About this program
The Purdue model still matters. This is a quick check of the boundary between IT and OT, the OT DMZ (the IDMZ), and what is allowed to cross it.
Risks addressed
- Ransomware on the IT side propagates to OT (Critical)
- OT engineers bridge networks with a laptop (High)
- Vendors connect directly to PLCs / HMIs from the corporate VPN (Critical)
Controls (6)
- IT / OT boundary firewall with explicit allowlist (Critical)
  Testing procedure: Firewall rule list is documented; default-deny applies between IT and OT zones.
  Evidence to collect: Firewall rules export.
- Industrial DMZ between IT and OT (Critical)
  Testing procedure: Historian, jump host and update server live in the IDMZ, not directly inside OT.
  Evidence to collect: Network diagram.
- No direct internet egress from OT networks (Critical)
  Testing procedure: OT zones cannot reach the internet directly; only via brokered services.
  Evidence to collect: Egress rule export.
- No dual-homed laptops or "swing" devices (High)
  Testing procedure: Engineering laptops connect to OT or IT, never both. Enforce with NAC.
  Evidence to collect: NAC policy + audit log.
- Vendor remote access via jump host + MFA (Critical)
  Testing procedure: Vendors connect to a brokered jump host with session recording, MFA and time-limited tickets.
  Evidence to collect: Remote-access platform config.
- Inter-zone communications logged (High)
  Testing procedure: Boundary firewall + IDMZ flows mirrored to SIEM (or OT-specific monitoring).
  Evidence to collect: SIEM source inventory.
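The first three controls (explicit allowlist with default-deny, traffic brokered through the IDMZ, no direct OT egress) can be checked mechanically against the firewall rules export you collect as evidence. The script below is an added example, not part of this program; it assumes a zone-based CSV export with the constructed columns name, src_zone, dst_zone, service, action, and zone names IT, IDMZ, OT and INTERNET.

```python
import csv
import io
from typing import Dict, List

# Constructed sample export (not from any real site). Columns mirror a typical
# zone-based firewall CSV export; rules are evaluated top-down.
RULE_EXPORT = """\
name,src_zone,dst_zone,service,action
it-to-idmz-historian,IT,IDMZ,tcp/443,allow
idmz-to-ot-historian,IDMZ,OT,tcp/502,allow
it-to-ot-legacy,IT,OT,any,allow
ot-egress,OT,INTERNET,any,allow
default-deny,any,any,any,deny
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into a list of rule dicts, preserving rule order."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_boundary(rules: List[Dict[str, str]]) -> List[str]:
    """Return one finding per violation of the boundary controls."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        zones = {r["src_zone"], r["dst_zone"]}
        # Control: IDMZ between IT and OT. IT<->OT should always hop via IDMZ.
        if zones == {"IT", "OT"}:
            findings.append(f"{r['name']}: direct IT<->OT flow bypasses the IDMZ")
        # Control: explicit allowlist. Any allow touching OT must name a service.
        if "OT" in zones and r["service"] == "any":
            findings.append(f"{r['name']}: allow touching OT with service 'any' (not an explicit allowlist)")
        # Control: no direct internet egress from OT.
        if r["src_zone"] == "OT" and r["dst_zone"] == "INTERNET":
            findings.append(f"{r['name']}: direct internet egress from OT")
    # Control: default-deny. The last rule must be a catch-all deny.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src_zone"] == last["dst_zone"] == "any"):
        findings.append("no terminal default-deny rule between zones")
    return findings


if __name__ == "__main__":
    for finding in audit_boundary(parse_export(RULE_EXPORT)):
        print("FINDING:", finding)
```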