
1.5 OT Network & Cybersecurity Baseline

A flat network is a suicide pact. If a receptionist's laptop opens a phishing email, your PLCs must not shut down. The goal of OT Cybersecurity is not "IT Compliance"; it is Production Survivability. We segment the network to contain the blast radius of inevitable breaches.

Minimum Viable Architecture (VLAN Zones)

Adhere to a strict segmentation model (modified Purdue Model). Isolate systems based on function, not location.

Level 4: Enterprise VLAN (Business/ERP)

  • Risk Profile: High (Email, Web, Phishing).
  • Connectivity: Internet Access Allowed.

Level 3.5: Industrial DMZ (The Airlock)

  • Risk Profile: Medium (Proxy services, Gateways).
  • Connectivity: The only bridge between Enterprise and Plant.

Level 3: Operations VLAN (MES/SCADA Servers)

  • Risk Profile: Low.
  • Connectivity: No Internet. Talk only to DMZ and Level 2.

Level 0-2: Control VLAN (PLCs, HMIs, Robots)

  • Risk Profile: Critical.
  • Connectivity: Strictly Local. Block Default Gateway.

Segmentation Logic

  • If Source is Level 4 (Enterprise) AND Destination is Level 0-2 (PLC) → Drop Packet immediately. (Physics Rule: The ERP finance module has no business talking to a servo motor).
  • If MES needs data from ERP → Push/Pull via DMZ Proxy. Never route directly.

DMZ Placement & Rules

The DMZ is not a router; it is a termination point. Traffic must not "pass through" the DMZ; it must break the session.

  • Placement: Physically or logically between the IT Firewall and the OT Firewall.
  • Rule: No common protocols (SMB/RPC) allowed to cross the DMZ.
  • Mechanism: Use a "Protocol Break".
    • Bad: Routing database traffic (port 1433) from L4 to L3.
    • Good: L3 pushes JSON to a Message Broker in DMZ; L4 subscribes to Broker.

Pro-Tip: If a vendor claims their software "needs" a flat network or direct internet access to the PLC, they are selling you a liability. Isolate that machine in a "Dirty VLAN" and firewall it to death.
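The segmentation logic and the DMZ rules above can be written down as a single ordered policy and checked before it ever reaches a firewall. The following is an added example, not code from the original page: a small zone policy evaluator that encodes the "physics rule" (L4 never reaches L0-2), the no-default-gateway rule for the control zone, the ban on SMB/RPC crossing the DMZ, and the protocol break (L3 and L4 both terminate at a broker in the DMZ, never at each other). The zone labels, the broker port (8883, MQTT over TLS) and the industrial ports allowed from L3 into the control zone are assumptions for illustration; the `reachable()` helper exists so the checklist metric "0 direct routes from L4 to L2" can be verified from the policy itself rather than trusted.

```python
"""Zone policy evaluator for the modified Purdue segmentation described on this page.
Added example, not part of the original page. Zone labels, the DMZ broker port and
the sample flows are constructed assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass

ENTERPRISE, DMZ, OPERATIONS, CONTROL = "L4", "L3.5", "L3", "L0-2"

# Well-known ports for the protocols the page forbids from crossing the DMZ.
DMZ_BANNED = {135: "RPC", 139: "NetBIOS", 445: "SMB"}
# Assumed: the DMZ message broker listens on MQTT-over-TLS (8883).
BROKER_PORT = 8883
# Assumed industrial protocols L3 may use toward the control zone (Modbus/TCP, EtherNet/IP).
CONTROL_PORTS = {502, 44818}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Explicit drops come first so the deny log says why,
    then a narrow allow list, then default deny."""
    s, d, p = flow.src_zone, flow.dst_zone, flow.dport
    if s == d:
        return "ALLOW", "intra-zone traffic"
    if s == ENTERPRISE and d == CONTROL:
        return "DROP", "L4->L0-2 forbidden (physics rule)"
    if s == CONTROL:
        return "DROP", "control zone has no default gateway; nothing leaves"
    if {s, d} == {ENTERPRISE, OPERATIONS}:
        return "DROP", "no direct L4<->L3 session; terminate in the DMZ"
    if DMZ in (s, d) and p in DMZ_BANNED:
        return "DROP", f"{DMZ_BANNED[p]} may not cross the DMZ"
    if d == DMZ and p == BROKER_PORT and s in (ENTERPRISE, OPERATIONS):
        return "ALLOW", "protocol break via DMZ broker"
    if s == OPERATIONS and d == CONTROL and p in CONTROL_PORTS:
        return "ALLOW", "L3 supervisory traffic to control zone"
    return "DROP", "default deny"


def reachable(src: str, dst: str, ports=range(1, 65536)) -> bool:
    """True if any port in `ports` would be allowed from src to dst.
    Verifies the checklist metric '0 direct routes from L4 to L2' from the policy."""
    return any(evaluate(Flow(src, dst, p))[0] == "ALLOW" for p in ports)


if __name__ == "__main__":
    # Constructed sample flows covering the page's good and bad cases.
    samples = [
        Flow(ENTERPRISE, CONTROL, 502),      # office -> PLC: drop
        Flow(ENTERPRISE, OPERATIONS, 1433),  # page's "bad": raw DB traffic L4 -> L3
        Flow(OPERATIONS, DMZ, BROKER_PORT),  # page's "good": L3 pushes to broker
        Flow(ENTERPRISE, DMZ, BROKER_PORT),  # page's "good": L4 subscribes to broker
        Flow(ENTERPRISE, DMZ, 445),          # SMB toward the DMZ: drop
        Flow(OPERATIONS, CONTROL, 502),      # SCADA polling a PLC: allow
        Flow(CONTROL, DMZ, 443),             # PLC trying to leave its zone: drop
    ]
    for f in samples:
        verdict, reason = evaluate(f)
        print(f"{f.src_zone:>5} -> {f.dst_zone:<5} :{f.dport:<6} {verdict:<5} {reason}")
    print("L4 can reach L0-2 on any port:", reachable(ENTERPRISE, CONTROL))
```

Running the block prints one verdict line per sample flow and ends with `L4 can reach L0-2 on any port: False`. The design choice worth noting is that every page rule is an explicit drop with its own reason string ahead of the allow list, so the deny log produced by the real firewall can carry the same reasons and a reviewer can map each log line back to a policy statement.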

Jump Host & Vendor Access Policy

Remote access is the primary vector for ransomware. Eliminate "Shadow IT" tools like TeamViewer or AnyDesk immediately.

The Jump Host (Bastion)

  • Location: Resides in the DMZ.
  • Access: RDP/SSH only.
  • Control: Multi-Factor Authentication (MFA) is Non-Negotiable.
  • Data Hygiene: Block Clipboard and File Transfer. If code must move, scan it in a separate "Decontamination Station" first.

Vendor "Just-in-Time" Access

Vendors do not own your network. They are guests.

  1. No Always-On VPNs.
  2. Request Protocol: Vendor requests access window (e.g., Tuesday 14:00 - 16:00).
  3. Approval: OT Manager enables the account for that specific duration.
  4. Surveillance: If Vendor connects → Then Force "Shadow Session" (Internal Engineer watches the screen).
  5. Termination: Account auto-disables at 16:01.
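The five steps above are a schedule, and a schedule can be reconciled by a script that runs every minute instead of by someone remembering to flip the account back off. The following is an added example, not code from the original page: `desired_state()` computes which vendor accounts should be enabled right now (default disabled; only an approved window that covers the current time enables one), `reconcile()` emits the enable/disable actions needed to get from the directory's current state to that, and `admit_session()` refuses a connection unless the window is open and an internal engineer is attached to shadow it. The one-minute grace (so a 14:00-16:00 window disables at 16:01, as the page states), the vendor names and the approval field are constructed assumptions.

```python
"""Just-in-time vendor account scheduler for the request/approve/auto-disable flow above.
Added example, not part of the original page. The window data, the one-minute disable
grace and the shadow-session check are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Page rule: a 14:00-16:00 window auto-disables at 16:01, i.e. one minute after it ends.
DISABLE_GRACE = timedelta(minutes=1)


@dataclass(frozen=True)
class AccessWindow:
    vendor: str                 # vendor account name on the jump host
    start: datetime
    end: datetime
    approved_by: Optional[str]  # OT manager who approved; None means still pending


def desired_state(windows: list[AccessWindow], now: datetime) -> dict[str, bool]:
    """Which vendor accounts should be enabled at `now`.
    Default is disabled; only an approved window covering `now` enables an account."""
    state = {w.vendor: False for w in windows}
    for w in windows:
        if w.approved_by and w.start <= now < w.end + DISABLE_GRACE:
            state[w.vendor] = True
    return state


def reconcile(windows: list[AccessWindow], now: datetime, current: dict[str, bool]) -> list[str]:
    """Account actions the scheduler must issue (intended to run every minute).
    Accounts known to the directory but without any window are disabled too."""
    desired = desired_state(windows, now)
    actions = []
    for vendor in sorted(set(current) | set(desired)):
        want = desired.get(vendor, False)
        if current.get(vendor, False) != want:
            actions.append(f"{'enable' if want else 'disable'} {vendor}")
    return actions


def admit_session(window: AccessWindow, now: datetime, observer: Optional[str]) -> tuple[bool, str]:
    """Gate a connection attempt: the window must be open AND an internal engineer
    must be attached to shadow the session (page step 4)."""
    if not desired_state([window], now)[window.vendor]:
        return False, "account disabled: no approved window covers this time"
    if not observer:
        return False, "shadow session required: no internal engineer attached"
    return True, f"admitted; {observer} is shadowing the session"


# Constructed sample: Tuesday 2024-05-07, 14:00-16:00, one approved request and one pending.
SAMPLE_ACME = AccessWindow("vendor_acme", datetime(2024, 5, 7, 14, 0),
                           datetime(2024, 5, 7, 16, 0), approved_by="ot-manager")
SAMPLE_BETA = AccessWindow("vendor_beta", datetime(2024, 5, 7, 14, 0),
                           datetime(2024, 5, 7, 16, 0), approved_by=None)


def sample_time(hour: int, minute: int) -> datetime:
    """Clock reading on the constructed sample day."""
    return datetime(2024, 5, 7, hour, minute)


if __name__ == "__main__":
    for h, m in ((13, 59), (14, 0), (16, 0), (16, 1)):
        print(sample_time(h, m).time(), desired_state([SAMPLE_ACME, SAMPLE_BETA], sample_time(h, m)))
    # A stale account the directory still has enabled gets disabled on the same pass.
    print(reconcile([SAMPLE_ACME, SAMPLE_BETA], sample_time(16, 1),
                    {"vendor_acme": True, "vendor_old": True}))
    print(admit_session(SAMPLE_ACME, sample_time(15, 0), observer=None))
    print(admit_session(SAMPLE_ACME, sample_time(15, 0), observer="j.doe"))
```

The point of `reconcile()` taking the directory's current state as input is that it disables anything it does not recognise: an account left enabled from last month's visit is closed on the first pass, which is what the checklist's "Default State = Disabled" actually requires.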

Logging & Detection

You cannot defend what you cannot see. Enable logging to detect the "pre-attack" reconnaissance.

  • Firewall Deny Logs: A spike in "Deny" traffic usually indicates an infected host scanning for open ports. Alert on this.
  • Auth Failures: 3+ Failed Login attempts on a Jump Host → Trigger Sev 1 Alert.
  • PLC Mode Changes: If Key Switch moves from "Run" to "Program" remotely → Trigger Alarm. (This is the "Stuxnet" signature).

Final Checklist

Category     | Metric / Control | Threshold / Rule
-------------|------------------|---------------------------------------------
Segmentation | VLAN Leakage     | 0 direct routes from L4 (Office) to L2 (PLC)
DMZ          | Protocol Break   | No direct TCP sessions pass through DMZ
Access       | MFA Coverage     | 100% of Remote Access requires Token/App
Vendors      | VPN State        | Default State = Disabled (On-demand only)
Software     | Blacklist        | TeamViewer, AnyDesk, VNC blocked at Gateway
Logging      | Retention        | Firewall Logs retained for ≥ 90 Days
Recovery     | Config Backup    | Network Switch configs backed up weekly