Skip to main content

1.5 OT Network & Cybersecurity Baseline

A flat network is a suicide pact. If a receptionist's laptop opens a phishing email, your PLCs must not shut down. The goal of OT Cybersecurity is not "IT Compliance"; it is Production Survivability. We segment the network to contain the blast radius of inevitable breaches.

Minimum Viable Architecture (VLAN Zones)

Adhere to a strict segmentation model (modified Purdue Model). Isolate systems based on function, not location.

Level 4: Enterprise VLAN (Business/ERP)

  • Risk Profile: High (Email, Web, Phishing).
  • Connectivity: Internet Access Allowed.

Level 3.5: Industrial DMZ (The Airlock)

  • Risk Profile: Medium (Proxy services, Gateways).
  • Connectivity: The only bridge between Enterprise and Plant.

Level 3: Operations VLAN (MES/Scada Servers)

  • Risk Profile: Low.
  • Connectivity: No Internet. Talk only to DMZ and Level 2.

Level 0-2: Control VLAN (PLCs, HMIs, Robots)

  • Risk Profile: Critical.
  • Connectivity: Strictly Local. Block Default Gateway.

Segmentation Logic

  • If Source is Level 4 (Enterprise) AND Destination is Level 0-2 (PLC) → Drop Packet immediately. (Physics Rule: The ERP finance module has no business talking to a servo motor).
  • If MES needs data from ERP → Push/Pull via DMZ Proxy. Never route directly.

DMZ Placement & Rules

The DMZ is not a router; it is a termination point. Traffic must not "pass through" the DMZ; it must break the session.

  • Placement: Physically or logically between the IT Firewall and the OT Firewall.
  • Rule: No common protocols (SMB/RPC) allowed to cross the DMZ.
  • Mechanism: Use a "Protocol Break".
    • Bad: Routing database traffic (port 1433) from L4 to L3.
    • Good: L3 pushes JSON to a Message Broker in DMZ; L4 subscribes to Broker.

Pro-Tip: If a vendor claims their software "needs" a flat network or direct internet access to the PLC, they are selling you a liability. Isolate that machine in a "Dirty VLAN" and firewall it to death.

Jump Host & Vendor Access Policy

Remote access is the primary vector for ransomware. Eliminate "Shadow IT" tools like TeamViewer or AnyDesk immediately.

The Jump Host (Bastion)

  • Location: Resides in the DMZ.
  • Access: RDP/SSH only.
  • Control: Multi-Factor Authentication (MFA) is Non-Negotiable.
  • Data Hygiene: Block Clipboard and File Transfer. If code must move, scan it in a separate "Decontamination Station" first.

Vendor "Just-in-Time" Access

Vendors do not own your network. They are guests.

  1. No Always-On VPNs.
  2. Request Protocol: Vendor requests access window (e.g., Tuesday 14:00 - 16:00).
  3. Approval: OT Manager enables the account for that specific duration.
  4. Surveillance: If Vendor connects → Then Force "Shadow Session" (Internal Engineer watches the screen).
  5. Termination: Account auto-disables at 16:01.

Logging & Detection

You cannot defend what you cannot see. Enable logging to detect the "pre-attack" reconnaissance.

  • Firewall Deny Logs: A spike in "Deny" traffic usually indicates an infected host scanning for open ports. Alert on this.
  • Auth Failures: 3+ Failed Login attempts on a Jump Host → Trigger Sev 1 Alert.
  • PLC Mode Changes: If Key Switch moves from "Run" to "Program" remotely → Trigger Alarm. (This is the "Stuxnet" signature).

Final Checklist

Category

Metric / Control

Threshold / Rule

Segmentation

VLAN Leakage

0 direct routes from L4 (Office) to L2 (PLC)

DMZ

Protocol Break

No direct TCP sessions pass through DMZ

Access

MFA Coverage

100% of Remote Access requires Token/App

Vendors

VPN State

Default State = Disabled (On-demand only)

Software

Blacklist

TeamViewer, AnyDesk, VNC blocked at Gateway

Logging

Retention

Firewall Logs retained for ≥ 90 Days

Recovery

Config Backup

Network Switch configs backed up weekly

Back to top