Take the information gathered in Week 24 on your OT electronic security perimeters and evaluate the risk related to each communication allowed through the OT electronic security perimeter. This is typically a rule by rule analysis. If you have a well-documented firewall ruleset, this is easy. If you don’t, this is the time to dig in and document those rulesets.
Note: if something besides a firewall is forming the OT electronic security perimeter, identify the equivalent configuration settings that determine what is allowed through that perimeter.
Rate the security of each communication / rule allowed through the OT electronic security perimeter as either:
- Acceptable – the communication is required and is done in a secure manner.
- Review – the communication is required but could be done in a more secure manner. For example, OT data could be pushed out to IT and accessed on IT rather than allowing IT users into OT.
- Potentially Unacceptable – the communication represents high risk, but OT would not operate if this communication was eliminated.
- Unacceptable – the allowed communication is unnecessary for operations. This is often due to least privilege not being implemented, or to old firewall rules that were never removed.
Note: one way to identify if a rule is needed is to look in the logs or statistics in the firewall that identify how often a rule is being used. If the answer is zero, there is a good chance that hole in your OT electronic security perimeter is unnecessary and should be closed.
Key factors to consider:
- Where is the communication initiated? It’s lower risk to initiate communication from the more trusted zone, e.g. OT to OT DMZ or OT DMZ to IT.
- Communication between OT and IT should be indirect and mediated through a system in an OT DMZ.
- Is communication allowed through the OT electronic security perimeter using an authenticated protocol?
- Does the communication allowed through the OT electronic security perimeter follow least privilege? Does the applicable rule specify a source address, destination address and protocol/port? The use of “any” in an allow rule is a red flag.
- What is the business purpose that necessitates the allowed communication?
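The rating scheme and the key factors above can be applied mechanically as a first pass over an exported ruleset before the rule-by-rule review. The script below is an added example, not from this book or from any firewall vendor: the rule fields, the zone names and their trust ordering, the set of protocols treated as authenticated, the hit counters and the sample rules are all constructed assumptions. It only proposes a rating for each rule from the factors listed on this page; the reviewer confirms or overrides it in the analysis document.

```python
"""First-pass triage of allow rules through an OT electronic security perimeter.

Added example, not from this book or any firewall vendor: the rule fields,
zone names, hit counters, the set of protocols treated as authenticated and
the sample rules below are all constructed assumptions. The script proposes
a rating using the factors on this page; the reviewer confirms or overrides it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Trust ordering assumed for the example: a higher value is a more trusted zone,
# so a flow whose source is less trusted than its destination is "inbound".
TRUST = {"IT": 0, "OT_DMZ": 1, "OT": 2}

# Application protocols the example treats as authenticating the peer.
# Constructed list; extend it to match what your perimeter actually carries.
AUTHENTICATED = {"https", "ssh", "ldaps", "opcua-secure"}

HIGH, MEDIUM = "high", "medium"


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str        # source object/address, or "any"
    dst: str        # destination object/address, or "any"
    service: str    # e.g. "tcp/443", or "any"
    protocol: str   # application protocol label used for the authentication check
    hits: int       # hit counter from the firewall's statistics/logs
    purpose: str    # documented business purpose; "" if none recorded


def findings(rule: Rule) -> List[Tuple[str, str]]:
    """Return (severity, note) pairs for each risk factor the rule trips."""
    notes: List[Tuple[str, str]] = []
    if "any" in (rule.src, rule.dst, rule.service):
        notes.append((HIGH, "uses 'any' in source, destination or service"))
    if {rule.src_zone, rule.dst_zone} == {"IT", "OT"}:
        notes.append((HIGH, "direct IT<->OT path, not mediated through the OT DMZ"))
    inbound = TRUST[rule.src_zone] < TRUST[rule.dst_zone]
    authenticated = rule.protocol in AUTHENTICATED
    if inbound and not authenticated:
        notes.append((HIGH, "initiated from the less trusted zone over an unauthenticated protocol"))
    elif inbound:
        notes.append((MEDIUM, "initiated from the less trusted zone"))
    elif not authenticated:
        notes.append((MEDIUM, f"'{rule.protocol}' does not authenticate the peer"))
    if rule.hits == 0:
        notes.append((HIGH, "zero hits in the logging window; probably unnecessary"))
    if not rule.purpose:
        notes.append((HIGH, "no documented business purpose"))
    return notes


def rate(rule: Rule) -> str:
    """Map findings onto the four ratings used in this week's exercise."""
    notes = findings(rule)
    # Unused or unjustified rules are treated as Unacceptable until someone
    # documents why they must exist; that is the least-privilege default.
    if rule.hits == 0 or not rule.purpose:
        return "Unacceptable"
    if any(sev == HIGH for sev, _ in notes):
        return "Potentially Unacceptable"   # high risk, but in active use
    if notes:
        return "Review"                     # needed, could be done more securely
    return "Acceptable"


def triage(rules: List[Rule]) -> Dict[str, Tuple[str, List[str]]]:
    """Rating plus human-readable notes for every rule, keyed by rule name."""
    return {r.name: (rate(r), [msg for _, msg in findings(r)]) for r in rules}


# Constructed sample ruleset (not a real firewall export).
RULES = [
    Rule("historian-push", "OT", "OT_DMZ", "hist-01", "dmz-historian",
         "tcp/443", "https", 48210, "Historian replicates to DMZ copy"),
    Rule("it-reporting-pull", "IT", "OT_DMZ", "it-reporting", "dmz-historian",
         "tcp/443", "https", 3100, "IT reporting reads the DMZ historian"),
    Rule("mes-setpoints", "IT", "OT", "mes-app", "plc-net",
         "tcp/502", "modbus", 9000, "Legacy MES writes setpoints to PLCs"),
    Rule("ot-backup-to-nas", "OT", "IT", "ot-backup", "it-nas",
         "tcp/445", "smb", 88, ""),
    Rule("legacy-any", "IT", "OT", "any", "any", "any", "any", 0, ""),
]

if __name__ == "__main__":
    for name, (rating, notes) in triage(RULES).items():
        print(f"{name:20} {rating}")
        for n in notes:
            print(f"{'':20}   - {n}")
```

Run as-is, the sample produces one rule per rating band: the OT-to-DMZ historian push is Acceptable, the IT pull from the DMZ is Review (needed, but initiated from the less trusted side), the direct IT-to-PLC Modbus rule is Potentially Unacceptable (high risk but in heavy use), and the two rules with no documented purpose, one of them also with zero hits, are Unacceptable. Feeding it a real export means writing a small adapter from your firewall's CSV or API output into `Rule` objects and adjusting the zone and protocol tables to match your environment.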
It will be impractical to document the allowed communication analysis in this book. Instead, enter the file name and location of the document, spreadsheet, or database that holds it. This may be the same information you entered last week.
OT Security Perimeter Device 1
Allowed Communication Analysis File Name And Location
OT Security Perimeter Device 2
Allowed Communication Analysis File Name And Location
OT Security Perimeter Device 3
Allowed Communication Analysis File Name And Location