- Don't rely on air gap
- How will you do firmware updates?
- Contingency plans
- Block egress traffic
- No email in network
- Allowlisting
- Application
- Especially on engineering workstations
- Privileges
Secure Architecture for Industrial Control Systems
https://www.sans.org/white-papers/36327/
- Access control
- Passwords + 2FA
- Least privilege
- Log management
- Read only, authorised access
- Firewalls, IDSs, VPNs, servers, applications
- Network security
- Firewall segmentation with authentication (deny all)
- IDSs
- Remote access
https://www.sans.org/blog/introduction-to-ics-security-part-2/
- The Internet should not be accessible below Level 4.
- Operations staff may have a separate, dedicated business computer for access to services such as email, Internet, and printing.
- Active Directory (AD) can be implemented to help manage control networks, but any such AD deployment should be completely independent of the business AD. Domain Controllers and other AD servers should be placed in Level 3.
- Enforcement boundaries should be employed as shown in the ICS410 Reference Model.
- Firewalls should block all communication by default, permitting only the communication that is required.
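
An added example (not from the SANS material): a small Python audit of a first-match firewall rule list against three of the points above: no Internet path below Level 4, only required communication permitted, and default deny. Zone names, the rule format and the sample rules are constructed assumptions.

```python
INTERNET = "internet"
# Constructed zone -> Purdue level mapping (zone names are assumptions).
ZONE_LEVEL = {"business": 4, "ot-dmz": 3, "ot-ad": 3, "scada": 2, "plc": 1}

def audit(rules):
    """Return (rule_index, finding) pairs for an ordered, first-match rule list."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        zones = (r["src"], r["dst"])
        # A wildcard allow defeats "permit only the communication that is required".
        if "any" in zones or r["port"] == "any":
            findings.append((i, "overly broad allow"))
        # The Internet should not be accessible below Level 4 (either direction).
        if INTERNET in zones:
            other = r["dst"] if r["src"] == INTERNET else r["src"]
            # Unknown or wildcard zones are treated as Level 0, so they fail closed.
            if ZONE_LEVEL.get(other, 0) < 4:
                findings.append((i, "internet path below level 4"))
    # Default deny: the last rule must drop everything not matched earlier.
    last = rules[-1] if rules else None
    want = ("deny", "any", "any", "any")
    if last is None or tuple(last[k] for k in ("action", "src", "dst", "port")) != want:
        findings.append((len(rules), "missing default deny"))
    return findings

# Constructed sample rule sets (502/tcp is Modbus/TCP).
BAD_RULES = [
    {"src": "scada", "dst": "plc", "port": 502, "action": "allow"},
    {"src": "scada", "dst": INTERNET, "port": 443, "action": "allow"},
    {"src": "business", "dst": "ot-dmz", "port": "any", "action": "allow"},
]
GOOD_RULES = [
    {"src": "scada", "dst": "plc", "port": 502, "action": "allow"},
    {"src": "business", "dst": "ot-dmz", "port": 443, "action": "allow"},
    {"src": "any", "dst": "any", "port": "any", "action": "deny"},
]

if __name__ == "__main__":
    for idx, finding in audit(BAD_RULES):
        print(f"rule {idx}: {finding}")
```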