IT & OT Network Security - Example Do's & Don'ts
[ST # 63] ✅ Deadly Sins (Common Mistakes) & Quick Wins (recommended fixes) for Industrial / Manufacturing environments. Plus CISO's query and my response on Managed vs. Unmanaged switches for production environment🚀 [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual, organization, business or entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.
Hi there,
Hope you are doing well.
In this edition, I’ll be sharing some:
✍️Common Issues I’ve observed across OT/ICS Network Architectures.
📘 Recommended fixes to uplift OT/ICS Network Security without heavy $$.
↪️ CISO’s queries on the use of Managed vs. Un-Managed switches.
📲Updates - Recent & upcoming OT virtual conferences.
✍️ Upcoming newsletters & call for expert input & shares.😉
But before we begin, do me a favour and make sure you “Subscribe” to let me know that you care and keep me motivated to publish more. Thanks!
Ready? Let’s dig in.
Yours truly.
— Yousuf.
OT / ICS Network Security - Don’ts & Do’s!
I have reviewed, or at least looked at, a number of IT and OT network architectures across critical infrastructure sectors, e.g. power/utility and energy, and in particular industrial environments in the manufacturing sector. There is a common set of issues, mistakes and errors that a typical manufacturing organisation makes, whether big or small. Below is a list of the issues most often observed:

STL IT OT Network Security Dos & Don’ts by M Yousuf Faisal
Don’ts / Sins
Here is an example list of common issues I’ve observed across the manufacturing sector when it comes to IT and OT / ICS networks (in no particular order):
Flat IT/OT network - no separation or segmentation between IT and OT.
Direct Internet access from OT assets / devices - all OT assets are allowed outbound access to, and can reach, the Internet directly.
Dual-homed devices - assets (Windows hosts, PLCs, etc.) with one interface connected to the IT network and another to the OT network, or to multiple zones/subnets.
Insecure remote access - direct remote access from the Internet to internal assets, bypassing the firewall and other security controls.
No OT DMZ - no intermediary zone (or sub-zones) between IT and OT.
Open rules on firewalls between IT and OT - a firewall with all ports / traffic allowed in both directions, justified with “at least the firewall is doing packet inspection”. ;-)
Misconfigured VLANs - limited segmentation using a firewall and VLANs, often misconfigured: the same VLANs traversing IT and OT network subnets, and IT / OT assets placed in the wrong VLANs, e.g. OT assets assigned IT VLANs and vice versa.
Direct wireless connections - wireless networks connected to OT networks without being firewalled off.
No edge-driven architecture - the design does not enforce an edge-driven model, i.e. one in which edge devices/gateways on the OT side initiate connections outward rather than IT or cloud systems reaching into OT.
Shared Active Directory - another classic: a single Active Directory shared between the IT and OT networks, and on top of that all traffic from AD to machines in the OT network allowed on all ports.
Patching directly from the Internet - the most common form of this issue is directly related to the second point above (direct Internet access): most endpoints are allowed to go online and fetch patches, firmware and signature updates directly from the Internet.
No internal time source / direct use of an external time source - time is fetched from Internet sources with no stratum hierarchy.
So how do we address these issues? While it is not the intent of this article to go into detail on how to fix each of these problems, here is a brief overview of what you should be doing instead.
Do’s / Wins
Here are the associated Do’s, or wins, or fixes for the above list of common issues, to uplift the security state of IT and OT / ICS networks in industrial / manufacturing environments without spending too much $$$$ (in no particular order):
Segment IT & OT networks - Say you are just starting out on this journey in a brownfield (existing, old) environment. Begin by identifying the assets on the IT and OT sides that need to communicate with each other, along with the specific ports they use. Next, use whatever options the current technology stack already offers: you will usually have an IT firewall with unused interfaces, or layer 3 devices (switches / routers) with unused ports and ACL functionality. Use those interfaces to separate IT and OT into distinct zones: one internal interface for the IT/enterprise network, one external interface for the Internet, one DMZ interface for a zone hosting the shared services between IT and OT, and lastly an OT/ICS zone (the most secure internal zone) for the production environment. This holds you over until you get the $$$ budget for a full network security re-architecture project.
No Internet access from OT assets - deny all outgoing traffic from OT assets to the Internet, starting immediately with Windows/Linux-based devices.
Restrict use of dual-homed assets/devices - an asset must not be connected to the IT and OT networks at the same time.
Use secure remote access methods only - avoid insecure methods (e.g. direct RDP, no MFA, web-based access) that bypass enterprise controls. Instead of traditional VPNs, use a more advanced secure remote access solution that supports zero trust; if budget is a constraint, at least use VPNs with MFA.
Create a DMZ between IT & OT - define an intermediary zone (and ideally sub-zones) separating the IT and OT networks, so that all access coming from IT terminates in the DMZ and neither the Internet nor IT assets reach assets in OT directly.
Wireless connections firewalled - avoid connecting wireless networks directly to the IT LAN and especially to the OT LAN / zone. Make sure there is a firewall, and ideally an IDS/IPS, in front of all wireless access, and restrict traffic to what is required only.
Restricted firewall rules between IT & OT - often overlooked: avoid open (any-to-any) rules and zone-to-zone full-access rules in the firewall. Even if you have to allow some traffic from IT to OT because of existing design limitations, restrict it to specific IPs and port numbers to start with, and adjust it to a proper rule set once the network has been re-architected.
Correct VLAN configuration - ensure VLANs do not traverse the IT and OT networks, and that VLAN assignments are correct.
Edge-driven network architecture - adopt it as a principle or policy to use only edge-driven network architectures.
Shared Active Directory - start planning to split the shared IT/OT Active Directory into separate AD instances. As an immediate action until that is done, restrict AD traffic into OT to the specific AD server IP addresses and ports required, instead of allowing the entire AD zone.
Patch OT systems through intermediaries instead of from the Internet, or at least restrict the traffic sources/destinations - best practice is to ensure OT assets are not set up to fetch OS, firmware or signature updates directly from the Internet. Instead, place management/update systems in the DMZ, let them receive updates from IT/the Internet from specific designated IP addresses, and then push them to the OT zones. The same applies to getting updates onto systems in IT.
Design & use a stratum hierarchy - fetch time for OT assets from dedicated internal sources instead of the Internet. If the change takes time, start by limiting the NTP port to a single designated external time source IP address.
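The Do’s above are easier to enforce if you can check a rule export and an asset inventory against them before a change window. The following Python script is an added example, not part of this newsletter or any vendor tool: it takes a simplified firewall rule table and an asset list (both constructed inline; the zone subnets, VLAN plan and rule fields are assumptions for illustration) and flags the sins listed above: any-to-any allows, OT to Internet access (including external NTP), IT reaching OT directly or on all ports, dual-homed assets, and assets sitting in a VLAN of the wrong zone. Flattening a real rule base into this shape is left to the reader, since every firewall vendor exports differently.

```python
import ipaddress
from dataclasses import dataclass

# Assumed zone plan (constructed for this example, not from the newsletter):
# enterprise IT, an IT/OT DMZ for shared services, and the OT/ICS zone.
# Any address outside these ranges is treated as the Internet.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.0.0/16"),
}
# Assumed VLAN plan: which zone each VLAN belongs to. Unlisted VLANs are unplanned.
VLAN_ZONE = {100: "IT", 110: "IT", 200: "OT", 210: "OT", 300: "DMZ"}


@dataclass
class Rule:
    name: str
    src: str     # "any" or an IP/CIDR
    dst: str     # "any" or an IP/CIDR
    proto: str   # "any", "tcp" or "udp"
    port: str    # "any" or a destination port number
    action: str  # "allow" or "deny"


@dataclass
class Asset:
    name: str
    role: str         # zone the asset belongs to by function: "IT", "DMZ" or "OT"
    interfaces: list  # [(ip, vlan), ...]; more than one entry means multi-homed


def zone_of(addr: str) -> str:
    """Map 'any', an IP or a CIDR to its zone; 'Internet' if outside the plan."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    for zone, planned in ZONES.items():
        if net.subnet_of(planned):
            return zone
    return "Internet"


def audit_rules(rules):
    """Return (rule name, finding) pairs for allow rules that match a listed sin."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never open a path
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == "any" and d == "any" and r.port == "any":
            findings.append((r.name, "any-to-any allow: the firewall is effectively open"))
        if s == "OT" and d in ("Internet", "any"):
            findings.append((r.name, "OT assets can reach the Internet directly"))
            if r.port == "123":
                findings.append((r.name, "OT fetches time from an external NTP source"))
        if s == "IT" and d == "OT":
            if r.port == "any":
                findings.append((r.name, "IT to OT allowed on all ports"))
            else:
                findings.append((r.name, "IT reaches OT directly; should terminate in the DMZ"))
    return findings


def audit_assets(assets):
    """Flag dual-homed assets and assets placed in a VLAN of the wrong zone."""
    findings = []
    for a in assets:
        zones = {zone_of(ip) for ip, _ in a.interfaces}
        if len(zones) > 1:
            findings.append((a.name, f"dual-homed across {sorted(zones)}"))
        for ip, vlan in a.interfaces:
            vlan_zone = VLAN_ZONE.get(vlan)
            if vlan_zone is None:
                findings.append((a.name, f"VLAN {vlan} is not in the zone plan"))
            elif vlan_zone != a.role:
                findings.append((a.name, f"{a.role} asset sits in {vlan_zone} VLAN {vlan}"))
    return findings


# Constructed sample data: a rule export and an asset inventory as an auditor
# might have flattened them from a firewall and a CMDB (all values made up).
SAMPLE_RULES = [
    Rule("permit-all", "any", "any", "any", "any", "allow"),
    Rule("ot-internet", "192.168.0.0/16", "0.0.0.0/0", "any", "any", "allow"),
    Rule("ot-ntp", "192.168.0.0/16", "203.0.113.5", "udp", "123", "allow"),
    Rule("ad-to-ot", "10.10.0.0/16", "192.168.0.0/16", "any", "any", "allow"),
    Rule("wsus-dmz-to-ot", "10.20.0.10", "192.168.0.0/16", "tcp", "8530", "allow"),
    Rule("it-rdp-to-hmi", "10.10.5.5", "192.168.10.20", "tcp", "3389", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]
SAMPLE_ASSETS = [
    Asset("hist01", "OT", [("192.168.10.5", 200), ("10.10.3.5", 100)]),
    Asset("plc01", "OT", [("192.168.10.20", 200)]),
    Asset("eng-ws01", "OT", [("192.168.10.30", 110)]),
    Asset("wsus-dmz", "DMZ", [("10.20.0.10", 300)]),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES) + audit_assets(SAMPLE_ASSETS):
        print(f"{name:16} {finding}")
```

Only the DMZ-to-OT WSUS rule passes clean, which is the pattern the “patch through intermediaries” point asks for; the IT-to-HMI RDP rule is still reported even though it is IP- and port-specific, because the longer-term goal is for IT sessions to terminate in the DMZ rather than reach OT directly.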
Security risks using unmanaged switches in OT networks
A few weeks ago a global CISO asked about managed vs. unmanaged switches. This was the second time within a year or so that a CISO, going through OT security projects, reached out to ask about this. He asked the following (paraphrasing here):
“Hi Yousuf, what are the pros/cons of using managed vs. unmanaged switches? Is the understanding correct that it should be managed layer 3 switches? Do you know if unmanaged industrial switches will not support port SPAN, traffic capture and monitoring functions? I understand that unmanaged switches can have security issues as they cannot be configured. I am checking this both from an OT policy and an OT network visibility / monitoring perspective.”
So I thought I would summarize my responses for other security practitioners and CISOs / CIOs going through similar projects, to help build some understanding around this.
Key Differences:
Here is a summary of the key differences in terms of features, functionality and capabilities:
Aspect | Unmanaged Switch | Layer 2 Managed Switch | Layer 3 Managed Switch |
---|---|---|---|
Configuration & Control | None, fixed configuration | VLANs, SPAN (port mirroring), QoS | Full control: VLANs, SPAN, QoS, routing, ACLs |
Network Segmentation | No | Yes (VLANs, no routing between them) | Yes (VLANs plus inter-VLAN routing) |
Traffic Monitoring (SPAN) | No | Yes | Yes |
Security Controls | None | Limited (e.g. port security) | Advanced (port security, authentication, ACLs, routing policies) |
Network Visibility | None | Monitoring and diagnostics | Comprehensive monitoring and diagnostics |
Traffic Management | None | Prioritization, traffic shaping | Prioritization, traffic shaping, routing policies |
Physical Environment Suitability | Limited (depends on model) | Industrial-grade options available | Industrial-grade options available |
Remote Management | Not supported | Supported | Supported |
Redundancy & Failover | Not supported | Supported (STP, RSTP) | Supported (STP, RSTP) |
Cost | Lower | Higher upfront and operational cost | Higher upfront and operational cost |
Complexity | Simple plug-and-play | Requires switching skills for setup and ongoing management | Requires skilled setup and ongoing management |
Suitability | Small, simple, low-risk networks | Segmented networks within a single zone | Cross-zone routing, large plants |
Risk Level | High | Moderate | Low (with proper configuration) |
Use Case Comparison and Recommendations
Use Case / Network Size | Managed Industrial Switches | Unmanaged Industrial Switches |
---|---|---|
Large, complex OT networks | Essential for segmentation, security, monitoring, and remote management | Not suitable due to lack of control and visibility |
Critical production control systems | Required to ensure uptime, security, and deterministic traffic handling | Not recommended due to risk of downtime and attacks |
Small, simple or temporary setups | May be overkill and cost-prohibitive | Suitable for basic connectivity and low-risk segments |
Environments requiring compliance | Needed to meet ISA/IEC 62443 and other industrial cybersecurity standards | Insufficient for compliance and security requirements |
Networks requiring remote management | Enables remote troubleshooting and configuration | No remote management capabilities |
Risks & Risk Mitigation for Unmanaged Switches
Below is a list of potential risks of using unmanaged switches.
Unauthorized network access via physical ports: unmanaged switches cannot restrict or disable ports, so anyone with physical access can plug in a device (e.g. a laptop or a rogue Wi-Fi access point) and gain network access, potentially bypassing other security layers.
Man-in-the-Middle (MitM) attacks: unmanaged switches have no monitoring or control features (no port security, no ARP inspection), so an attacker on the same segment can intercept or alter communications between devices unnoticed, risking data theft and manipulation.
MAC spoofing and reconnaissance: attackers can imitate legitimate MAC addresses to bypass MAC-based controls elsewhere, and unmanaged switches provide no means to detect or prevent such spoofing.
Lack of traffic segmentation and visibility: without VLANs or monitoring, unmanaged switches cannot isolate critical OT devices or provide network visibility, making it difficult to detect intrusions or contain threats.
Bypassing organizational defenses: a malicious device connected behind an unmanaged switch can create a hidden link to the Internet or to IT infrastructure, circumventing firewalls and other protections.
Increased risk despite physical security: even in controlled environments like substations, physical security can be breached, and unmanaged switches offer no network-level controls to mitigate that.
In summary, unmanaged switches expose OT networks to unauthorized access, data interception, spoofing and a lack of network control, making them unsuitable for secure OT environments.
To mitigate the risks listed above where unmanaged switches remain in OT networks, consider these measures:
Physical security: restrict physical access to switch locations to prevent unauthorized device connections, since unmanaged switches rely entirely on physical security.
Network segmentation: use managed switches or routers upstream to segment the network into VLANs, isolating critical OT devices from less secure areas and limiting lateral movement by attackers. Take extra care not to disrupt operations; careful planning is required.
Deploy managed switches where possible: replace unmanaged switches with managed ones that support port security, VLANs and access controls, for better monitoring and control.
Monitoring and alerting: implement network monitoring tools and intrusion detection systems to detect unusual traffic or unauthorized devices connected via unmanaged switches. Since an unmanaged switch has no SPAN port, the capture point has to sit on a managed switch upstream of it.
Disable unused ports: where managed switches are used, disable unused ports to prevent unauthorized connections; for unmanaged switches, physically block or lock unused ports where possible.
Use network access control (NAC) and 802.1X authentication: enforce device authentication before network access to reduce the risk from rogue devices connected via unmanaged switches. Use caution: this may not be feasible at the lower levels of the OT zone, and an unmanaged switch cannot act as the 802.1X authenticator, so enforcement has to happen on the managed port it uplinks to.
Regular audits and vulnerability scanning: continuously assess the network for unauthorized devices and for vulnerabilities introduced by unmanaged switches. Use caution: do not use IT-style scanning profiles; be selective about what traffic is sent to which OT devices, and perform such scans in maintenance windows.
Backup and patch management: for managed devices, keep firmware updated and configurations backed up to reduce risk from known vulnerabilities.
In summary, while unmanaged switches lack inherent security features, the risk can be reduced by strong physical security, network segmentation, monitoring, and gradually replacing unmanaged switches with managed ones for critical OT network segments.
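To make the mitigation list concrete, here is an added Python example (not from this newsletter) that parses a constructed IOS-style running-config from a managed OT access switch and reports the items above that are still undone: access ports without port-security, ports with no description that are not shut down (assumed convention: every connected port carries a description), trunks that carry all VLANs, a missing SPAN session for the IDS feed, and telnet left enabled for management. The config text, hostname, interface names and VLAN numbers are made up for the example.

```python
# Constructed IOS-style running-config excerpt for an OT access switch (made up
# for this example; hostname, interface names, VLANs and descriptions are not real).
SAMPLE_CONFIG = """\
hostname OT-SW-01
!
monitor session 1 source interface Gi1/0/1 - 8
monitor session 1 destination interface Gi1/0/24
!
interface GigabitEthernet1/0/1
 description PLC-01
 switchport mode access
 switchport access vlan 200
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description HMI-01
 switchport mode access
 switchport access vlan 200
!
interface GigabitEthernet1/0/3
 description spare
 switchport mode access
 switchport access vlan 200
 shutdown
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/23
 description uplink-to-OT-core
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description SPAN-to-IDS
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_config(text):
    """Split an IOS-style config into top-level lines and {interface: [sub-lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' ends a block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # other blocks (line vty, ...) are flattened into globals
            globals_.append(line.strip())
    return globals_, interfaces


def audit_switch(text):
    """Return (where, finding) pairs for hardening items missing from the config."""
    globals_, interfaces = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        def has(prefix, lines=lines):
            return any(l.startswith(prefix) for l in lines)
        if has("shutdown"):
            continue  # an administratively disabled port cannot be plugged into
        if not has("description"):
            findings.append((name, "no description and not shut down: treat as unused and disable"))
        if has("switchport mode access") and not has("switchport port-security"):
            findings.append((name, "access port without port-security"))
        if has("switchport mode trunk") and not has("switchport trunk allowed vlan"):
            findings.append((name, "trunk carries all VLANs; prune to what the uplink needs"))
    if not any(l.startswith("monitor session") for l in globals_):
        findings.append(("global", "no SPAN session configured: no traffic feed for IDS/monitoring"))
    if any(l.startswith("transport input") and "telnet" in l for l in globals_):
        findings.append(("global", "telnet enabled on vty lines: restrict transport input to ssh"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_switch(SAMPLE_CONFIG):
        print(f"{where:24} {finding}")
```

On the sample, Gi1/0/1 is the model to copy: fixing Gi1/0/2 means adding `switchport port-security` (with a `maximum` and a violation action) in the same shape, Gi1/0/4 should simply get `shutdown` until it is needed, and the uplink on Gi1/0/23 should carry an explicit `switchport trunk allowed vlan` list so IT VLANs cannot leak across it. An unmanaged switch offers none of these knobs, which is the whole point of the comparison above.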
Few Updates (Sharing and Conference)
My thoughts, along with those of leading experts Mike & Tim, were published - here.
It was good to participate in a conference again after a very long time, at least virtually, and I also got the chance to present at Industrial Cyber Days for Manufacturing for the US time zone → US. (The last time I was at a conference in person was in Nov. 2019 in Malaysia.)
I am running the same presentation for EMEA and APAC - register for your region below:
Title of my talk is → “Securing the Digital Factory: Lessons from the Field on Security Challenges from Industry 3.0 to 4.0 and Beyond”.
This session explores the challenges of securing manufacturing operations during the transition from Industry 3.0 to Industry 4.0. Drawing from experiences across three different manufacturers, the discussion highlights the limitations of traditional security approaches and their applicability in modern manufacturing environments that incorporate UNS and IIoT-based architectures.
Additionally, this session serves as a mini-course introduction to the Securing Things IT-OT CySEAT (Cyber Security Education and Transformation) program, providing insights into securing digital factories.
Key Learning Objectives:
Understanding Industry 4.0, the manufacturing lifecycle, automation stack, and digital transformation.
Exploring secure UNS-based architecture and the lack of industry-specific security guidance.
Developing a strategic approach for securing the digital factory.
If you haven’t checked out yet - do join IT-OT CySEAT waiting List before the launch discount closes.
What’s coming?
Besides the below, I am excited to be working with 2 guest writers on some upcoming newsletter editions. More on this in the next edition.
I have been juggling a few things lately: in addition to publishing the newsletter, social posts/interactions and some volunteering time, I am trying to wrap up a few project assignments while figuring out what is next for me in Q2/Q3.
I have been working on Part 3 of The Digital Factory series:

ST Newsletter coming soon!
Call 🤙 out to all OT/ICS experts out here 📢
I need your input - on "Industry Debates and Updates in/ OT / ICS - The Digital Factory - Architecture - Part 3"! 🗞️
In my upcoming newsletter edition, I'm trying to cover few industry debates;
👉 Digital Transformation - a project or a strategy?
👉 IT/OT Convergence - is it or is it not converging? :-p
👉 Purdue Model – Dead or Alive? | For Security or no Security?!
👉 🙋♂️ any other suggestions?
and a few industry updates (not so well known, but not new):
👉 Death of Purdue Model - Gartner position (2023)
👉 Network Architecture – Solutions driven
👉 IT/OT Event Driven Reference Architecture –
👉 62443 standards requirements for Cloud - ISA's position
💁♂️ 💁♀️ I’ve got some references to interesting debates from socials (LinkedIn), but want to see if you have some spicy ones at your disposal that you can share.
Also, if you want to contribute? ✍ send me a DM 📥 / drop a comment👇
Will add yours with attribution and a shout out! 📢
♻️ Share this if you know someone who would be interested.
Thanks 🌟
In case you’ve missed them - here are some of my recent most-viewed social posts.
📰 [ST # 62] ✅Cybersecurity Insights from Q1 2025 - ✅ IT, OT, AI Cybersecurity Market Insights, M&As, Incidents, breaches, ransomware, threats and changing regulatory landscape🚀 [Securing Things by M. Yousuf Faisal]
📰 [ST # 61] ✅My list of IT-OT & Cybersecurity, Leadership, Productivity, Personal Development, and Money/Business books - must read for Cyber Leaders and Practitioners. Few updates on OT Security conference, & more.🚀 [Securing Things by M. Yousuf Faisal] 📰
📢 [ST #60] All Series Index - Securing Things 📢✅IT, OT & AI Cybersecurity – Program, Digital Factory, Guides, Standards, Crash Courses, Quarterly Insights & more.🚀 [Securing Things by M. Yousuf Faisal] 🗞️🗞️🗞️
Cybersecurity and AI Across the Industrial Automation Stack - Monthly Digest # 1 - ✅ Industry Trends, Market Insights on cybersecurity and AI across the layers of industrial automation stack (Cloud, ERP, DMZ, MES, SCADA, HMI, PLC/Edge), physical devices & more.🚀 [Securing Things by M. Yousuf Faisal].
ISA/IEC 62443 Standards - Part 5 - Security Program Elements (SPEs) for 62443-2-1:2024, Upcoming Asset Owner ACS Security Assurance (ACSSA) Certification Scheme to ISA/IEC 62443-2-1, 2-4, 3-2, 3-3 by ISCI, CISO's role, other interesting reads.
The Digital Factory (Data Flow) - Part 2 Industry 4.0 data/event driven data flows and security considerations and how's CISO's role is evolved in OT security.
Cybersecurity & Data Privacy for Hong Kong - HK Cybersecurity Market, upcoming Critical Infrastructure Bill 2024 regulations, Data Privacy Program Core elements, HK markets and more.
Ways in which I can help?
Whenever you are ready - I can help you with:
A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.
B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.
C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.
Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.
D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.
Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate if you'd forward it to them. Thanks a ton.
Thanks for reading - until the next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.