Intermediate | Network Security

Segment OT and ICS networks completely from corporate IT

The 2015 Ukraine power grid attack succeeded because the attackers could reach SCADA industrial control systems from the corporate network they had infiltrated via phishing emails. The Target breach succeeded because POS systems were on the same network segment as a compromised HVAC vendor's access point. Operational technology (OT) and industrial control systems (ICS) must be completely isolated from corporate IT networks with no routable path between them. If monitoring requires connectivity, use unidirectional data diodes. Any device that can read a corporate email must never be able to reach a centrifuge controller, power substation relay, or manufacturing system.

Tags: OT segmentation, ICS, SCADA, network isolation, industrial security

More in Network Security

Advanced

Adopt zero-trust architecture: verify every request regardless of network origin

The SolarWinds attack compromised the trust that internal network location implies authorisation. Once inside a network via a malicious software update, the attackers moved freely because internal systems implicitly trusted each other. Zero-trust architecture removes that assumption: every request, regardless of whether it originates from inside or outside the network perimeter, must be authenticated, authorised, and continuously validated. Implement micro-segmentation, require MFA for all internal application access, enforce device health checks before granting access, and log all east-west traffic.

See: SolarWinds Supply Chain | Network Security

Beginner

Place IoT and smart devices on isolated VLANs with no access to production systems

An internet-connected fish tank thermometer at a casino served as the entry point for attackers who reached the high-roller customer database. The thermometer was on the corporate network with a routable path to internal systems. Every IoT device — smart TVs, HVAC controllers, IP cameras, building management systems, even fish tank sensors — must be on a dedicated VLAN that has no access to any system containing sensitive data. The VLAN should permit only the specific outbound internet traffic the device requires for its function. Treat every IoT device as untrusted by default.

See: Casino Fish Tank IoT Hack | Network Security

Intermediate

Monitor DNS traffic — it reveals command-and-control, data exfiltration, and lateral movement

DNS is one of the most information-rich network signals available. Command-and-control malware uses DNS to communicate with its operators. Data exfiltration can be encoded in DNS queries. Lateral movement generates characteristic DNS lookup patterns. Many organisations monitor HTTP traffic but leave DNS unmonitored. Deploy DNS security services (Cisco Umbrella, Cloudflare Gateway, or a self-hosted resolver with logging) and configure alerts for: newly registered domains, unusual query volumes, queries for domains with high entropy names (DGA indicators), and DNS-over-HTTPS to unexpected resolvers.

See: Conficker Worm | Network Security
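An added example, not part of this guide, of the alerting logic described above run over constructed resolver log lines: it scores each name's registrable label by Shannon entropy as a DGA indicator, counts per-client query volume, and flags lookups of public DNS-over-HTTPS endpoints other than a hypothetical approved resolver. The log format, the thresholds and the approved-resolver name are assumptions; newly registered domain detection needs an external registration feed and is left out.

```python
"""Toy DNS-log triage (added example): flag DGA-like high-entropy names,
per-client query bursts, and lookups of public DoH endpoints other than
the approved resolver. Log format and thresholds are assumed."""
import math
from collections import Counter

# Assumed log format: "<epoch> <client_ip> <qname> <qtype>"; all lines constructed
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com A
1700000002 10.0.0.7 xk3jq9zv1pl8wq2r.net A
1700000003 10.0.0.7 q7mz2ab9dk4xp1vc.com A
1700000004 10.0.0.7 ab12cd34ef56gh78.org A
1700000005 10.0.0.7 www.example.org A
1700000006 10.0.0.9 dns.google A
1700000007 10.0.0.9 doh.corp.example A
"""

ENTROPY_THRESHOLD = 3.6   # bits per character; assumed tuning value
MIN_LABEL_LEN = 12        # short labels give noisy entropy; assumed
VOLUME_THRESHOLD = 3      # queries per client in the window; assumed
APPROVED_DOH = {"doh.corp.example"}  # hypothetical sanctioned resolver
# Well-known public DoH hostnames: a client resolving one is about to bypass the logged resolver
KNOWN_DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname: str) -> str:
    """Second-level label ('example' for www.example.com); naive, ignores co.uk-style suffixes."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def triage(log_text: str) -> list:
    """Return (alert_kind, client, detail) tuples for suspicious entries."""
    alerts, per_client = [], Counter()
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        per_client[client] += 1
        label = registrable_label(qname)
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            alerts.append(("dga_like", client, qname))
        if qname in KNOWN_DOH_ENDPOINTS and qname not in APPROVED_DOH:
            alerts.append(("unexpected_doh", client, qname))
    for client, count in per_client.items():
        if count > VOLUME_THRESHOLD:
            alerts.append(("query_volume", client, str(count)))
    return alerts
```

Running `triage(SAMPLE_LOG)` yields three DGA-like alerts and a volume alert for 10.0.0.7, an unexpected-DoH alert for 10.0.0.9, and nothing for the client that only resolved ordinary corporate names.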