1.5 OT network & cybersecurity baseline
A flat network significantly increases risk. If a receptionist’s laptop opens a phishing email, it is critical that the PLCs continue to operate safely. The primary goal of OT Cybersecurity goes beyond simple “IT Compliance”; it is about ensuring Production Survivability. Network segmentation is essential to contain the potential impact of inevitable breaches.
Minimum viable architecture (VLAN zones)
Section titled “Minimum viable architecture (VLAN zones)”A strict segmentation model (modified Purdue Model) must be adhered to. Systems must be isolated based on function, not location.
Level 4: enterprise VLAN (business/ERP)
Section titled “Level 4: enterprise VLAN (business/ERP)”- Risk Profile: High (Email, Web, Phishing).
- Connectivity: Internet Access Allowed.
Level 3.5: industrial DMZ (the airlock)
Section titled “Level 3.5: industrial DMZ (the airlock)”- Risk Profile: Medium (Proxy services, Gateways).
- Connectivity: The only bridge between Enterprise and Plant.
Level 3: operations VLAN (MES/SCADA servers)
Section titled “Level 3: operations VLAN (MES/SCADA servers)”- Risk Profile: Low.
- Connectivity: No Internet. Talk only to DMZ and Level 2.
Level 0-2: control VLAN (PLCs, HMIs, robots)
Section titled “Level 0-2: control VLAN (PLCs, HMIs, robots)”- Risk Profile: Critical.
- Connectivity: Local connections only. Block Default Gateway.
Segmentation logic
Section titled “Segmentation logic”- When traffic originates from Level 4 (Enterprise) and targets Level 0-2 (PLC), the firewall should drop the packet immediately. A fundamental principle of this architecture is that the ERP finance module does not require a direct connection to a servo motor.
- When the MES needs data from the ERP, it should utilize a controlled push/pull mechanism via a DMZ Proxy. Direct routing is not recommended.
DMZ placement & rules
Section titled “DMZ placement & rules”The DMZ is not a router; it is a termination point. Traffic must not “pass through” the DMZ; it must break the session.
- Placement: Architecturally or logically between the IT Firewall and the OT Firewall.
- Rule: No common protocols (SMB/RPC) allowed to cross the DMZ.
- Mechanism: A “Protocol Break” must be used.
- Bad: Routing database traffic (port 1433) from L4 to L3.
- Good: L3 pushes JSON to a Message Broker in DMZ; L4 subscribes to Broker.
Pro-Tip: If a system or equipment vendor specifies that their software requires a flat network or direct internet access to the PLC, this introduces a significant security liability. It is advisable to isolate that equipment in a dedicated “Dirty VLAN” with strict firewall rules.
Jump host & vendor access policy
Section titled “Jump host & vendor access policy”Remote access is the primary vector for ransomware. “Shadow IT” tools like TeamViewer or AnyDesk must be eliminated immediately.
The jump host (bastion)
Section titled “The jump host (bastion)”- Location: Resides in the DMZ.
- Access: RDP/SSH only.
- Control: Multi-Factor Authentication (MFA) should be considered Mandatory.
- Data Hygiene: Block Clipboard and File Transfer capabilities. If code or files need to be transferred, pass them through a separate “Decontamination Station” for scanning first.
Vendor “just-in-time” access
Section titled “Vendor “just-in-time” access”Vendors do not permanently reside on the network. Access should be treated as temporary and controlled.
- No Always-On VPNs.
- Request Protocol: The Vendor requests a specific access window (e.g. Tuesday 14:00 - 16:00).
- Approval: The OT Manager enables the account for that approved duration only.
- Surveillance: When a vendor connects to a critical system, the architecture should support a “Shadow Session” (allowing an internal engineer to actively monitor the screen for oversight).
- Termination: The account should automatically disable at the precise end of the approved window (e.g. 16:01).
Logging & detection
Section titled “Logging & detection”What cannot be seen cannot be defended. Logging must be enabled to detect the “pre-attack” reconnaissance.
- Firewall Deny Logs: A sudden spike in “Deny” traffic frequently indicates an infected host scanning the network for open ports. Configuring alerts for this specific behavior is essential.
- Auth Failures: Configure the system to trigger a high-priority alert (e.g. Severity 1) when there are three or more failed login attempts on a Jump Host.
- PLC Mode Changes: When a PLC’s key switch is changed from “Run” to “Program” remotely, the system should trigger an immediate alarm. This action is often a signature of sophisticated attacks (resembling Stuxnet).
Final Checkout: Ot network & cybersecurity baseline
Section titled “Final Checkout: Ot network & cybersecurity baseline”| Category | Metric / Control | Threshold / Rule |
|---|---|---|
| Segmentation | VLAN Leakage | 0 direct routes from L4 (Office) to L2 (PLC) |
| DMZ | Protocol Break | No direct TCP sessions pass through DMZ |
| Access | MFA Coverage | 100% of Remote Access requires Token/App |
| Vendors | VPN State | Default State = Disabled (On-demand only) |
| Software | Blacklist | TeamViewer, AnyDesk, VNC blocked at Gateway |
| Logging | Retention | Firewall Logs retained for ≥ 90 Days |
| Recovery | Config Backup | Network Switch configs backed up weekly |