# Industrial Network Security Implementation Roadmap

## 90-Day Quick Start Guide

This document provides a practical, step-by-step roadmap for implementing industrial network security in 90 days.

---

## Overview

This roadmap is designed for organizations that need to implement basic industrial cybersecurity quickly while working toward full IEC 62443 compliance.

**Timeline**: 90 days (can be adjusted based on resources)

**Goal**: Achieve 70-80% compliance with critical security controls

**Based On**: IEC 62443, NIST SP 800-82, CISA Guidelines

---

## Week 1-2: Quick Assessment

### Day 1-3: Inventory and Discovery

```
✓ List all PLCs (model, IP, firmware, location)
✓ Create basic network diagram
✓ Document who has access (local and remote)
✓ List all HMI/SCADA systems
✓ Identify critical production systems
```

**Deliverable**: Asset inventory spreadsheet + network diagram

### Day 4-7: Quick Risk Assessment

```
✓ Identify top 5 critical assets
✓ Rate each asset: Impact (1-5), Likelihood (1-5)
✓ Calculate risk scores
✓ Prioritize based on risk score
```

**Risk Matrix Template:**

| Asset | Impact | Likelihood | Risk Score | Priority |
|-------|--------|------------|------------|----------|
| PLC-REACTOR-01 | 5 (Safety) | 4 | 20 | P1 |
| HMI-CONTROL-01 | 4 | 3 | 12 | P2 |

### Day 8-10: Gap Analysis

```
✓ Check current security controls
✓ Compare against critical requirements
✓ Create quick-win list (no downtime needed)
```

**Critical Requirements Checklist:**

- [ ] PLC password protection
- [ ] IP access control
- [ ] Firewall between IT/OT
- [ ] Remote access controls
- [ ] Backup procedures
- [ ] Logging enabled

---

## Week 3-4: Quick Wins (No Downtime)

### Tasks That Can Be Done Immediately

#### 1. Enable PLC Password Protection

```
Time: 15 minutes per PLC
Risk: None
Impact: HIGH

Steps:
1. Open TIA Portal
2. PLC Properties → Protection
3. Set "Read/Write Protection"
4. Create strong password (min 8 chars)
5. Document in password vault
6. Download to PLC
```

**Password Requirements:**

- Minimum 8 characters
- Mix of uppercase, lowercase, numbers
- Store in secure password manager
- Change every 90 days
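The Day 4-10 risk scoring and gap analysis above are usually kept in a spreadsheet, but the same logic fits in a few lines of code that produce the risk matrix and the quick-win list directly from the inventory. The following Python script is an added example and not part of the roadmap: the inventory rows are constructed, and the priority bands (P1 at 15 or above, P2 at 8 or above, P3 below) are an assumption chosen to agree with the two rows of the risk matrix template (20 is P1, 12 is P2). It only covers the per-asset controls from the Day 8-10 checklist; the IT/OT firewall and remote access controls are network-level and are tracked separately.

```python
"""Week 1-2 assessment helper: score assets and list quick wins.

Added example (not part of the roadmap). Inventory rows are constructed;
priority bands are an assumption matching the roadmap's two sample rows.
"""
from dataclasses import dataclass, field

# Per-asset controls from the Day 8-10 critical requirements checklist.
ASSET_CONTROLS = ("password_protection", "ip_acl", "backup", "logging")


@dataclass
class Asset:
    name: str
    impact: int                     # 1-5 (5 = safety impact)
    likelihood: int                 # 1-5
    controls: dict = field(default_factory=dict)   # control name -> in place?

    def risk_score(self) -> int:
        """Risk score = Impact x Likelihood, as in the Day 4-7 steps."""
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.name}: impact and likelihood must be 1-5")
        return self.impact * self.likelihood


def priority(score: int) -> str:
    """Assumed bands: P1 >= 15, P2 >= 8, otherwise P3."""
    if score >= 15:
        return "P1"
    if score >= 8:
        return "P2"
    return "P3"


def rank_assets(assets):
    """Highest risk first; ties broken by name so the output is stable."""
    return sorted(assets, key=lambda a: (-a.risk_score(), a.name))


def quick_wins(assets):
    """(priority, asset, missing control) tuples, highest-risk asset first."""
    gaps = []
    for asset in rank_assets(assets):
        pri = priority(asset.risk_score())
        for control in ASSET_CONTROLS:
            if not asset.controls.get(control, False):
                gaps.append((pri, asset.name, control))
    return gaps


def risk_matrix(assets) -> str:
    """Render the roadmap's risk matrix table in Markdown."""
    lines = ["| Asset | Impact | Likelihood | Risk Score | Priority |",
             "|-------|--------|------------|------------|----------|"]
    for a in rank_assets(assets):
        score = a.risk_score()
        lines.append(f"| {a.name} | {a.impact} | {a.likelihood} | {score} | {priority(score)} |")
    return "\n".join(lines)


# Constructed sample inventory (names follow the roadmap's naming style).
INVENTORY = [
    Asset("PLC-REACTOR-01", 5, 4,
          {"password_protection": False, "ip_acl": False, "backup": True, "logging": False}),
    Asset("HMI-CONTROL-01", 4, 3,
          {"password_protection": True, "ip_acl": False, "backup": False, "logging": True}),
    Asset("PLC-PACKAGING-02", 2, 2,
          {"password_protection": False, "ip_acl": False, "backup": False, "logging": False}),
]

if __name__ == "__main__":
    print(risk_matrix(INVENTORY))
    print()
    for pri, name, control in quick_wins(INVENTORY):
        print(f"{pri}  {name:<18} missing: {control}")
```

Because the gap list is ordered by risk score, the first entries are the controls to apply during Week 3-4 before anything else; re-running the script after each quick win gives the "Expected Compliance" figure something measurable to stand on.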
#### 2. Configure IP Access Control Lists

```
Time: 10 minutes per PLC
Risk: None (tested before applying)
Impact: HIGH

Steps:
1. List authorized IPs (HMI, Engineering station)
2. PLC Properties → Connection mechanisms
3. Enable "Permit access only for..."
4. Add authorized IPs
5. Test from authorized station
6. Download to PLC
```

**Example ACL:**

```
Allowed IPs:
- 192.168.10.50 (Engineering Station)
- 192.168.10.60 (HMI-01)
- 192.168.10.70 (SCADA Server)
```

#### 3. Disable Unused PLC Services

```
Time: 5 minutes per PLC
Risk: Low (test first)
Impact: MEDIUM

Disable if not needed:
- [ ] Web Server (HTTP/HTTPS)
- [ ] FTP Server
- [ ] SNMP
- [ ] Modbus TCP
```

#### 4. Change Default Passwords

```
Time: Varies
Risk: None
Impact: HIGH

Change passwords on:
- [ ] HMI systems
- [ ] SCADA servers
- [ ] Network switches
- [ ] Firewalls
- [ ] Routers
```

#### 5. Enable Logging

```
Time: 30 minutes
Risk: None
Impact: MEDIUM

Enable logs on:
- [ ] PLCs (if supported)
- [ ] Firewalls
- [ ] Switches
- [ ] HMI/SCADA systems
- [ ] Engineering stations
```

#### 6. Create Baseline Backups

```
Time: 1 hour
Risk: None
Impact: HIGH

Backup:
- [ ] All PLC programs
- [ ] HMI projects
- [ ] SCADA configurations
- [ ] Network device configs
- Store in 3 locations (network, external drive, off-site)
```

**End of Week 4 Status Check:**

- [ ] All PLCs have passwords
- [ ] IP ACLs configured
- [ ] Unused services disabled
- [ ] Default passwords changed
- [ ] Logging enabled
- [ ] Backups created

**Expected Compliance: ~40%**

---

## Week 5-6: Basic Network Security

### Task 1: Install Firewall Between IT and OT

```
Time: 2-4 hours (includes planning)
Risk: Medium (requires downtime)
Impact: CRITICAL

Steps:
1. Purchase industrial firewall (or use existing)
2. Design firewall rules (whitelist only)
3. Schedule maintenance window
4. Install firewall
5. Configure and test rules
6. Document configuration
```
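Step 2 above asks for a whitelist-only rule design, and the IP ACL from quick win 2 follows the same model on each PLC: every permitted flow is listed explicitly and anything not listed is dropped. The Python script below is an added example, not part of the roadmap or of any firewall product: it evaluates candidate flows against allow rules built from the ACL addresses in quick win 2 (192.168.10.50, .60 and .70) and audits a rule set for entries that would quietly widen it. The PLC subnet 192.168.10.128/25 and the use of TCP port 102 for Siemens S7 communication are assumptions made for the example.

```python
"""Default-deny flow check for the IT/OT firewall and PLC IP ACLs.

Added example, not from the roadmap. Station addresses come from the
Week 3-4 ACL example; the PLC subnet and S7 port are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # host address or CIDR
    dst: str                # host address or CIDR
    dport: Optional[int]    # None = any destination port
    proto: str = "tcp"

    def matches(self, src_ip: str, dst_ip: str, dport: int, proto: str) -> bool:
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (ipaddress.ip_address(src_ip) in src_net
                and ipaddress.ip_address(dst_ip) in dst_net
                and (self.dport is None or self.dport == dport)
                and self.proto == proto)


# Authorized stations from the Week 3-4 ACL example.
ENGINEERING = "192.168.10.50"
HMI_01 = "192.168.10.60"
SCADA = "192.168.10.70"
PLC_NET = "192.168.10.128/25"   # assumed PLC address range (constructed)
S7_PORT = 102                   # assumed: Siemens S7 communication on TCP 102

ALLOW_RULES = [
    Rule("scada-to-plc-s7", SCADA, PLC_NET, S7_PORT),
    Rule("hmi-to-plc-s7", HMI_01, PLC_NET, S7_PORT),
    Rule("eng-to-plc-s7", ENGINEERING, PLC_NET, S7_PORT),
]


def evaluate(rules, src_ip, dst_ip, dport, proto="tcp"):
    """First matching allow rule wins; everything else hits the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport, proto):
            return ("ALLOW", rule.name)
    return ("DENY", "default-deny")


def audit_rules(rules):
    """Flag rules that defeat the whitelist model (any source, any destination, any port)."""
    findings = []
    for rule in rules:
        if ipaddress.ip_network(rule.src, strict=False).prefixlen == 0:
            findings.append(f"{rule.name}: source is any")
        if ipaddress.ip_network(rule.dst, strict=False).prefixlen == 0:
            findings.append(f"{rule.name}: destination is any")
        if rule.dport is None:
            findings.append(f"{rule.name}: all destination ports permitted")
    return findings


if __name__ == "__main__":
    # Constructed flows: an authorized engineering session, a corporate laptop
    # reaching for a PLC, and the HMI trying the PLC web server (disabled in quick win 3).
    for flow in [(ENGINEERING, "192.168.10.140", 102),
                 ("10.0.5.23", "192.168.10.140", 102),
                 (HMI_01, "192.168.10.140", 80)]:
        print(flow, "->", evaluate(ALLOW_RULES, *flow))
    print("audit:", audit_rules(ALLOW_RULES + [Rule("temp-any", "0.0.0.0/0", PLC_NET, None)]))
```

Running the audit before each change window catches the "temporary" any/any entries that the Common Pitfalls section warns grow into production-breaking rule sets; the same three tuples (source, destination, port) are what the firewall rule documentation in step 6 should record.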
**Basic Firewall Rules:**

```
ALLOW:
- SCADA → PLCs (port 102, S7 protocol)
- HMI → PLCs (port 102)
- Engineering Station → PLCs (port 102)
- Historian → PLCs (read-only)

DENY:
- All other traffic
```

### Task 2: Segment Network with VLANs

```
Time: 4-8 hours
Risk: Medium (test thoroughly)
Impact: HIGH

VLAN Structure:
- VLAN 10: Control Network (PLCs)
- VLAN 20: Supervisory (SCADA/HMI)
- VLAN 30: Engineering
- VLAN 40: DMZ (Historian)
```

### Task 3: Secure Remote Access

```
Time: 4 hours
Risk: Low
Impact: HIGH

Implementation:
1. Set up VPN server
2. Configure VPN client access
3. Require strong authentication
4. Implement VPN logging
5. Document procedures
```

**Remote Access Requirements:**

- VPN required for all external access
- Strong passwords (12+ characters)
- MFA if possible
- Session timeout: 4 hours
- All sessions logged

**End of Week 6 Status Check:**

- [ ] Firewall installed and configured
- [ ] VLANs implemented
- [ ] VPN for remote access
- [ ] Firewall rules documented

**Expected Compliance: ~55%**

---

## Week 7-8: System Hardening

### Task 1: Harden Windows Systems

```
Time: 2 hours per system
Risk: Low
Impact: MEDIUM

Apply to: HMI, SCADA, Engineering Stations

Hardening Steps:
1. Install latest Windows updates
2. Enable Windows Firewall
3. Disable unnecessary services
4. Remove unused software
5. Configure User Account Control (UAC)
6. Enable BitLocker encryption (if available)
```

**Windows Hardening Checklist:**

- [ ] Windows Firewall: Enabled
- [ ] Windows Update: Enabled (with control)
- [ ] SMBv1: Disabled
- [ ] RDP: Disabled (unless needed)
- [ ] Guest account: Disabled
- [ ] Autorun: Disabled
- [ ] Screen lock: 15 minutes

### Task 2: Deploy Antivirus

```
Time: 1 hour per system
Risk: Medium (test for false positives)
Impact: MEDIUM

Steps:
1. Choose industrial-friendly AV
2. Test in non-production first
3. Configure exclusions for control apps
4. Deploy to all Windows systems
5. Enable centralized management
```

**Important**: Some AV can interfere with real-time control systems. Test thoroughly!

### Task 3: USB Device Control

```
Time: 2 hours total
Risk: Low
Impact: MEDIUM

Options:
A) Group Policy: Disable USB storage
B) Third-party tool: Whitelist approved USB devices
C) Physical: USB port locks
```

**End of Week 8 Status Check:**

- [ ] All Windows systems hardened
- [ ] Antivirus deployed
- [ ] USB controls implemented

**Expected Compliance: ~65%**

---

## Week 9-10: Monitoring and Documentation

### Task 1: Set Up Basic Monitoring

```
Time: 8 hours
Risk: Low
Impact: HIGH

Implement:
1. Centralized log collection (syslog server)
2. Basic SIEM or log analysis tool
3. Critical alerts (email/SMS)
```

**Minimum Alerts:**

- PLC program download
- PLC mode change (RUN/STOP)
- Failed login attempts (5 within 1 hour)
- Firewall rule violations
- Antivirus detections

### Task 2: Document Everything

```
Time: 4-8 hours
Risk: None
Impact: MEDIUM

Create documentation:
1. Network architecture diagram (updated)
2. Asset inventory (complete)
3. Security configuration baselines
4. Access control matrix (who has access to what)
5. Incident response procedures (basic)
6. Backup and recovery procedures
```

**Document Templates in Appendix**

**End of Week 10 Status Check:**

- [ ] Log collection working
- [ ] Critical alerts configured
- [ ] Documentation complete

**Expected Compliance: ~70%**

---

## Week 11-12: Policies and Training

### Task 1: Create Security Policies

```
Time: 8-16 hours
Risk: None
Impact: MEDIUM

Minimum required policies:
1. Cybersecurity Policy (overall)
2. Access Control Policy
3. Password Policy
4. Remote Access Policy
5. Change Management Policy
6. Incident Response Policy
```

**Policy Template Structure:**

```
1. Purpose
2. Scope
3. Responsibilities
4. Requirements
5. Procedures
6. Exceptions
7. Enforcement
```
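The five minimum alerts listed under Week 9-10, Task 1 do not need a SIEM to be tried out: once the syslog server from that task is collecting, the rules can be prototyped against its output. The following Python script is an added example and not part of the roadmap. Its log lines and their `<ISO timestamp> key=value ...` format are constructed for the example; in a real deployment each source's native messages (PLC diagnostic buffer, firewall syslog, antivirus events) would first be normalized into that shape. The failed-login rule keeps a one-hour sliding window per host, user and source address and fires once when the fifth failure lands inside it.

```python
"""Detection logic for the Week 9-10 minimum alerts, run over sample log lines.

Added example, not part of the roadmap. Log lines and their key=value
format are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                 # "5 within 1 hour" from the roadmap
FAILED_LOGIN_WINDOW = timedelta(hours=1)


def parse_line(line):
    """Split '<timestamp> key=value key=value ...' into a dict; 'ts' becomes a datetime."""
    stamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def detect(lines):
    """Return (timestamp, severity, message) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)          # (host, user, src) -> recent failure timestamps
    for line in lines:
        ev = parse_line(line)
        host, kind, ts = ev["host"], ev["event"], ev["ts"]
        if kind == "PROGRAM_DOWNLOAD":
            alerts.append((ts, "CRITICAL",
                           f"{host}: program download by {ev.get('user')} from {ev.get('src')}"))
        elif kind == "MODE_CHANGE":
            alerts.append((ts, "CRITICAL",
                           f"{host}: mode changed {ev.get('from')} -> {ev.get('to')}"))
        elif kind == "LOGIN_FAILED":
            key = (host, ev.get("user"), ev.get("src"))
            recent = failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()           # forget failures older than the window
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire as the threshold is crossed
                alerts.append((ts, "HIGH",
                               f"{host}: {len(recent)} failed logins for {key[1]} "
                               f"from {key[2]} within 1h"))
        elif kind == "FW_DENY":
            alerts.append((ts, "MEDIUM",
                           f"{host}: blocked {ev.get('src')} -> {ev.get('dst')}:{ev.get('dport')}"))
        elif kind == "AV_DETECTION":
            alerts.append((ts, "HIGH", f"{host}: antivirus detected {ev.get('threat')}"))
    return alerts


# Constructed sample log, in chronological order.
SAMPLE_LOG = [
    "2026-02-16T08:00:05 host=HMI-CONTROL-01 event=LOGIN_FAILED user=operator src=192.168.20.15",
    "2026-02-16T08:05:10 host=HMI-CONTROL-01 event=LOGIN_FAILED user=operator src=192.168.20.15",
    "2026-02-16T08:10:00 host=HMI-CONTROL-01 event=LOGIN_FAILED user=operator src=192.168.20.15",
    "2026-02-16T08:12:00 host=PLC-REACTOR-01 event=MODE_CHANGE from=RUN to=STOP",
    "2026-02-16T08:13:30 host=PLC-REACTOR-01 event=PROGRAM_DOWNLOAD user=eng1 src=192.168.10.50",
    "2026-02-16T08:20:00 host=FW-OT-01 event=FW_DENY src=10.0.5.23 dst=192.168.10.140 dport=102",
    "2026-02-16T08:25:00 host=ENG-WS-01 event=AV_DETECTION threat=EICAR-Test-File",
    "2026-02-16T08:30:00 host=HMI-CONTROL-01 event=LOGIN_FAILED user=operator src=192.168.20.15",
    "2026-02-16T08:40:00 host=HMI-CONTROL-01 event=LOGIN_FAILED user=operator src=192.168.20.15",
    "2026-02-16T10:00:00 host=HMI-CONTROL-01 event=LOGIN_FAILED user=operator src=192.168.20.15",
]

if __name__ == "__main__":
    for ts, severity, message in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} [{severity}] {message}")
```

Note that the program download from the engineering station alerts even though the station is authorized: the point of that alert is to reconcile every download against an approved change (the Appendix D pre-change checklist), so an authorized download with no matching change ticket is exactly the case the operations team should see. The 10:00 failure does not alert because the earlier failures have aged out of the window.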
### Task 2: Conduct Security Awareness Training

```
Time: 2-4 hours
Risk: None
Impact: HIGH

Training topics:
1. Why security matters in OT
2. Password security
3. Phishing awareness
4. Physical security
5. Incident reporting
6. USB and removable media risks
```

### Task 3: Create Incident Response Plan

```
Time: 4-8 hours
Risk: None
Impact: HIGH

Plan components:
1. IR team contact list
2. Incident classification
3. Response procedures
4. Communication plan
5. Escalation matrix
```

**End of Week 12 Status Check:**

- [ ] Security policies documented
- [ ] Staff training completed
- [ ] Incident response plan ready

**Expected Compliance: ~75%**

---

## Post-90 Days: Continuous Improvement

### Immediate Next Steps (Days 91-180)

#### 1. Advanced Monitoring

- Deploy IDS/IPS for OT networks
- Implement behavior-based anomaly detection
- Set up SIEM with custom use cases

#### 2. Advanced Access Control

- Implement multi-factor authentication
- Deploy privileged access management
- Set up jump servers for remote access

#### 3. Compliance and Audit

- Conduct formal security assessment
- Address remaining gaps
- Prepare for external audit

#### 4. Advanced Network Security

- Implement data diodes for one-way communication
- Deploy industrial firewalls at zone boundaries
- Consider zero-trust architecture

### Long-Term Roadmap (6-12 months)

**Month 6:**

- Full IEC 62443 gap assessment
- Penetration testing (test environment)
- Update all documentation

**Month 9:**

- Achieve 90% compliance
- ISASecure certification preparation
- Advanced threat hunting capabilities

**Month 12:**

- External security audit
- Full IEC 62443 compliance
- Mature security operations center (SOC)

---

## Budget Estimates

### Minimal Budget ($5K-$15K)

- Basic firewall: $2K-$5K
- VPN server/licenses: $1K-$3K
- Syslog server (can be free)
- Training (internal)
- Documentation (internal time)

### Recommended Budget ($25K-$50K)

- Industrial firewall: $10K-$20K
- SIEM/Log management: $5K-$10K
- Managed switch with VLANs: $3K-$5K
- Antivirus licenses: $2K-$5K
- Training (external): $3K-$5K
- Consulting support: $2K-$5K

### Full Implementation ($100K+)

- Industrial firewalls (multiple): $30K-$50K
- IDS/IPS for OT: $20K-$40K
- SIEM platform: $20K-$40K
- Network upgrades: $10K-$20K
- Professional services: $20K-$50K
- Training and certification: $5K-$10K

---

## Success Metrics

### Week-by-Week Targets

| Week | Target | Compliance % |
|------|--------|--------------|
| 2 | Assessment complete | 0% |
| 4 | Quick wins done | 40% |
| 6 | Network security | 55% |
| 8 | System hardening | 65% |
| 10 | Monitoring active | 70% |
| 12 | Policies and training | 75% |

### Key Performance Indicators (KPIs)

**Security Posture:**

- % of PLCs with password protection
- % of PLCs with IP ACLs
- Number of security zones
- Firewall rule compliance

**Operational:**

- Mean time to detect (MTTD) incidents
- Mean time to respond (MTTR) incidents
- % of systems with current patches
- Backup success rate

**Compliance:**

- % of IEC 62443 requirements met
- Number of open findings
- Time to remediate findings
- Training completion rate

---

## Common Pitfalls to Avoid
### 1. Not Testing in Lab First

**Problem**: Changes break production

**Solution**: Always test in non-production environment

### 2. Inadequate Communication

**Problem**: Operations surprised by changes

**Solution**: Involve ops team from day 1

### 3. Weak Passwords

**Problem**: Easy to guess or crack

**Solution**: Enforce 8+ chars, complexity, password manager

### 4. No Backup Before Changes

**Problem**: Can't roll back if needed

**Solution**: Back up everything before changes

### 5. Overly Complex Rules

**Problem**: Firewall rules break production

**Solution**: Start simple, iterate

### 6. Ignoring Legacy Systems

**Problem**: Old PLCs can't be secured

**Solution**: Extra network controls around legacy

### 7. Documentation Neglect

**Problem**: Changes not documented

**Solution**: Make documentation part of change process

### 8. Set and Forget

**Problem**: Security degrades over time

**Solution**: Regular reviews and updates

---

## Resource Requirements

### Personnel

**Week 1-4 (Quick Wins):**

- Control engineer: 40 hours
- IT security: 20 hours
- Management: 5 hours

**Week 5-8 (Network Security):**

- Network engineer: 40 hours
- Control engineer: 20 hours
- IT security: 30 hours

**Week 9-12 (Monitoring & Policies):**

- IT security: 40 hours
- Control engineer: 20 hours
- HR/Training: 10 hours
- Management: 10 hours

### Tools and Software

**Essential (Free/Low Cost):**

- [ ] TIA Portal (for PLC configuration)
- [ ] Network mapping tool (e.g., Nmap)
- [ ] Syslog server (e.g., syslog-ng)
- [ ] Password manager
- [ ] Documentation tool (e.g., Markdown)

**Recommended (Paid):**

- [ ] Industrial firewall
- [ ] VPN server
- [ ] SIEM platform
- [ ] Antivirus for OT
- [ ] Network monitoring tool

---

## Appendices

### Appendix A: Critical Controls Quick Reference

**Top 10 Critical Controls (Do These First):**

1. **Enable PLC passwords** - Prevents unauthorized access
2. **Configure IP ACLs** - Limits who can connect
3. **Install firewall** - Separates IT from OT
4. **Change default passwords** - Eliminates easy targets
5. **Create backups** - Enables recovery
6. **Enable logging** - Provides visibility
7. **Disable unused services** - Reduces attack surface
8. **Implement VPN** - Secures remote access
9. **Deploy antivirus** - Protects Windows systems
10. **Train staff** - Human firewall

### Appendix B: Weekly Checklist Template

```markdown
## Weekly Security Checklist

Date: __________
Completed by: __________

### Access Control
- [ ] No new unauthorized users found
- [ ] All remote access via VPN
- [ ] No password violations detected

### Monitoring
- [ ] Reviewed critical alerts
- [ ] Checked firewall logs
- [ ] Verified backup completion

### System Health
- [ ] No unauthorized changes detected
- [ ] Antivirus definitions current
- [ ] System performance normal

### Physical Security
- [ ] Control room access log reviewed
- [ ] No unauthorized access detected
- [ ] Equipment cabinets secured

Notes: __________________________________________
```

### Appendix C: Emergency Contact Card

```
┌─────────────────────────────────────┐
│       CYBERSECURITY INCIDENT        │
│       EMERGENCY CONTACT CARD        │
├─────────────────────────────────────┤
│ INCIDENT COMMANDER:                 │
│ Name: ____________________________  │
│ Phone: ___________________________  │
│                                     │
│ TECHNICAL LEAD:                     │
│ Name: ____________________________  │
│ Phone: ___________________________  │
│                                     │
│ OPERATIONS:                         │
│ Name: ____________________________  │
│ Phone: ___________________________  │
│                                     │
│ VENDOR SUPPORT:                     │
│ Siemens: 1-800-________             │
│ Firewall: ____________________      │
│                                     │
│ EXTERNAL:                           │
│ ICS-CERT: 888-282-0870              │
│ FBI Cyber: ___________________      │
└─────────────────────────────────────┘
```

### Appendix D: Pre-Change Checklist

Before making any security changes:

```
CHANGE: _________________________________
DATE: ___________________________________

PRE-CHANGE:
[ ] Change documented and approved
[ ] Tested in lab/non-production
[ ] Backup created and verified
[ ] Operations notified
[ ] Maintenance window scheduled
[ ] Rollback plan ready
[ ] On-call support arranged

DURING CHANGE:
[ ] Follow documented procedure
[ ] Document any deviations
[ ] Test functionality after each step

POST-CHANGE:
[ ] Verify system functionality
[ ] Update documentation
[ ] Monitor for 24 hours
[ ] Close change ticket

Sign-off:
Engineer: __________ Date: __________
Approver: __________ Date: __________
```

---

**Document Version**: 1.0

**Last Updated**: February 16, 2026

**For Use With**: industrial-network-security-guide.md
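Three checklist items above depend on the same underlying check: "Backup created and verified" in Appendix D, and "Verified backup completion" and "No unauthorized changes detected" in Appendix B, all come back to comparing what is on disk against the baseline backups taken in Week 3-4 (quick win 6, stored in 3 locations). The Python script below is an added example, not part of the roadmap: it hashes a backup set into a manifest stored beside (not inside) the backup, then diffs each of the three copies against that manifest and reports modified, missing and unexpected files. The project files it creates are constructed stand-ins for real PLC program exports, HMI projects and switch configs, written to a temporary directory so the example runs anywhere.

```python
"""Baseline backup manifest and unauthorized-change check.

Added example, not part of the roadmap. Backup contents are constructed
stand-ins; location names follow quick win 6 (network, external drive, off-site).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path) -> str:
    """Stream a file through SHA-256 so large project archives stay out of memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(manifest: dict, root) -> dict:
    """Diff a backup copy (or a live export) against the baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def intact(result: dict) -> bool:
    return not (result["modified"] or result["missing"] or result["unexpected"])


def run_demo() -> dict:
    """Create a baseline, copy it to the three locations, damage two copies, report."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        master = tmp / "baseline-2026-02-16"
        files = {   # constructed contents standing in for real exports
            "plc/PLC-REACTOR-01_program.bin": b"constructed PLC program export",
            "hmi/HMI-CONTROL-01_project.bin": b"constructed HMI project",
            "network/SW-OT-01.cfg": b"! constructed switch config\nvlan 10\n",
        }
        for rel, data in files.items():
            (master / rel).parent.mkdir(parents=True, exist_ok=True)
            (master / rel).write_bytes(data)

        manifest_path = tmp / "baseline-2026-02-16.manifest.json"
        save_manifest(build_manifest(master), manifest_path)   # kept beside, not inside, the backup
        manifest = load_manifest(manifest_path)

        locations = ["network-share", "external-drive", "off-site"]
        for loc in locations:
            shutil.copytree(master, tmp / loc)
        # Simulated problems found on the weekly check: an edited PLC program on the
        # network share and a switch config missing from the external drive.
        (tmp / "network-share" / "plc/PLC-REACTOR-01_program.bin").write_bytes(b"changed logic")
        (tmp / "external-drive" / "network/SW-OT-01.cfg").unlink()

        results = {loc: compare(manifest, tmp / loc) for loc in locations}
        verified = [loc for loc in locations if intact(results[loc])]
        return {"results": results, "verified_copies": verified,
                "three_copies_ok": len(verified) >= 3}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same `compare` call, pointed at a fresh export of the running PLC program instead of a backup copy, is the "No unauthorized changes detected" check: a hash that differs from the baseline with no matching Appendix D change record is the finding to raise. The manifest must live outside the backup tree and under separate write permissions; otherwise whoever can alter a backup can also rewrite the record that would reveal it.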