
    1.5 OT network & cybersecurity baseline

    A flat network significantly increases risk. If a receptionist’s laptop opens a phishing email, the PLCs must continue to operate safely. The primary goal of OT cybersecurity is not simple “IT compliance”; it is production survivability. Network segmentation is the control that contains the blast radius of the breaches that will inevitably happen.

    A strict segmentation model (modified Purdue Model) must be adhered to. Systems must be isolated based on function, not location.

    Level 4: enterprise VLAN (office IT)

    • Risk Profile: High (Email, Web, Phishing).
    • Connectivity: Internet Access Allowed.

    Level 3.5: industrial DMZ (proxies, brokers, jump host)

    • Risk Profile: Medium (Proxy services, Gateways).
    • Connectivity: The only bridge between Enterprise and Plant.

    Level 3: operations VLAN (MES/SCADA servers)

    • Risk Profile: Low.
    • Connectivity: No Internet. Talk only to DMZ and Level 2.

    Level 0-2: control VLAN (PLCs, HMIs, robots)

    • Risk Profile: Critical.
    • Connectivity: Local connections only. Block Default Gateway.
    • When traffic originates from Level 4 (Enterprise) and targets Level 0-2 (PLC), the firewall drops the packet immediately, whatever the port or protocol. A fundamental principle of this architecture is that the ERP finance module does not require a direct connection to a servo motor.
    • When the MES needs data from the ERP, it uses a controlled push/pull mechanism via a DMZ proxy. The two systems are never routed to each other directly.

    The DMZ is not a router; it is a termination point. Traffic must not “pass through” the DMZ; it must break the session.

    • Placement: Physically or logically between the IT Firewall and the OT Firewall.
    • Rule: No Windows file-sharing or remote-procedure protocols (SMB, RPC) are allowed to cross the DMZ in either direction.
    • Mechanism: A “Protocol Break” must be used.
      • Bad: Routing database traffic (port 1433) from L4 to L3.
      • Good: L3 pushes JSON to a Message Broker in DMZ; L4 subscribes to Broker.
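    The segmentation and protocol-break rules above can be encoded as an ordered, first-match policy and tested against sample flows before they are pushed to a firewall. The following is an added example, not code from the original page; the zone addressing, the broker port (MQTT over TLS on 8883) and the sample flows are assumptions for the illustration.

```python
"""Ordered, default-deny zone policy for the modified Purdue layout above (added example;
addressing, broker port and flows are constructed assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: substitute your own VLAN prefixes.
ZONES = {
    "L4":   ip_network("10.4.0.0/16"),   # enterprise
    "DMZ":  ip_network("10.35.0.0/24"),  # industrial DMZ (level 3.5)
    "L3":   ip_network("10.3.0.0/24"),   # operations: MES/SCADA servers
    "L0-2": ip_network("10.2.0.0/24"),   # control: PLCs, HMIs, robots
}
SMB_RPC_PORTS = {135, 137, 138, 139, 445}   # never allowed across the DMZ
BROKER_PORT = 8883                           # assumed: MQTT/TLS on the DMZ message broker


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)


def crosses_dmz(src: str, dst: str) -> bool:
    """True when the flow touches the DMZ or would span the enterprise/plant boundary."""
    return "DMZ" in (src, dst) or (src == "L4") != (dst == "L4")


def evaluate(flow: Flow):
    """Return (verdict, rule_name) using first-match semantics; the last rule is deny."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    # 1. Anything that does not map to a known zone is dropped.
    if src is None or dst is None:
        return "drop", "unknown-zone"
    # 2. Enterprise never talks to the control network, whatever the port.
    if src == "L4" and dst == "L0-2":
        return "drop", "l4-to-control"
    # 3. The control VLAN has no default gateway: only local traffic can exist.
    if src == "L0-2" and dst != "L0-2":
        return "drop", "control-no-gateway"
    # 4. SMB/RPC never crosses the DMZ boundary.
    if crosses_dmz(src, dst) and flow.dport in SMB_RPC_PORTS:
        return "drop", "smb-rpc-across-dmz"
    # 5. Protocol break: L3 and L4 each reach the DMZ broker, never each other.
    if dst == "DMZ" and src in ("L3", "L4") and flow.dport == BROKER_PORT:
        return "accept", "dmz-broker"
    # 6. Operations and control may talk (SCADA polling, HMI traffic).
    if {src, dst} == {"L3", "L0-2"}:
        return "accept", "ops-control"
    # 7. Intra-zone traffic is not the zone firewall's business.
    if src == dst:
        return "accept", "intra-zone"
    # 8. Everything else, including L4 -> L3 database traffic on 1433, is denied.
    return "drop", "default-deny"


# Constructed flows, one per rule worth seeing.
SAMPLE_FLOWS = [
    Flow("10.4.1.20", "10.2.0.5", 502),      # ERP host -> PLC (Modbus): dropped
    Flow("10.4.1.20", "10.3.0.10", 1433),    # L4 -> L3 SQL: the "bad" pattern, dropped
    Flow("10.3.0.10", "10.35.0.5", 8883),    # L3 pushes JSON to the broker: accepted
    Flow("10.4.1.20", "10.35.0.5", 8883),    # L4 subscribes to the broker: accepted
    Flow("10.3.0.10", "10.35.0.5", 445),     # SMB into the DMZ: dropped
    Flow("10.2.0.5", "10.4.1.20", 443),      # PLC trying to leave its VLAN: dropped
    Flow("10.3.0.10", "10.2.0.5", 502),      # SCADA polls a PLC: accepted
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, rule = evaluate(f)
        print(f"{f.src:>12} -> {f.dst:<12} {f.proto}/{f.dport:<5} {verdict:6} ({rule})")
```

    Rule order matters: the enterprise-to-control drop and the missing-gateway drop sit above every accept, so no later "allow" can be widened into a path between the ERP and a PLC. The L4-to-L3 SQL flow falls through to the final deny, which is the whole point of the protocol break.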

    Remote access is a primary initial-access vector for ransomware in OT. Unmanaged “shadow IT” remote-control tools such as TeamViewer or AnyDesk must be eliminated immediately and replaced by a single, monitored jump host.

    Jump host (in DMZ)

    • Location: Resides in the DMZ.
    • Access: RDP/SSH only.
    • Control: Multi-Factor Authentication (MFA) is mandatory.
    • Data Hygiene: Block Clipboard and File Transfer capabilities. If code or files need to be transferred, pass them through a separate “Decontamination Station” for scanning first.

    Vendors do not permanently reside on the network. Access should be treated as temporary and controlled.

    1. No Always-On VPNs.
    2. Request Protocol: The Vendor requests a specific access window (e.g. Tuesday 14:00 - 16:00).
    3. Approval: The OT Manager enables the account for that approved duration only.
    4. Surveillance: When a vendor connects to a critical system, the architecture should support a “Shadow Session” (allowing an internal engineer to actively monitor the screen for oversight).
    5. Termination: The account should automatically disable at the precise end of the approved window (e.g. 16:01).
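    The request/approve/auto-disable cycle above can be reduced to a small reconciliation loop that a scheduler runs every minute. The following is an added example, not code from the original page; the vendor and system names, the list of critical targets, and the rule that a critical target cannot be approved without a named shadow engineer are assumptions, and the enable/disable step is recorded in an audit list rather than calling a real identity system.

```python
"""Time-boxed vendor access grant (added example; names and the critical-target list are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CRITICAL_TARGETS = {"plc-line3", "scada-primary"}   # assumed inventory of critical systems


class WindowError(Exception):
    pass


@dataclass
class AccessWindow:
    target: str
    start: datetime
    end: datetime
    approved_by: str = ""        # OT manager who approved; empty means not approved
    shadow_engineer: str = ""    # internal engineer who watches the session


@dataclass
class VendorAccount:
    name: str
    enabled: bool = False
    windows: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (timestamp, action) pairs


def request_window(account, target, start, end, max_hours=4):
    """Step 2: the vendor asks for a bounded, forward-looking window."""
    if end <= start or end - start > timedelta(hours=max_hours):
        raise WindowError("window must be a bounded forward interval")
    w = AccessWindow(target, start, end)
    account.windows.append(w)
    return w


def approve(window, ot_manager, shadow_engineer=""):
    """Step 3 and 4: only the OT manager approves; critical targets need a shadow engineer."""
    if window.target in CRITICAL_TARGETS and not shadow_engineer:
        raise WindowError(f"{window.target} is critical: name a shadow engineer")
    window.approved_by = ot_manager
    window.shadow_engineer = shadow_engineer
    return window


def reconcile(account, now):
    """Step 5: run from a scheduler. The account is enabled only while an approved
    window is open and is disabled the moment the last one closes."""
    active = any(w.approved_by and w.start <= now < w.end for w in account.windows)
    if active != account.enabled:
        account.enabled = active
        account.audit.append((now, "enable" if active else "disable"))
    return account.enabled


def demo():
    """Constructed scenario: a Tuesday 14:00-16:00 window on a critical PLC."""
    acct = VendorAccount("vendor-acme")
    w = request_window(acct, "plc-line3",
                       datetime(2024, 5, 7, 14, 0), datetime(2024, 5, 7, 16, 0))
    approve(w, ot_manager="ot-manager", shadow_engineer="eng-maria")
    states = {t.strftime("%H:%M"): reconcile(acct, t) for t in (
        datetime(2024, 5, 7, 13, 59), datetime(2024, 5, 7, 14, 0),
        datetime(2024, 5, 7, 15, 30), datetime(2024, 5, 7, 16, 0))}
    return acct, states


if __name__ == "__main__":
    acct, states = demo()
    print(states)        # {'13:59': False, '14:00': True, '15:30': True, '16:00': False}
    print(acct.audit)
```

    An unapproved window never enables the account, and an approved one stops working at its end time without anyone remembering to revoke it; the audit list gives the evidence for the next review of who was on the PLC network and when.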

    What cannot be seen cannot be defended. Logging must be enabled to detect the “pre-attack” reconnaissance.

    • Firewall Deny Logs: A sudden spike in “Deny” traffic frequently indicates an infected host scanning the network for open ports. Configuring alerts for this specific behavior is essential.
    • Auth Failures: Configure the system to trigger a high-priority alert (e.g. Severity 1) when there are three or more failed login attempts on a Jump Host.
    • PLC Mode Changes: When a PLC’s operating mode is switched from “Run” to “Program” over the network (the software equivalent of turning the physical key switch), the system should raise an immediate alarm. Nobody changes a running controller into programming mode during normal production; the action is a recognisable step in sophisticated attacks that rewrite PLC logic (Stuxnet being the well-known case).
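    The three detections above, run over constructed log lines, as an added example that is not code from the original page. The log formats, host names, thresholds and windows are assumptions; the regular expressions would be adapted to the firewall, jump host and PLC event sources actually in use.

```python
"""Deny-spike, jump-host brute-force and PLC mode-change detections over constructed logs
(added example; formats, thresholds and hosts are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like layout with ISO 8601 timestamps.
SAMPLE_LOGS = """\
2024-05-07T10:00:01 otfw kernel: DENY src=10.4.1.20 dst=10.2.0.5 dport=502
2024-05-07T10:00:02 otfw kernel: DENY src=10.4.1.20 dst=10.2.0.6 dport=502
2024-05-07T10:00:02 otfw kernel: DENY src=10.4.1.20 dst=10.2.0.7 dport=44818
2024-05-07T10:00:03 otfw kernel: DENY src=10.4.1.20 dst=10.2.0.8 dport=102
2024-05-07T10:00:03 otfw kernel: DENY src=10.4.1.20 dst=10.2.0.9 dport=1433
2024-05-07T10:00:04 otfw kernel: DENY src=10.4.1.20 dst=10.2.0.10 dport=445
2024-05-07T10:05:00 otfw kernel: DENY src=10.4.2.9 dst=10.2.0.5 dport=502
2024-05-07T10:10:01 jumphost sshd: Failed password for vendor-acme from 10.35.0.50
2024-05-07T10:10:04 jumphost sshd: Failed password for vendor-acme from 10.35.0.50
2024-05-07T10:10:09 jumphost sshd: Failed password for vendor-acme from 10.35.0.50
2024-05-07T10:11:00 jumphost sshd: Accepted password for eng-maria from 10.35.0.50
2024-05-07T10:20:00 plc-line3 ctrl: mode change RUN -> PROGRAM by 10.3.0.10
"""

DENY_RE = re.compile(r"^(\S+) \S+ kernel: DENY src=(\S+) dst=(\S+) dport=(\d+)")
AUTHFAIL_RE = re.compile(r"^(\S+) (jumphost\S*) sshd: Failed password for (\S+) from (\S+)")
PLCMODE_RE = re.compile(r"^(\S+) (\S+) ctrl: mode change (\w+) -> (\w+) by (\S+)")


def _ts(text):
    return datetime.fromisoformat(text)


def detect_deny_spike(lines, window=timedelta(minutes=1), threshold=5):
    """Alert once per source that is denied to >= threshold distinct dst:port pairs inside
    the window; one host probing many ports is the scanning pattern, a single denied
    flow is usually a misconfiguration."""
    seen = defaultdict(list)   # src -> [(timestamp, (dst, port))]
    alerts = []
    for m in filter(None, map(DENY_RE.match, lines)):
        ts, src, dst, port = _ts(m[1]), m[2], m[3], int(m[4])
        seen[src].append((ts, (dst, port)))
        recent = {target for t, target in seen[src] if ts - t <= window}
        if len(recent) >= threshold and not any(a["src"] == src for a in alerts):
            alerts.append({"rule": "deny-spike", "src": src, "targets": len(recent), "severity": 2})
    return alerts


def detect_auth_failures(lines, window=timedelta(minutes=5), threshold=3):
    """Severity-1 alert on >= threshold failed logins for one user on a jump host."""
    fails = defaultdict(list)
    alerts = []
    for m in filter(None, map(AUTHFAIL_RE.match, lines)):
        ts, host, user = _ts(m[1]), m[2], m[3]
        fails[(host, user)].append(ts)
        recent = [t for t in fails[(host, user)] if ts - t <= window]
        if len(recent) >= threshold and not any(a["user"] == user for a in alerts):
            alerts.append({"rule": "jumphost-auth-failures", "host": host, "user": user,
                           "count": len(recent), "severity": 1})
    return alerts


def detect_plc_mode_change(lines):
    """Immediate alarm whenever a PLC is put into PROGRAM mode over the network."""
    return [{"rule": "plc-mode-change", "plc": m[2], "from": m[3], "to": m[4],
             "by": m[5], "severity": 1}
            for m in filter(None, map(PLCMODE_RE.match, lines)) if m[4].upper() == "PROGRAM"]


def run_detections(log_text):
    lines = log_text.splitlines()
    return detect_deny_spike(lines) + detect_auth_failures(lines) + detect_plc_mode_change(lines)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(alert)
```

    The deny-spike rule counts distinct destination:port pairs rather than raw deny lines, so a single broken application retrying one blocked connection does not page anyone, while one enterprise host sweeping the control VLAN does. The second deny source in the sample (one flow) correctly stays below the threshold.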

    Recap: OT Network Segmentation and Security Controls

    | Network Level | Risk Profile | Core Connectivity Rule | Mandatory Security Control |
    | --- | --- | --- | --- |
    | Level 4 (Enterprise) | High | Internet access permitted. | Firewall must drop all traffic to Levels 0-2. |
    | Level 3.5 (Industrial DMZ) | Medium | The only bridge between Enterprise and Plant. | Enforce protocol break (e.g. message broker); no SMB/RPC crossing. |
    | Levels 0-2 (Control) | Critical | Local connections only. | Block default gateway. |
    | Jump Host (in DMZ) | High | RDP/SSH access only. | Mandatory MFA; block clipboard/file transfer. |
    | Logging & Detection | n/a | Enable firewall deny logs and auth logs. | Alert on: 3+ failed logins (Jump Host); PLC mode change to “Program”. |
