# Halting Lateral Movement in Operational Technology

Industrial Cybersecurity Best Practices

- [Assessing Your Industrial Cyber Security Posture](/assessing-your-industrial-cyber-security-posture/)
- [Boundary Defence: The First Layer of Industrial Cyber Security](https://www.agilicus.com/boundary-defence-the-first-layer-of-industrial-cyber-security/)
- [Identity and Credentials: The New Air Gap](https://www.agilicus.com/identity-and-credentials-the-new-air-gap/)
- [Halting Lateral Movement in Operational Technology](/halting-lateral-movement-in-operational-technology)
- [System Hardening: Fortifying Industrial Infrastructure](/system-hardening-fortifying-industrial-infrastructure)
- [Visibility and Detection: Illuminating the Industrial Network](/visibility-and-detection-illuminating-the-industrial-network)
- A Pragmatic Blueprint for Industrial Cyber Security

[Download the Best Practices Guide](/white-papers/industrial-cyber-security-best-practices/)

[Take the Cybersecurity Assessment](/l/industrial-cyber-security-best-practices-scorecard/)

Welcome to the fourth post in our series on industrial cyber security best practices. We have covered [Boundary Defence](https://www.agilicus.com/boundary-defence-the-first-layer-of-industrial-cyber-security/) and [Identity and Credentials](https://www.agilicus.com/identity-and-credentials-the-new-air-gap/). Today, we examine the third orthogonal dimension: Lateral Movement.

If an attacker breaches the perimeter and steals a credential, their immediate next step is to navigate the internal network. Lateral movement is the process by which an adversary expands their foothold, moving from a compromised, low-value asset to critical control systems. This dimension addresses how easily a threat actor can move once inside. Defence in depth here means ensuring that even authenticated sessions are contained, preventing broad network discovery and system-wide compromise.

### Network Micro-Segmentation

A flat internal network operates under the flawed assumption that everything inside the perimeter is trusted. Once an adversary bypasses the external firewall, this lack of internal friction allows them to move laterally with absolute impunity. They can discover and compromise critical assets without raising alarms.

Micro-segmentation divides the operational technology environment into tightly controlled functional zones. By enforcing strict rules that govern which devices can communicate with one another, you ensure that a compromised engineering workstation cannot freely connect to unrelated process controllers. This approach contains the blast radius of a breach. Divide the network by functional process areas and implement host-based firewalls on all engineering workstations.

### Legacy Protocol Eradication

Legacy administrative protocols like the Remote Desktop Protocol and Windows Admin Shares were designed for convenience, not security. Today, they are the primary mechanisms attackers use to navigate internal networks. Leaving these protocols enabled by default provides built-in highways for adversaries to deploy ransomware across the entire industrial control system.

Eradicating or heavily brokering these protocols removes the native tools attackers rely on to live off the land. This significantly elevates the difficulty of lateral movement, forcing the attacker to generate noisy, detectable traffic. Disable Remote Desktop Protocol internally unless explicitly required and brokered, and block the use of cleartext protocols like Telnet.

### Application-Layer Brokering

When users authenticate to a traditional gateway, they are typically granted access to a full subnet. This allows their machine to ping and map the surrounding network architecture. This broad visibility is an intelligence goldmine for threat actors conducting reconnaissance.

Application-layer brokering fundamentally alters this dynamic. Connections are established only to the specific service requested, never dropping the user directly onto the network itself. Because the network topology remains hidden from the endpoint, an attacker who compromises a remote machine cannot scan the operational technology environment. The network simply does not exist from their perspective.

### Least Privilege Routing

In many environments, routing tables are overly permissive, allowing any device to communicate with any other device across different subnets. This means a compromised printer could theoretically initiate a connection to a human-machine interface. This is an unacceptable architectural flaw.

Implementing least privilege routing ensures that network paths only exist where there is a documented operational necessity. By configuring switches and routers to drop all traffic that does not match an explicit allow rule, you severely restrict the pathways an attacker can use to traverse the environment.
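The micro-segmentation, legacy protocol and least privilege routing sections above all reduce to one rule: a path exists only where an explicit allow rule documents it. The following added example (not code from this post or from Agilicus) turns that rule into a small default-deny zone policy and audits a constructed flow log against it, so that a printer reaching an HMI, unbrokered RDP into an engineering workstation, or Telnet to a controller shows up as a finding. Zone addressing, the allow list and the log format are all assumptions made for the example; the Modbus/TCP, EtherNet/IP, RDP and Telnet port numbers are the standard ones.

```python
from ipaddress import ip_address, ip_network

ZONES = {  # functional process areas (constructed addressing)
    "corporate": ip_network("10.1.0.0/16"),
    "printers": ip_network("10.5.0.0/24"),
    "broker": ip_network("10.40.0.0/24"),       # application-layer broker
    "engineering": ip_network("10.10.0.0/24"),  # engineering workstations (EWS)
    "control": ip_network("10.20.0.0/24"),      # PLCs and HMIs
}
# Explicit allow rules (source zone, destination zone, TCP port). Every
# path not listed here is dropped: the least privilege routing default.
ALLOW = {
    ("engineering", "control", 502),    # Modbus/TCP from EWS to PLCs
    ("engineering", "control", 44818),  # EtherNet/IP from EWS to PLCs
    ("broker", "engineering", 3389),    # RDP reaches an EWS only via the broker
}
CLEARTEXT = {23: "telnet", 21: "ftp"}  # blocked even if a rule named them

def zone_of(addr: str):
    ip = ip_address(addr)  # zone name, or None if the address is in no zone
    return next((z for z, net in ZONES.items() if ip in net), None)

def evaluate(src: str, dst: str, dport: int):
    """Return (allowed, reason) for one connection attempt."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, "unknown zone"
    if dport in CLEARTEXT:
        return False, f"cleartext {CLEARTEXT[dport]} is never allowed"
    if (src_zone, dst_zone, dport) in ALLOW:
        return True, f"explicit allow {src_zone}->{dst_zone}:{dport}"
    return False, f"default deny {src_zone}->{dst_zone}:{dport}"

def audit(lines):
    """Observed flows the policy denies: paths that should not exist."""
    findings = []
    for line in lines:  # constructed format: "<time> <src> <dst> tcp <dport>"
        _ts, src, dst, _proto, dport = line.split()
        allowed, reason = evaluate(src, dst, int(dport))
        if not allowed:
            findings.append(f"{src}->{dst}:{dport} {reason}")
    return findings

SAMPLE_LOG = [  # constructed flow records
    "2024-05-01T10:00:01 10.10.0.5 10.20.0.15 tcp 502",  # EWS -> PLC
    "2024-05-01T10:00:02 10.5.0.7 10.20.0.20 tcp 502",   # printer -> HMI
    "2024-05-01T10:00:03 10.1.3.9 10.10.0.5 tcp 3389",   # corporate RDP to EWS
    "2024-05-01T10:00:04 10.40.0.2 10.10.0.5 tcp 3389",  # brokered RDP
    "2024-05-01T10:00:05 10.10.0.5 10.20.0.15 tcp 23",   # telnet to PLC
]
```

Running `audit(SAMPLE_LOG)` on the constructed records reports three findings (the printer, the unbrokered RDP and the Telnet flow); each one is a path the switches, routers or host firewalls should already have dropped.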

### Securing Engineering Workstations

Engineering workstations hold the keys to the kingdom. They run the software used to program and configure the programmable logic controllers that dictate physical processes. If an attacker compromises one of these workstations, they effectively own the plant floor.

These workstations must be treated as highly privileged assets, isolated from generic corporate email and web browsing. By restricting lateral movement to and from these critical machines, you ensure that a phishing email opened on a corporate laptop cannot be used as a stepping stone to alter industrial processes.

Halting lateral movement ensures that a minor breach remains a minor breach. We encourage you to evaluate your internal network controls by taking our Cyber Security Assessment and downloading the companion best practices guide. Next up, we will discuss the fourth dimension: System Hardening.
