When industrial companies acquire or merge with other operations, cybersecurity due diligence often gets shortchanged. IT security is sometimes included; OT cybersecurity is frequently overlooked. This is a critical gap. Acquiring a facility with outdated control systems, poor security practices, and no incident response capability introduces significant risk. Post-acquisition integration can expose both the acquired operation and the acquirer to attacks. Rigorous cybersecurity due diligence—both IT and OT—is essential.
OT cybersecurity due diligence is different from IT due diligence. You're not just evaluating digital assets; you're assessing the security of physical processes that may be decades old, that may run 24/7, and that may be difficult to modify without significant downtime and engineering effort. Your assessment must account for operational constraints and realistic remediation timelines.
Due Diligence Assessment Areas
Start with asset inventory and network architecture. What control systems does the target operate? How are they networked? Are they segmented from corporate IT? What remote access exists, and how is it secured? Document everything. Many acquisitions have uncovered undocumented systems and network connections that create unexpected risk. Ask the target for their asset lists, network diagrams, and other topology documentation. If they can't provide it, that's a data quality problem that affects your risk assessment.
Assess the target's security maturity. Do they have a cybersecurity program? Who owns it? What monitoring exists? Have they conducted vulnerability assessments? What's their patch management process? Do they have incident response capability? These questions reveal whether they've invested in security or whether security is reactive and ad-hoc. A target with minimal security investment presents remediation costs that you must factor into the valuation.
Key Due Diligence Areas
- OT asset inventory and documentation: What control systems do they operate, what are they used for, what are their criticality levels, and is there accurate documentation? Missing documentation is a red flag.
- Network architecture and segmentation: How are control systems networked? Are critical systems segregated from business systems? How is remote access managed? Flat networks and unrestricted remote access represent elevated risk.
- Regulatory compliance status: If the target is subject to NERC CIP, EPA guidance, or other regulations, are they compliant? What violations or findings exist? Compliance gaps create post-acquisition remediation costs and potentially legal exposure.
- Vulnerability and patch management: Have they conducted vulnerability assessments? What's the age and severity of known vulnerabilities? What's their patch management process? Unpatched critical vulnerabilities present immediate risk.
- Incident response and forensics capability: Have they experienced security incidents? How did they handle detection, response, and recovery? Lack of incident response capability increases risk if an incident occurs during integration.
- Personnel and staffing: Who manages cybersecurity? Do they have dedicated OT security expertise? Is knowledge concentrated in a few key people? Turnover or loss of critical expertise is a risk.
Valuation and Integration Planning
Use due diligence findings to adjust valuation and plan integration. Significant cybersecurity gaps should be valued as remediation costs and deducted from purchase price or held in escrow pending remediation. Regulatory non-compliance should be valued as legal and remediation risk. In post-acquisition integration planning, prioritize security integration. Plan how you'll integrate their systems into your network, how you'll remediate vulnerabilities, and how you'll standardize their security practices to match your baseline.
We help industrial organizations conduct cybersecurity due diligence for acquisitions and support post-acquisition security integration. Contact us to plan cybersecurity due diligence for your transaction.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.