OT Network Security in IACS: Where Risk Moves Faster Than Your Firewall Rules + Video

By /

Listen to this Post

Featured Image

Introduction:

In Industrial Automation and Control Systems (IACS), network security is not merely an IT appendage; it is the primary battlefield where operational safety meets cyber threats. Unlike corporate networks where data confidentiality is king, OT environments prioritize availability and deterministic process control, creating a unique attack surface. As IT/OT convergence accelerates, understanding how to segment traffic, monitor industrial protocols, and control remote access is critical to containing the “blast radius” of a potential breach.

Learning Objectives:

  • Understand the core attack vectors specific to IACS environments, including protocol abuse and lateral movement.
  • Learn how to architect and enforce network segmentation based on the IEC 62443 standard.
  • Gain practical knowledge of configuring industrial firewalls, IDS/IPS, and secure remote access solutions.
  1. Why Standard IT Firewalls Fail in the OT Trenches

In a corporate setting, a firewall is often viewed as a perimeter guard that blocks unwanted internet traffic. In an IACS environment, it is a precision tool used to enforce the “zones and conduits” model outlined in standards like ISA/IEC 62443. Industrial networks are not built on trust; they are built on deterministic behavior. A standard IT firewall might understand IP addresses and ports, but it is often blind to the industrial protocols riding on top, such as Modbus TCP, Profinet, or OPC UA.

To secure an IACS network effectively, you must move beyond simple IP restrictions. An industrial-aware firewall must inspect the payload of a Modbus packet to ensure a write command is not being sent to a holding register that controls a pressure valve.

Step‑by‑step guide: Configuring a Basic OT Zone Separation (Using iptables concepts for simulation):
While physical industrial firewalls (like those from Tofino or Hirschmann) have GUIs, the logic can be simulated in Linux to understand the packet flow.

  1. Identify the Interfaces: Assume `eth0` connects to the IT corporate network (Level 3/4) and `eth1` connects to the OT process network (Level 2).

2. Block All Traffic by Default:

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP

3. Allow Established Connections: Allow return traffic for connections initiated from the OT side (e.g., updates from a specific patch management server).

sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

4. Restrict by Protocol (Modbus Example): Allow a specific engineering workstation (192.168.1.10) to talk to a specific PLC (192.168.2.50) only on port 502 (Modbus), but then reject any write commands (simulated by rate limiting or deep packet inspection logic usually done by tools like nfqueue).

 Allow the connection
sudo iptables -A FORWARD -s 192.168.1.10 -d 192.168.2.50 -p tcp --dport 502 -j ACCEPT
 Note: Actual function code blocking requires an IPS.
  1. IDS/IPS: The Art of Passive Monitoring vs. Active Blocking

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical for visibility, but they must be deployed with surgical precision in OT. The primary rule is “do no harm.” A passive Network-based IDS (NIDS) can monitor a SPAN port on a switch, building a baseline of normal traffic. In contrast, an active IPS sits inline; if it misidentifies a rare but legitimate engineering command as malicious and blocks it, the result could be a catastrophic production halt.

Step‑by‑step guide: Deploying a Passive NIDS (Snort) on an OT Network Mirror Port
This setup assumes you have a Linux machine connected to a switch port configured for port mirroring (SPAN).

1. Install Snort:

sudo apt-get update
sudo apt-get install snort

2. Configure the Network Variables: Edit `/etc/snort/snort.conf`.

  • Set `ipvar HOME_NET [192.168.1.0/24,192.168.2.0/24]` (Your OT subnets).
  • Set ipvar EXTERNAL_NET !$HOME_NET.
  1. Add Industrial Protocol Rules: Snort rules can detect abnormal protocol usage. Create a local rule file (/etc/snort/rules/local.rules) to detect a potential Modbus scan: 
    alert tcp $HOME_NET any -> $HOME_NET 502 (msg:"Potential Modbus Scan"; flow:to_server; detection_filter:track by_src, count 30, seconds 5; sid:1000001;)

    This rule alerts if a host sends 30 packets to port 502 (Modbus) within 5 seconds, which is atypical for a slow-polling industrial network.

4. Run in IDS Mode:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Use `-i` to specify the interface connected to the SPAN port. You are watching, not blocking.

3. VPN & Remote Access: The Encrypted Backdoor

Remote vendor access is one of the highest risks in OT. While a VPN encrypts the tunnel, it does not inherently secure the endpoint or the session. If a vendor’s laptop is compromised, the encrypted tunnel becomes a highway for malware into the plant floor. The solution lies in “least privilege” and strict access controls layered on top of the VPN.

Step‑by‑step guide: Enforcing Time-Bound Access with WireGuard

WireGuard is a modern, high-performance VPN that is simpler than IPsec. Combined with firewall rules, you can enforce time-bound access.

1. Install WireGuard on the OT Gateway:

sudo apt install wireguard

2. Generate Server and Client Keys:

 On server
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

3. Configure the Server (/etc/wireguard/wg0.conf): Define the VPN subnet and peer (the vendor).

[bash]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <server_private_key>

[bash]
PublicKey = <vendor_public_key>
AllowedIPs = 10.0.0.2/32

4. Implement Time-Bound Access (Linux Cron + iptables):

To enforce a temporary 4-hour window, create a script (/usr/local/bin/vendor_access.sh) that modifies the firewall to drop the peer’s traffic after hours.

