OT Cybersecurity Checklist: Implementing the Purdue Model
Protecting a plant is not about installing an antivirus. It is about segmentation, visibility, and discipline. Practical checklist to secure industrial networks (ISA/IEC 62443).

In the IT world, if you get a virus, you wipe and restore from backup. In OT, if you get ransomware, the physical plant stops, machines break, or (worse) people get hurt.
Security by obscurity (“nobody knows this PLC is here”) no longer exists. Shodan.io finds your exposed HMI in 5 seconds.
This is the checklist I use to audit and harden industrial networks, based on the Purdue Model and the IEC 62443 standard.
1. Segmentation: Divide and Conquer (Purdue Model)
If you connect the PLC to the same network as the office coffee machine, find another job. The flat network is the cardinal sin.
- Level 4 (Enterprise): ERP, Email, Internet Access.
- Industrial DMZ (Level 3.5): Here live the Jump Servers, Replicated Historians, and WSUS. No one passes from Level 4 to Level 3 without going through the DMZ.
- Level 3 (Site Ops): Central SCADA, Control Room HMI. No direct Internet access.
- Level 2 (Area Control): Local HMIs, Engineering Stations.
- Level 1 (Basic Control): PLCs, VFDs, Remote I/O.
- Level 0 (Physical Process): Motors, Sensors.
Immediate Action: Install an Industrial Firewall (Fortinet, Palo Alto, Cisco ISA) between Level 3 and Level 4. Block EVERYTHING by default.
2. Visibility: You Can’t Protect What You Can’t See
Most plant managers don’t know what IPs are connected.
- Passive Asset Inventory: Use tools like Claroty, Nozomi, or Microsoft Defender for IoT. They listen to traffic (port mirror) and tell you: “You have a Siemens S7-300 PLC firmware v2.6 at IP 10.10.5.20”.
- Traffic Analysis: If your PLC suddenly starts talking to a Russian IP at 3 AM, you have a problem.
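As an added example (not code from the original post), the following script turns the segmentation rules from section 1 and the visibility checks from section 2 into a policy check over flow records, the kind of data a passive sensor on a port mirror exports. The zone-to-subnet map, the RFC 1918 treatment and the flow records are constructed assumptions for this example; the three rules are the post's own: nothing crosses from Level 4 into Level 3 or below except via the DMZ, nothing at Level 3 or below talks to the Internet, and any internal address you cannot place in a zone is an inventory gap.

```python
import ipaddress

# Hypothetical Purdue zone map for one site (constructed for this example).
ZONES = {
    "L4_enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "L3.5_dmz": ipaddress.ip_network("10.5.0.0/24"),
    "L3_site_ops": ipaddress.ip_network("10.10.0.0/24"),
    "L2_area": ipaddress.ip_network("10.10.4.0/24"),
    "L1_control": ipaddress.ip_network("10.10.5.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone_of(ip):
    """Map an address to its Purdue zone, 'unmapped' (internal but unknown) or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unmapped" if any(addr in n for n in RFC1918) else "external"


def level(zone):
    """Numeric Purdue level taken from a zone name, e.g. 'L3.5_dmz' -> 3.5."""
    return float(zone.split("_")[0][1:])


def check_flow(src, dst):
    """Return the checklist rules that one src->dst conversation violates."""
    findings = []
    zs, zd = zone_of(src), zone_of(dst)
    if "unmapped" in (zs, zd):
        findings.append("unmapped asset: not in the inventory")
    if "external" in (zs, zd):
        inside = zd if zs == "external" else zs
        if inside not in ("unmapped", "external") and level(inside) <= 3:
            findings.append("direct Internet access to/from Level 3 or below")
    if zs in ZONES and zd in ZONES:
        lo, hi = sorted((level(zs), level(zd)))
        if hi == 4 and lo <= 3:
            findings.append("Level 4 talks to OT directly, bypassing the DMZ")
    return findings


# Constructed flow records (src, dst, dst_port), as a passive sensor would export them.
FLOWS = [
    ("10.1.20.7", "10.10.0.5", 445),      # enterprise PC -> SCADA server, skipping the DMZ
    ("10.1.20.7", "10.5.0.10", 3389),     # enterprise PC -> jump server in the DMZ: allowed
    ("10.5.0.10", "10.10.0.5", 3389),     # jump server -> SCADA server: allowed
    ("10.10.5.20", "203.0.113.9", 443),   # PLC -> outside address (the 3 AM case)
    ("192.168.77.3", "10.10.5.20", 102),  # unknown device speaking S7comm to the PLC
]


def audit(flows):
    """Return only the flows that violate at least one rule, with their findings."""
    return {f: check_flow(f[0], f[1]) for f in flows if check_flow(f[0], f[1])}


if __name__ == "__main__":
    for flow, hits in audit(FLOWS).items():
        print(flow, "->", "; ".join(hits))
```

Running it flags three of the five constructed flows: the DMZ bypass, the PLC reaching the Internet, and the device missing from the inventory.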
3. Hardening Checklist
For each device, apply the “Least Privilege” rule.
- Change Default Passwords: admin/admin or 1001 are the front door.
- Disable Useless Services: Does your PLC need an HTTP web server? FTP? If you don’t use it, turn it off. Reduce the attack surface.
- USB Management: Physically or software-block USB ports on engineering PCs. The technician’s flash drive is attack vector #1 (Stuxnet, ring a bell?).
- Firmware: Keep PLCs updated, but test updates in a lab first.
4. Secure Remote Access
Vendors always ask for a VPN to provide support.
- BAD: Direct VPN to the plant network (Level 2).
- GOOD: VPN to the DMZ, with MFA (Multi-Factor Authentication). From there, RDP to a Jump Server, and from the Jump Server, controlled access to the PLC. Session is recorded and audited.
Conclusion
Industrial cybersecurity is not a product you buy; it is a process. Start by segmenting your network. A well-configured firewall is worth more than a hundred antiviruses.