SCADA tooling relies on the default.
  • Flat networks. The PLC, HMI, engineering workstation, badge reader, and corporate file share all sit in the same broadcast domain. One compromised laptop reaches everything.
  • Unmonitored remote sites. Nobody is watching the logs because there are no logs — or the logs live on the device itself with no central collector.
  • Outdated firmware. Patching means a planned outage on a physical process, so devices run firmware that’s three, five, sometimes ten years behind the vendor’s current release.

The CyberAv3ngers campaign wasn’t sophisticated. It was Shodan plus default passwords. The next campaign won’t need to be sophisticated either — that’s the problem.


What “good” looks like for OT security in 2026

The CISA Cross-Sector Cybersecurity Performance Goals and the international IEC 62443 standard converge on the same handful of principles. None of them are exotic; they’re just rarely all in place at once on a small or mid-sized site.

  1. Zero direct internet exposure. No PLC, HMI, or engineering workstation should be reachable from the public internet. Period. Remote access happens through an authenticated, encrypted gateway — never directly to the device.
  2. Network segmentation between IT and OT. Corporate file shares, email, and user laptops live in a different security zone from production control systems. The boundary is a firewall that understands industrial protocols (Modbus, DNP3, EtherNet/IP, OPC UA, IEC 61850, S7) at the payload level.
  3. Identity-aware remote access. Vendor logins are tied to named individuals with multi-factor authentication, time-bound sessions, and full session recording — not shared “service” passwords on a sticky note.
  4. Continuous monitoring and centralized logging. Every site forwards security events to a central analyzer where anomalies trigger alerts. The goal is to know within minutes that something is wrong, not weeks later when a process trip finally surfaces it.
  5. Virtual patching. When a vendor patch for a PLC isn’t safe to deploy yet, the firewall in front of the device blocks the specific exploit traffic. This is one of the most underrated capabilities in modern OT firewalls.
  6. Redundant connectivity. Field sites need uptime even when the primary link drops. Cellular plus Starlink failover is the new baseline for remote operations.
  7. Hardened, ruggedized hardware. A consumer-grade firewall in an outdoor enclosure in Texas summer heat is a ticking failure. Field gear needs to be DIN-rail mountable, fanless, wide-temperature-range, and certified for industrial environments.

That last point matters a lot. The reason most small operators don’t deploy proper OT security isn’t ignorance — it’s that doing it right has historically meant integrating five different vendors, ordering a $15,000 industrial PC, hiring a SCADA integrator, and waiting six months. We’ve fixed that.


The Galaxy IT “Field Kit in a Box”

We’ve packaged everything an industrial site needs to lock down its PLC environment into a single deployable kit. One PO, one delivery, one onboarding session — and the site is on a managed, monitored, segmented network with redundant connectivity.

What’s in the box

  • FortiGate Rugged 70G with dual 5G modems — Fortinet’s flagship ruggedized next-generation firewall. Fanless, DIN-rail mountable, redundant 12-125V DC inputs, wide operating temperature range, and built to withstand the shock, vibration, humidity, and heat of a Texas field site. Two integrated 5G cellular modems with active/active dual-SIM support deliver up to 8 Gbps firewall throughput and 1.3 Gbps threat protection — overkill on day one, headroom for years.
  • Starlink Business or Mini terminal — wired into the FortiGate as a tertiary WAN, with automatic failover from primary 5G to secondary 5G to Starlink. Sites stay up even when both cellular carriers have an outage, a tower goes down, or a backhoe finds the fiber. SD-WAN policies route SCADA traffic over the lowest-latency path.
  • FortiSwitch Rugged — managed industrial switch with PoE for cameras, sensors, and access points. Fully managed from the FortiGate, so the site has one pane of glass for switching, wireless, and security.
  • FortiAP Rugged (optional) — for sites that need secure Wi-Fi for handhelds, tablets, or contractor laptops without punching another hole through the perimeter.
  • Pre-staged segmentation — out of the box, the kit deploys with separate security zones for OT (PLCs, HMIs, RTUs), IIoT (sensors, cameras), corporate (laptops, printers), and management. Inter-zone traffic is permitted only by explicit, logged policy.
  • Out-of-band management — the FortiGate’s cellular WAN is dedicated for management even when the primary link is down, so we can recover the site remotely without a truck roll.
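
The pre-staged segmentation above, modelled as an added example (not Fortinet or Galaxy IT code): four zones, inter-zone traffic permitted only by an explicit rule, everything else denied and every decision logged. The address plan, the two allow rules and the "internet" catch-all are constructed assumptions for this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed address plan for the four zones the kit ships with.
ZONES = {
    "ot": ipaddress.ip_network("10.20.0.0/24"),         # PLCs, HMIs, RTUs
    "iiot": ipaddress.ip_network("10.21.0.0/24"),       # sensors, cameras
    "corporate": ipaddress.ip_network("10.22.0.0/24"),  # laptops, printers
    "management": ipaddress.ip_network("10.23.0.0/24"), # engineering / admin hosts
}

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    port: int

# Explicit allow list (constructed). Anything not listed is implicitly denied.
ALLOW = [
    Rule("management", "ot", "tcp", 502),   # engineering access to Modbus/TCP
    Rule("iiot", "corporate", "tcp", 443),  # camera/sensor uploads to a collector
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is treated as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src: str, dst: str, proto: str, port: int, log: list) -> bool:
    """Decide one flow against ALLOW and append the decision to log.
    Intra-zone traffic is switched rather than firewalled in this model;
    every inter-zone flow must match an explicit rule or it is denied."""
    s, d = zone_of(src), zone_of(dst)
    verdict = True if s == d else Rule(s, d, proto, port) in ALLOW
    log.append(f"{'ALLOW' if verdict else 'DENY'} {s}->{d} {proto}/{port} {src}->{dst}")
    return verdict
```

A public source reaching a PLC web interface on port 80 lands in the "internet -> ot" case and is denied, which is the zero-direct-exposure principle expressed as policy.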

Why FortiGate Rugged

Compared to a typical office-grade firewall in an industrial enclosure, the Rugged 70G delivers:

  • 3.6x firewall throughput and 6.3x IPSec VPN throughput versus the industry average for ruggedized appliances of similar size
  • 3,060 OT protocol signatures — virtual patches for Modbus, DNP3, EtherNet/IP, OPC UA, IEC 61850, S7, BACnet, and 80+ other industrial protocols
  • Dual active 5G modems for carrier diversity (e.g., AT&T + T-Mobile + Starlink as failover)
  • Trusted Platform Module (TPM) for hardware-rooted device identity
  • Digital I/O module for tripping local alarms or door sensors from the firewall itself
  • Fanless design rated for harsh, dusty, hot environments — no moving parts to fail

For very small sites, the FortiGate Rugged 50G-5G drops the price and footprint while keeping the OT protocol coverage, single 5G modem, and the same FortiOS platform. For sites that need integrated Wi-Fi 6 plus dual 5G, the FortiWiFi 50G-5G-II rolls all of it into one box.


Central management with FortiManager and FortiAnalyzer

A single secure firewall at a single site is a good start. The real value shows up when you have 20, 50, or 200 sites — and you need policy consistency, change control, and unified visibility across all of them. That’s where the management plane comes in.

FortiManager — one policy, every site

FortiManager is Fortinet’s centralized device management platform. Galaxy IT Solutions hosts and operates FortiManager for our managed clients, which means:

  • One policy authored once, deployed everywhere. A new firewall rule, an updated VPN tunnel, a tightened IPS profile — pushed to 1 site or 200 sites with full change history and rollback.
  • Administrative Domains (ADOMs) — your sites are isolated from other customers’ sites at the management layer, and your sub-organizations (different plants, business units, joint ventures) can have separate access if needed.
  • Firmware orchestration — coordinated, scheduled firmware upgrades with pre/post-checks and the ability to roll back automatically if a site fails its post-checks.
  • Configuration backup and restore — every change is versioned, so if a field tech makes a mistake at 2 a.m., we can revert in seconds.
  • Zero-touch provisioning — ship a FortiGate to a site, plug it in, and it pulls its full configuration from FortiManager on first boot. No on-site engineer required.

FortiAnalyzer — the eyes on every site

FortiAnalyzer is the logging, analytics, and reporting hub. It ingests every event from every firewall, switch, and access point in the fleet and turns that into actionable signal:

  • OT-specific MITRE ATT&CK for ICS dashboards — visual mapping of detected events against the industrial-control-system kill chain
  • IEC 62443 and NERC CIP compliance reports generated automatically and exportable for audits
  • Cross-vendor log ingestion — FortiAnalyzer also parses logs from Nozomi, Dragos, Claroty, Cisco, Aruba, and other OT/IT tools, so you get one unified view even in a mixed environment
  • Behavioral baselining — once we’ve watched your network for a few weeks, FortiAnalyzer flags any deviation: a PLC that suddenly starts talking to a new IP, a Modbus write at an unusual time, a credential brute force, a configuration change outside the maintenance window
  • Long-term retention for forensic investigation and regulatory recordkeeping
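
The baselining alerts described above (a PLC contacted by a new peer, a Modbus write outside the maintenance window), as an added example rather than FortiAnalyzer's own logic. The Modbus/TCP framing (MBAP header followed by the PDU) is the standard format; the baseline peers, the maintenance window and the two sample frames are constructed for this example.

```python
from dataclasses import dataclass
from datetime import time

# Modbus function codes that change process state (standard codes).
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}

# Constructed baseline: PLC address -> hosts observed talking to it during learning.
BASELINE_PEERS = {"10.20.0.10": {"10.30.0.5"}}
# Constructed maintenance window (local time) during which writes are expected.
MAINT_WINDOW = (time(8, 0), time(17, 0))

@dataclass
class Flow:
    src: str
    dst: str
    when: time
    payload: bytes  # one Modbus/TCP frame: 7-byte MBAP header + PDU

def parse_function_code(frame: bytes) -> int:
    """Validate the MBAP header and return the PDU's function code.
    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1);
    length counts the bytes that follow it (unit id + PDU)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    if int.from_bytes(frame[2:4], "big") != 0:
        raise ValueError("protocol id is not Modbus")
    if int.from_bytes(frame[4:6], "big") != len(frame) - 6:
        raise ValueError("MBAP length does not match frame length")
    return frame[7]

def inspect(flow: Flow) -> list:
    """Return the alerts this flow raises against the baseline (empty if none)."""
    alerts = []
    fc = parse_function_code(flow.payload)
    if flow.src not in BASELINE_PEERS.get(flow.dst, set()):
        alerts.append(f"new peer {flow.src} -> PLC {flow.dst}")
    in_window = MAINT_WINDOW[0] <= flow.when <= MAINT_WINDOW[1]
    if fc in WRITE_FUNCTIONS and not in_window:
        alerts.append(f"{WRITE_FUNCTIONS[fc]} (FC {fc}) at {flow.when} outside maintenance window")
    return alerts

# Constructed frames: FC 3 read of 2 holding registers; FC 6 write of register 0x10.
READ_REGS = bytes.fromhex("000100000006010300000002")
WRITE_REG = bytes.fromhex("000200000006010600100 0ff".replace(" ", ""))
```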

Together, FortiManager and FortiAnalyzer turn a collection of field firewalls into a coordinated, monitored, auditable fleet — which is the difference between “we have a firewall” and “we have an OT security program.”


What deployment actually looks like

We’ve intentionally designed the Field Kit so a site can be productive within a single business day from the time the gear arrives.

  1. Pre-deployment design (1-2 days) — Galaxy IT engineers work with your team to document the existing PLC environment: IP addresses, protocols, vendor remote-access requirements, primary and backup carriers, and the segmentation model you want.
  2. Staging and pre-configuration (1-2 days) — we build the FortiGate, switch, and any APs against your design, pre-load the configuration via FortiManager, and pre-activate cellular and Starlink service. The kit ships to the site fully built.
  3. On-site cutover (half day per site) — physical install (DIN rail, antennas, Starlink, cabling), cutover from the existing network, verification, and sign-off. For sites near our Conroe office we do this on-site; for distant sites we coordinate with a local electrician under our remote supervision.
  4. Ongoing management — Galaxy IT monitors the fleet from our NOC, applies firmware and policy updates on a scheduled cadence, responds to alerts, and produces a monthly executive report on OT security posture, compliance status, and any incidents.

Who this is for

The Field Kit in a Box pattern fits any operator running PLCs, RTUs, or HMIs in environments that need ruggedized hardware and reliable remote connectivity:

  • Oil and gas — wellhead automation, tank battery monitoring, midstream compressor stations, SCADA back-office. See our oil and gas IT services page for the broader offering.
  • Water and wastewater — lift stations, treatment plants, telemetry over wide service areas
  • Manufacturing — plant-floor PLCs, vision systems, MES integration. Our manufacturing IT services page covers the corporate side of the equation.
  • Energy and utilities — substations, renewables (solar, wind), distributed generation
  • Building automation — large facilities, campuses, healthcare systems with BACnet and Modbus controllers
  • Transportation and logistics — yard automation, port terminals, fueling infrastructure

If your environment has any of the warning signs — a cellular modem with a public IP, a PLC web interface still on default credentials, no log retention, no segmentation between corporate and OT, no failover for the primary link — the Field Kit closes those gaps in a single, pre-engineered package.


What you get with Galaxy IT Solutions

We’re a Conroe, Texas-based MSP and authorized Fortinet partner. Our cybersecurity engineers are certified across Fortinet, Palo Alto, Cisco, and Illumio platforms, with hands-on experience deploying OT segmentation, zero trust, and microsegmentation in production environments. Customers working with us get:

  • Local engineers who can be onsite same-day across Montgomery County and the greater Houston / South Texas industrial corridor
  • Flat-rate managed services — predictable monthly cost, no surprise tickets
  • 24/7 monitoring out of our Conroe NOC, with named escalation contacts you actually reach when it matters
  • Quarterly executive briefings covering OT security posture, compliance evidence, incidents, and recommended next steps
  • Integration with your existing investments — we don’t rip-and-replace working systems unless there’s a reason to

Where to go from here

Securing internet-exposed PLCs isn’t a one-time project — it’s a posture you maintain. But the gap between “wide open with default passwords” and “monitored, segmented, and recoverable” is closable in weeks, not years, when you start with the right hardware and the right management plane.

If you have a remote site, a plant floor, or a fleet of field assets that you’re not 100% sure are properly segmented from the public internet, we’d be glad to do a free walkthrough. Send us your asset list and current network diagram (or whatever you have, even if it’s a whiteboard photo) and we’ll come back with a clear picture of what’s exposed, what isn’t, and what the path looks like to a Field Kit deployment that fits your operation.

Call (346) 406-1700 or request a free OT security assessment. We’re in Conroe, TX — minutes from most Montgomery County and North Houston industrial sites, and a phone call away from anywhere else in Texas.