!/bin/bash
 Add this to cron to run at 8 AM: add vendor route
iptables -I FORWARD -s 10.0.0.2 -j ACCEPT

Run at 12 PM: remove vendor route
iptables -D FORWARD -s 10.0.0.2 -j ACCEPT
wg set wg0 peer <vendor_public_key> remove
  1. Network Segmentation: VLANs and the Demilitarized Zone (DMZ)

Flat networks are the enemy of resilience. If an attacker breaches one HMI in a flat network, they can likely reach the engineering workstation and then the PLCs. Segmentation forces the attacker to pivot through controlled choke points where security controls can inspect the traffic. The Purdue Model provides the blueprint for this, with a DMZ acting as the buffer between the chaotic IT world and the deterministic OT world.

Step‑by‑step guide: Creating a Layer 3 Boundary with a Router-on-a-Stick
Using a managed switch and a router/firewall (simulated with Linux), you can segment traffic.

1. On the Switch: Create VLANs. For example:

  • VLAN 10: Corporate IT (Level 3)
  • VLAN 20: Control Center (Level 2 – HMI)
  • VLAN 30: Plant DMZ (Historian, Patch Server)
  1. Configure Trunk Port: Set the port connecting to the firewall/router to trunk mode, allowing all VLANs (tagged).
  2. On the Linux Firewall (Router-on-a-Stick): Create virtual interfaces. 
    Assign IPs to sub-interfaces
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip link add link eth0 name eth0.20 type vlan id 20
sudo ip link add link eth0 name eth0.30 type vlan id 30</li>
</ol>

sudo ip addr add 192.168.10.1/24 dev eth0.10  IT Gateway
sudo ip addr add 192.168.20.1/24 dev eth0.20  OT Gateway
sudo ip addr add 192.168.30.1/24 dev eth0.30  DMZ Gateway

sudo ip link set eth0.10 up
sudo ip link set eth0.20 up
sudo ip link set eth0.30 up

    4. Apply Routing Rules: Traffic from VLAN 20 (OT) can only initiate connections to specific IPs in VLAN 30 (DMZ) for data historization, but never directly to VLAN 10 (IT).

    5. Protocol Abuse and How to Catch It

    Attackers rarely brute-force an HMI login. Instead, they exploit the trust inherent in industrial protocols. For example, Modbus TCP has no inherent security; a successful ARP spoofing attack on the network allows an attacker to sit between the HMI and the PLC, altering the values the operator sees (a Man-in-the-Middle attack) or sending malicious “stop” commands directly to the coil.

    Step‑by‑step guide: Detecting ARP Spoofing in the OT Network
    ARP spoofing disrupts the MAC-to-IP mapping, causing traffic to flow through the attacker.

    1. Use `arpwatch` to Build a Baseline: This tool monitors ethernet traffic and logs pairings. 
      sudo apt install arpwatch
sudo arpwatch -i eth0

      It will log to /var/log/syslog. Any change in MAC address for a critical PLC IP will trigger an alert.

    2. Manual Inspection with `arp` and `ping`:

    • Note the MAC address of the PLC when the network is known-good.
      – `arp -a | grep ` (Check the current ARP cache).
    • If the MAC changes unexpectedly (and it’s not a NIC replacement), run a network scan.
    1. Use `tcpdump` to Spot Anomalies: Look for a high volume of ARP replies. 
      sudo tcpdump -i eth0 arp

      If you see a single IP claiming two different MAC addresses rapidly, you are likely witnessing an ARP spoofing attack.

    What Undercode Say:

    • Passivity is not weakness: In OT, choosing IDS over IPS is a strategic decision to prioritize uptime, but it requires a mature incident response team that can act on passive alerts instantly.
    • Convergence complicates everything: The shift to smart manufacturing is forcing Level 3 (Operations) and Level 2 (Control) to interact more, but this data exchange must happen through a DMZ, not a direct bridge.

    Analysis:

    The post correctly highlights that network security in IACS is about controlling communication, not just building walls. The debate between Ashish Kumar and Adarsa Dora in the comments is crucial: IPS is often prohibited deep in Level 2 because a false positive is a physical incident. However, at the Level 3.5 DMZ boundary, IPS might be acceptable. The future of OT security lies in “software-defined” segmentation that can adapt to threats without rebooting controllers, combined with deep packet inspection engines that understand that a specific Function Code 15 (Write Multiple Coils) is normal from the engineering workstation but deadly from the HVAC system.

    Prediction:

    As OT environments adopt more Industry 4.0 technologies, network security will shift from rigid, static firewalls to AI-driven anomaly detection that baselines “normal” process behavior. However, the talent gap will widen; the industry will need engineers who understand both a Python script and a PID loop. The next major breach will likely occur not because a firewall was missing, but because a legitimate remote access session was hijacked and used to issue malicious commands that appeared “protocol-compliant” to the security stack. Expect stricter regulatory mandates for session recording and just-in-time access privileges for vendors.

    ▶️ Related Video (82% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Adarsa Dora – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: