Full Report
This blog is part of a blog series detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by... The post OT Cybersecurity Best Practices for SMBs: How to Disconnect Your IT, DMZ, and OT from Each Other & What to Consider first appeared on Dragos.
Analysis Summary
# Best Practices: Operational Technology (OT) Cybersecurity for Under-Resourced Organizations (Focusing on Network Separation and Incident Response Planning)
## Overview
These practices focus on establishing minimum baseline OT cybersecurity protections, particularly for under-resourced organizations (SMBs), emphasizing the critical need to separate IT and OT environments and develop concrete plans for emergency network disconnection during an incident.
## Key Recommendations
### Immediate Actions
1. **Join OT-CERT:** If your resources are limited, immediately join the free Dragos OT-CERT program to access essential toolkits, assessments, and training materials.
2. **Assess IT/OT Connectivity:** Immediately document all pathways (physical and logical) that allow traffic, data, or remote access between the Information Technology (IT) network and the Operational Technology (OT) network.
3. **Identify Disconnect Points:** Based on the connectivity assessment, identify the most natural and effective physical choke points (e.g., DMZ firewalls, specific cables) that could be used to sever the IT/OT connection rapidly.
### Short-term Improvements (1-3 months)
1. **Develop a Formal Disconnect Plan:** Create a written Incident Response (IR) plan detailing the steps required to safely and quickly isolate the OT network from the IT network during a ransomware or major cyber incident.
2. **Determine Critical Data Flows:** Document all mission-critical or business-critical information that traverses or relies on the IT-OT connection (e.g., billing data, work orders, regulatory reports). This informs the impact analysis of a disconnect.
3. **Establish Manual Operation Procedures:** Document procedures for safely maintaining or halting OT operations manually if connectivity to IT/ERP systems (like those providing serial numbers or work orders) is severed.
### Long-term Strategy (3+ months)
1. **Implement Network Segmentation:** Actively work to enforce strong network segmentation between IT, DMZ, and OT environments, ideally utilizing firewalls at choke points, as recommended in the Network Segmentation Toolkit provided by OT-CERT.
2. **Conduct Disconnect Tabletop Exercises:** Regularly practice the documented disconnect/reconnect procedure using tabletop exercises to validate decision points, timelines, and communication paths.
3. **Supply Chain Risk Management:** Promote OT-CERT membership and secure configuration best practices to critical suppliers, proactively quantifying the risk their potential compromise poses to your operations.
## Implementation Guidance
### For Small Organizations
- **Focus on Fundamentals:** Prioritize accessing and utilizing the OT-CERT "OT Cybersecurity Fundamentals Self-Assessment Survey" and the "OT Asset Management Toolkit" as the starting point for establishing a baseline program.
- **Physical Disconnection Strategy:** Since sophisticated segmentation may be costly, focus heavily on creating simple, executable procedures for physically pulling cables or powering off specific boundary devices known to connect IT to OT.
### For Medium Organizations
- **Utilize Segmentation Tools:** Leverage the OT-CERT "Network Segmentation Toolkit" and "Firewall Configuration Toolkit" to design and document a robust DMZ architecture that controls and inspects *all* traffic between IT and OT.
- **Implement Host-Based Logging:** Begin deploying capabilities outlined in the "Host-Based Logging and Centralized Logging Toolkits" to gain visibility on assets near the IT/OT boundary for early detection.
### For Large Enterprises
- **Incorporate Third-Party Risk:** Ensure that OT risk assessments explicitly quantify the likelihood and impact of cyber incidents originating from critical suppliers (supply chain risk).
- **Refine Disconnect Scenarios:** Develop granular, tiered disconnect plans considering various failure modes (e.g., partial loss vs. total ransomware event) and integrate the results into enterprise-wide IR plans, paying close attention to billing and regulatory ramifications (like the Colonial Pipeline example).
## Configuration Examples
*The source material directly points toward using specific toolkits rather than providing configuration examples. Actual configuration advice will be found within the linked OT-CERT resources.*
**Key Infrastructure Focus Areas (to be configured based on OT-CERT Toolkits):**
* Network Choke Point Configuration (e.g., DMZ Firewall rules permitting only required OT/IT communication).
* Host Hardening baselines via the System Hardening Toolkit.
* Secure Remote Access implementation using the Secure Remote Access Toolkit.
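As an added configuration example (not from the post or the OT-CERT toolkits), the choke-point policy on a Linux nftables firewall separating IT, DMZ and OT: default deny, only the required flows permitted, and an empty `emergency_disconnect` chain that the disconnect plan can populate with a single command. Interface names, addresses and ports are assumptions.

```nft
# Added example, not from the Dragos post: three-zone IT / DMZ / OT boundary
# on one nftables firewall. Assumed interfaces it0, dmz0, ot0; addresses are placeholders.
table inet it_ot_boundary {

    # Normally empty. The disconnect plan adds one rule here and the reconnect
    # step flushes it, so nobody has to rebuild the firewall under duress:
    #   disconnect: nft add rule inet it_ot_boundary emergency_disconnect iifname "it0" counter drop
    #   reconnect:  nft flush chain inet it_ot_boundary emergency_disconnect
    chain emergency_disconnect {
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Evaluated before conntrack, so an emergency rule also kills established IT sessions.
        jump emergency_disconnect

        ct state established,related accept
        ct state invalid drop

        # OT pushes historian data to the DMZ replica only, never directly to IT.
        iifname "ot0" oifname "dmz0" ip saddr 10.20.0.0/24 ip daddr 10.30.0.10 tcp dport 5432 accept

        # IT reads the DMZ replica over HTTPS. There is deliberately no IT -> OT rule.
        iifname "it0" oifname "dmz0" ip saddr 10.10.0.0/16 ip daddr 10.30.0.10 tcp dport 443 accept

        # Everything else is logged before it is dropped; the drop log doubles as the
        # inventory of undocumented IT/OT pathways that the disconnect plan must cover.
        counter log prefix "it-ot-boundary-drop: " drop
    }
}
```

Pathways that bypass this device (a vendor VPN, an undocumented patch cable) are not affected by the emergency rule and need their own entry in the disconnect plan.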
## Compliance Alignment
While the OT-CERT resources aim to establish a *minimum baseline* of protection rather than to meet full compliance standards, adherence to their guidance supports foundational controls aligned with:
- **NIST Cybersecurity Framework (Identify & Protect):** Especially asset management, risk assessment, and awareness training components.
- **ISO 27001/27002 (Information Security Controls):** Related to access control segmentation and incident management planning.
- **CIS Critical Security Controls (CSC):** Foundational controls related to inventory (Asset Management) and boundary defense (Network Segmentation).
## Common Pitfalls to Avoid
1. **Assuming Security is Complete:** Believing that having a strong IT security posture inherently protects the OT environment. The risk of IT compromise leading to OT impact is high.
2. **Lacking a Pre-Planned Disconnect:** Without a rehearsed plan for immediate isolation, organizational leaders must make panicked, complex decisions under duress, potentially leading to extended downtime. Disconnecting is still the safe choice, but preparation minimizes the downside.
3. **Ignoring the "Why":** Disconnecting without understanding the immediate operational impact (e.g., inability to bill, receive work orders, or safely shut down production) can cause operational failure even if the cyber threat is averted.
4. **Viewing OT Security in Isolation:** Failing to engage with critical suppliers regarding their security posture, thereby inheriting significant supply chain risk.
## Resources
* **OT Cybersecurity Program Establishment:** Dragos OT-CERT (Free membership for asset owners/operators).
* **Essential Toolkits Available via OT-CERT:**
  * OT Asset Management Toolkit
  * Collection Management Framework for Incident Response
  * Network Segmentation Toolkit
  * Firewall Configuration Toolkit
  * Self-Service OT Ransomware Tabletop Exercise Toolkit
* **Training:** Introductory ICS/OT cybersecurity courses in Dragos Academy.