• Don't rely on air gap
  • How will you do firmware updates?
• Contingency plans
• Block egress traffic
  • Stop C2
• No email in network
  • Avoid phishing
• Allowlisting
  • Application
  • Especially on engineering workstations
• Privileges

Secure Architecture for Industrial Control Systems

https://www.sans.org/white-papers/36327/

• Access control
  • Passwords + 2FA
  • Least privilege
• Log management
  • Read only, authorised access
  • Firewalls, IDSs, VPNs, servers, applications
• Network security
  • Firewall segmentation with authentication (deny all)
  • IDSs
• Remote access
  • One level at a time

https://www.sans.org/blog/introduction-to-ics-security-part-2/

• The Internet should not be accessible below Level 4.
• Operations staff may have a separate, dedicated business computer for access to services such as email, Internet, and printing.
• Active Directory (AD) can be implemented to help manage control networks, but any such AD deployment should be completely independent of the business AD. Domain Controllers and other AD servers should be placed in Level 3.
• Enforcement boundaries should be employed as shown in the ICS410 Reference Model.
• Firewalls should block all communication by default, permitting only the communication that is required.