
5 Recommendations for the Deployment of Secure OT Networks (Part I)


The emergence of different forms of cyberterrorism and cybercrime, the proliferation of web access to SCADA systems, the standardization of IT technologies in the industrial field, and the adoption of cloud, mobile, and BYOD paradigms make it necessary to pay special attention to the secure deployment, in OT (Operational Technology) networks, of the technologies provided by the main manufacturers of PLCs and SCADA (Wonderware, Siemens, Rockwell, Schneider, etc.).

Although many of these technologies are “secure by design”, this does not guarantee protection against the large number of threats that currently arise in industrial and infrastructure environments.

In a series of entries, we want to propose up to five recommendations that will allow you to provide greater security to an OT network:

1. Always use managed industrial switches whenever possible.

The MTBF of these switches is much higher than that of transactional switches; the fact that they are managed allows greater flexibility in their configuration, and they can be provided with special characteristics for specific environments (DIN rail, IP20, IP67, high availability, redundancy, specific approvals such as IEC 61850, industrial protocols such as Profibus or EtherNet/IP, etc.).

2. Physically segment the IT network from the OT network, where the real-time technologies (PLCs, SCADA, HMI, etc.) have been installed, using industrial firewalls/routers.

The figure shows how the firewall/router device separates two network segments: network A (IT, with IP address range 192.168.1.X) and network B (OT, with IP address range 193.167.1.X). In addition to separating the two networks, the device acts as a firewall, blocking unauthorized traffic between the two segments.
Normally, this type of segmentation device can be configured to perform 1:1 NAT (Network Address Translation), so that equipment on the IT network only sees the IP address of the router interface that communicates with the equipment on the OT network, which increases the security of the traffic passing between the two networks.

[Figure: Secure OT networks]
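A simplified model of the boundary device from recommendation 2, written as an added example (not code from the original post): default-deny filtering between the IT segment 192.168.1.0/24 and the OT segment 193.167.1.0/24, with a 1:1 NAT table so that IT hosts only ever address aliases on the router's IT side. The NAT entries, the allow-list, the host addresses and the ports are constructed for the example; only IT-initiated flows are modelled, replies being handled by connection state on a real device.

```python
"""Model of an IT/OT firewall/router: default deny plus 1:1 NAT."""
import ipaddress
from dataclasses import dataclass

IT_NET = ipaddress.ip_network("192.168.1.0/24")   # network A (IT)
OT_NET = ipaddress.ip_network("193.167.1.0/24")   # network B (OT)

# 1:1 NAT table (constructed): each published OT asset gets a fixed alias
# on the IT side of the router, so IT hosts never see 193.167.1.X directly.
NAT_1TO1 = {
    "192.168.1.201": "193.167.1.10",   # PLC behind the router
    "192.168.1.202": "193.167.1.20",   # SCADA server behind the router
}

# Allow-list of (IT source, IT-side alias, protocol, port); everything else
# is dropped. Constructed: Modbus/TCP 502 only from the engineering station
# and OPC UA 4840 only from the HMI workstation.
ALLOW = {
    ("192.168.1.50", "192.168.1.201", "tcp", 502),
    ("192.168.1.60", "192.168.1.202", "tcp", 4840),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def filter_and_translate(pkt):
    """Return ('forward', translated packet) or ('drop', reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src not in IT_NET:
        return "drop", "source is not on the IT segment"
    if dst in OT_NET:
        # The OT range must stay invisible from IT; only aliases are reachable.
        return "drop", "direct addressing of the OT range is not permitted"
    if pkt.dst not in NAT_1TO1:
        return "drop", "destination is not a published OT alias"
    if (pkt.src, pkt.dst, pkt.proto, pkt.dport) not in ALLOW:
        return "drop", "no allow rule for this flow (default deny)"
    # Rewrite the destination to the real OT address and forward.
    return "forward", Packet(pkt.src, NAT_1TO1[pkt.dst], pkt.proto, pkt.dport)


if __name__ == "__main__":
    print(filter_and_translate(Packet("192.168.1.50", "192.168.1.201", "tcp", 502)))
    print(filter_and_translate(Packet("192.168.1.50", "193.167.1.10", "tcp", 502)))
```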

3. Avoid using VLANs to separate IT and OT.

If you do use VLANs within the OT environment itself, do not perform trunking between switches to connect server and client equipment. If you have to do so for very specific needs, filter the traffic between switches/VLANs using industrial firewalls compatible with the IEEE 802.1Q standard.

[Figure: 5 recommendations for secure OT networks]

In the next entry, we will propose another two recommendations.