4 Steps to Better Protect OT Networks From Cyber Attacks

As OT (Operational Technology) networks converge with IT networks, network security is a serious concern. OT systems that used to be air-gapped must still protect network communications without interrupting operations. To protect your industrial networks and critical assets, you need a secure network infrastructure with powerful secure routers to build solid network segmentation.  The following four steps show how you can secure your OT networks while ensuring they are resilient to threats and disruption.

1. Manage Your OT Networks

Operators who manage their OT network (rather than relying on the IT department) can quickly respond to problems and troubleshoot issues more rapidly. Before you can protect the assets on your OT network, you need to know what is there – and what isn’t. It’s critical that OT operators have complete visibility to everything on their networks – just like IT network administrators do. Make sure everything that should be on your OT network is there. And identify anything that should not be there.

Managing your OT network requires controlling who has access to the network by utilizing network Access Control Lists (ACL) and other authentication mechanisms. In other words, everything on the trusted list is allowed to go through the network, and anything not specified is blocked. An Access Control List filters traffic and allows users to configure customized filter criteria and deny access to specific source or destination IP/MAC addresses. For example, access control lists found in Moxa’s Layer 3 Ethernet switches make it easy to quickly establish filtering rules, manage rule priorities, and view overall settings in the display page.

Also, there are simple mechanisms that OT operators can set up to define which equipment, like a PLC, can be connected to the network by port access control or secure “sticky” MAC address, which dynamically associates the mac-address to the port. Without the sticky option, the mac-address association goes away after a specified period of time.

2. Patch Vulnerabilities

Equipment and devices running on OT networks cannot be upgraded or replaced like they can on IT networks. Many legacy OT devices remain unpatched and are relatively easy for hackers to exploit. Some of those legacy devices may be running on operating systems as old as Windows 95. If no patch is available from the original equipment vendor, consider putting a virtual patch on a device that goes in front of your legacy devices.

3.  Segment Your OT Networks

Segmenting OT networks prevent cyber threats from spreading to other parts of the network.

Unlike IT networks that can be segmented by dividing the network into different departments with their own set of permissions, OT networks are basically one big Intranet where everything is connected. This makes OT networks more difficult to segment, but not impossible. There are two ways you can segment an OT network:

  • Vertical segmentation involves adding an Industrial Demilitarized Zone (IDMZ) between the IT network and OT network. Although this separation should be mandatory, many companies still have not segmented their OT networks from their IT networks.
  • Horizontal or lateral segmentation involves creating and separating cells, zones, and sites on the OT network. A cell is essentially a tiny place where all equipment is stored, such as a cabinet. Several cells can form a zone, and multiple zones can form a site.

Moxa recommends:
Establishing Zones and Conduits:

  • VLAN: Moxa’s devices help administrators restrict users access to only data and parts of the network necessary for them to perform their responsibilities.
  • Firewalls: Moxa’s devices help administrators establish conduits in the network to only allow permitted traffic and packets to transfer from one zone to another.
  • NAT: Moxa’s devices help administrators establish a private local zone to hide internal network information from external probing.

Network Security Control:

  • VLAN ID or MAC Addresses: Moxa’s devices only allow users to access data and networks based on their roles.
  • IP Addresses and Ports: Moxa’s devices only allow permitted traffic on the network.
  • Deep Packet Inspection: Moxa’s devices check the content of each packet payload to ensure only approved content is transmitted on the networks.

4. Secure Remote Connections

Besides managing and segmenting OT networks, it’s also important that remote connections are secure. Protecting the data that is secure remote access for OT networkstransmitted from your plant or remote site back to the monitoring and control center is absolutely crucial. Ensure that each remote connection to your OT network is both authenticated and encrypted. Authentication verifies the identity of the user requesting access whereas encryption ensures that the data transmitted is securely encoded and cannot be easily deciphered by prying eyes.

  • Enable a management platform to control all remote connections.
  • Encrypt end-to-end communication to prevent data leaks.
  • Ensure all remote connections are pre-configured with correct access control.

Moxa’s Remote Connect (MRC) Suite is a management suite for remote connections that lets you  easily build remote connections for your devices by using Moxa Remote Connect Quick Link service or you can also build your own private MRC server portal.

As a leading industrial networking provider, MSI TEC can help you develop secure and reliable networking solutions that protect OT environments from cyber threats. As an authorized Moxa, Cisco, Advantech, Axiomtek and Weidmuller distributor, we offer the widest range of rugged networking products that are designed specifically for industrial applications.

Contact us. 

abstract cyberspace background
Liked this article? Share:

Explore More Posts


Monitor Equipment 24|7 With Omron K6PM

Safely monitor equipment around the clock Continuous thermal monitoring is the key for optimizing predictive maintenance and eliminating unnecessary downtime. Using our K6PM thermal condition monitoring device, you can keep tabs on your equipment 24/7

Read More »

Cisco Ultra-Reliable Wireless Backhaul Selection Guide

Get ultra-reliable wireless connectivity for any application, anywhere, with Cisco’s Ultra-Reliable Wireless Backhaul (formely known as FluidMesh). Cisco Ultra-Reliable Wireless Backhaul is a wireless technology that enables you to connect moving assets or extend your

Read More »
Classes & Training

Cybersecurity Webinar Series – Part 1

Moxa is offering a 3-part webinar series that discusses common cybersecurity structures. Cybersecurity Webinar Series Part 1 of 3: Defense-in-Depth Date: April 19, 2023 Time: 11:00 AM – 11:30 AM PDT Defense-in-depth continues to be an important

Read More »

10 Advantages of Remote Access

The ability to remotely access a machine’s control system can help troubleshoot and resolve the majority of problems encountered, avoiding the need for technicians or engineers to travel to the site. These problems can often

Read More »
Uport 400A USB models
Industrial Networking

Moxa Expansion USB 3.2 Hubs Are IF Certified

Expand your connections with Moxa’s 3.2 USB-IF certified hubs for better reliability. Moxa’s new UPort 400A and Uport 200A series expand USB ports into 4 or 7 USB ports with USB 3.2 SuperSpeed. The industrial

Read More »

Subscribe to our Newsletter

Be the first to learn about classes, training, webinars, products news and more.

Contact us