BEYOND THE FIREWALL: CLOSING OT HARDENING GAPS
Asset-Level Resilience
Industrial environments often suffer from the 'M&M' security model: a hard outer shell with a soft, vulnerable center. Real protection requires hardening every node.
The Danger of Default Trust
In the rush to digitize industrial operations, the focus is often placed on network-level security—firewalls, DMZs, and VPNs. While critical, this perimeter-first approach often ignores the hardening of the actual assets performing the work. Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and Engineering Workstations (EWS) are frequently deployed with 'factory default' settings that favor ease of access over security.
This lack of asset-level hardening creates an environment where a single compromised laptop or a malicious USB drive can lead to total process disruption. Attackers no longer need to break through the firewall if they can exploit unauthenticated protocols and open services once they have established a foothold within the Level 2 or Level 3 network.
Hardening is not simply about closing ports; it is about reducing the attack surface to the absolute minimum required for operational functionality. In OT, this requires a delicate balance between security and the high-availability requirements of the process.
Hardening is a continuous process, not a project. Configuration drift during maintenance is the leading cause of security degradation.
The Evolution of Asset Exploitation
Demonstrated that default PLC passwords and unhardened engineering interfaces could be used to manipulate physical processes.
Targeted Safety Instrumented Systems (SIS) by exploiting controllers left in 'Program' mode via physical key-switches.
Highlighted how default credentials on water sector PLCs allowed remote attackers to modify HMI settings globally.
Top Hardening Challenges
Securing OT assets involves navigating unique operational hurdles that don't exist in traditional IT.
Legacy Protocol Insecurity
Many controllers use Modbus or EtherNet/IP, which lack native authentication, making asset-level hardening difficult without network overlays.
Vendor Warranty Fear
Operations teams often fear that disabling services or changing OS settings on HMI workstations will void OEM support agreements.
Documentation Gaps
The lack of an accurate, live asset inventory makes it impossible to ensure 100% hardening coverage across the plant floor.
The 'Big Five' Configuration Oversights
Through our site assessments, we consistently see five major oversights. First is the failure to disable unused services like FTP, HTTP, or Telnet on field devices. These are often enabled by default for 'convenience' but offer easy entry points for lateral movement.
Second is the management of physical ports. Unlocked USB ports on HMIs and open RJ45 ports on unmanaged switches are frequently overlooked. Third is the 'Run' switch oversight—leaving PLC key-switches in 'Remote' or 'Program' mode when the process is in steady-state operation.
Fourth is the lack of centralized identity management, leading to shared 'Operator' accounts with hardcoded passwords. Finally, the failure to disable unnecessary 'Discovery' protocols (like SSDP or LLDP) allows attackers to map the internal network architecture within minutes of gaining access.
Analysis: Hardening Strategies
Effective Approaches
- Disabling all unused services and protocols
- Physically locking PLC switches to RUN mode
- Implementing unique, role-based access control
Ineffective Habits
- Relying on air-gaps as the only defense
- Using shared 'Admin' passwords for all shifts
- Assuming factory settings are secure-by-design
Asset Hardening Comparison
| Asset Type | Common Oversight | Recommended Action | Complexity |
|---|---|---|---|
| PLC | Key-switch in 'Program' mode | Switch to 'Run' and remove key | Low |
| HMI | Unnecessary Browser Access | Disable web browsers on HMI panels | Medium |
| Network Switch | Default SNMP Strings | Change to SNMPv3 or disable | High |
| Workstation | Active USB Ports | Physical port blockers or GPO | Low |
The 3-Phase Hardening Roadmap
Always perform configuration backups and test hardening in a staging environment before site deployment.
Audit & Discovery
Identify all assets and their current configuration states.
Surface Reduction
Close the most obvious holes and disable non-essential features.
Hardening Lifecycle
Ensure security survives the next maintenance cycle.
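As an added example (not code from the article), the following Python drift check encodes the 'Big Five' oversights and the hardening table above as a baseline and runs it over a constructed inventory, so that settings changed during a maintenance window show up before the next cycle. The Asset fields and the inventory records are assumptions, standing in for whatever the site's asset-inventory tool exports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# 'Convenience' services and discovery protocols the article flags on field devices.
BANNED_SERVICES = {"ftp", "http", "telnet", "ssdp", "lldp"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

@dataclass
class Asset:  # one row of a constructed inventory; field names are assumptions
    name: str
    asset_type: str                      # "PLC", "HMI", "Switch" or "Workstation"
    services: Set[str] = field(default_factory=set)
    key_switch: Optional[str] = None     # PLC only: "RUN", "REMOTE" or "PROGRAM"
    browser_enabled: bool = False        # HMI panels
    snmp_version: Optional[str] = None   # switches: "v2c", "v3" or None (disabled)
    snmp_communities: Set[str] = field(default_factory=set)
    usb_enabled: bool = False            # HMIs and workstations
    default_credentials: bool = False    # audit result: 'admin'/'password' still set

def check_asset(a: Asset) -> List[str]:
    """Return the baseline deviations for one asset; empty means compliant."""
    findings = []
    for svc in sorted(a.services & BANNED_SERVICES):
        findings.append(f"unnecessary service enabled: {svc}")
    if a.asset_type == "PLC" and a.key_switch != "RUN":
        findings.append(f"key-switch in {a.key_switch} mode, expected RUN")
    if a.asset_type == "HMI" and a.browser_enabled:
        findings.append("web browser enabled on HMI panel")
    if a.asset_type == "Switch" and a.snmp_version not in (None, "v3"):
        findings.append(f"SNMP {a.snmp_version} in use, expected v3 or disabled")
    for c in sorted(a.snmp_communities & DEFAULT_SNMP_COMMUNITIES):
        findings.append(f"default SNMP community string '{c}'")
    if a.usb_enabled:
        findings.append("USB ports active")
    if a.default_credentials:
        findings.append("default credentials still in use")
    return findings

def drift_report(inventory: List[Asset]) -> Dict[str, List[str]]:  # compliant assets omitted
    return {a.name: f for a in inventory if (f := check_asset(a))}

# Constructed inventory as it might look after a maintenance window.
INVENTORY = [
    Asset("PLC-01", "PLC", services={"modbus", "http"}, key_switch="PROGRAM"),
    Asset("HMI-02", "HMI", browser_enabled=True, usb_enabled=True, default_credentials=True),
    Asset("SW-03", "Switch", snmp_version="v2c", snmp_communities={"public", "ops-ro"}),
    Asset("EWS-04", "Workstation", services={"rdp"}),  # compliant under this baseline
]

if __name__ == "__main__":
    print(drift_report(INVENTORY))
```

Running the check after every maintenance window and comparing the report against the previous one turns the 'Hardening Lifecycle' phase into a concrete, repeatable task.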
Questions for the Engineering Team
Hardening is as much about culture as it is about technology.
If an engineer leaves a PLC in 'Program' mode, does anyone notice?
How many devices on your floor are still using the password 'admin' or 'password'?
Is your 'standard' build for a new HMI documented and secured, or is it done from memory?