System hardening is essential as industrial control environments become increasingly interconnected and exposed to targeted cyber threats. While layered defenses help prevent external threats from reaching critical assets, hardening ensures that the control system as a whole remains resilient—even in the event of deeper intrusion. It is a vital step toward maintaining operational integrity, minimizing risk propagation across subsystems, and aligning with modern cybersecurity standards.
Below are high-level examples of hardening actions.
- Network Isolation: Separate control systems from corporate IT networks and the internet using firewalls and DMZs.
- Security Zoning: Divide the system into smaller, well-defined zones (e.g., safety, control, monitoring) with controlled communication paths.
- Strong Password Policies: Enforce complex passwords, regular changes, and avoid default credentials.
- Role-Based Access Control (RBAC): Assign permissions based on user roles to limit access to only what's necessary.
- Disable Unused Services and Ports: Reduce attack surface by turning off unnecessary features and interfaces.
- Secure Configuration: Apply recommended security settings and avoid factory defaults.
- Patch Management: Keep firmware and software up to date with vendor-approved security patches.
- Logging and Monitoring: Enable audit logs and real-time monitoring to detect anomalies and unauthorized access.
- Physical Security Controls: Restrict physical access to control equipment and network infrastructure.
- Backup and Recovery Plans: Ensure regular backups and tested recovery procedures for critical systems.
For detailed guidance about the system hardening, refer to the latest applicable Cyber Security Deployment Guideline, chapter Basic system hardening rules.