Cellular modems are the forgotten security perimeter in manufacturing. A modem connected to an industrial router, an old automation controller, or a remote access terminal becomes a backdoor that is invisible to your network team and uncovered by your firewall rules. Many facilities have cellular connectivity they don't even know exists—installed by equipment vendors for remote support or by integrators for ease of initial commissioning.
The security issue is that a cellular modem connected to a PLC or controller creates a direct inbound access path from the internet that bypasses your network perimeter entirely. An attacker who gains access to a cellular network provider's subscriber network, or who finds the modem's default credentials, can reach inside your plant without ever touching your firewall.
The Cellular Security Threat Model
Cellular modems typically run embedded firmware that is rarely updated. They authenticate to the carrier's network using credentials that are hard-coded or stored in plain text. Most modems support HTTP-based remote management interfaces accessible over the cellular connection with default credentials still active. If a modem is accessible from the internet (many are), an attacker can reach it before your firewall even knows a connection attempt is happening.
The second threat is accidental: a cellular modem could provide an unintended egress path for malware or exfiltrated data. A compromised OT device with cellular access can phone home to an attacker without traversing your firewall, DNS servers, or proxy. Data loss detection systems won't catch outbound traffic that bypassed your network.
Inventory and Hardening
- Complete Cellular Audit: Systematically identify all cellular modems in your facilities. Check backup WAN routers, equipment cabinets, remote pump stations, and SCADA consoles. Document the device model, firmware version, purpose, and network interface it connects to.
- Disable Unnecessary Connectivity: If a modem exists for equipment vendor remote support and you have since assigned an internal support team, consider deactivating it. If it is required only for emergency notifications, disable TCP/IP and restrict it to SMS-only functionality.
- Strong Authentication and Encryption: Change default credentials immediately. Enable SSH-only access (disable Telnet and HTTP). Use VPN over the cellular connection to establish secure tunnels back to your facilities rather than exposing the device directly to the internet.
- Restricted Network Connectivity: Use ACLs on the host router to restrict which devices can reach the cellular modem. Never allow the modem to bridge directly to the OT network—it should be on a separate management VLAN with explicit firewall rules controlling what it can reach.
Carrier and Operational Considerations
Cellular coverage, latency, and carrier service quality vary by location. Document which devices require cellular connectivity for operational purposes (emergency alerts, critical remote access) and which are vestigial. Prioritize cellular hardening for devices that control physical access or safety-critical functions.
Work with your carrier to enable additional security services: restricted APN access, rate limiting on data connections, and alerts for unusual traffic patterns. Some carriers offer private APNs that segregate your traffic from public internet, reducing the attack surface significantly.
If you'd like to audit cellular modems in your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.