Industrial Cyber Security Best Practices

Executive Summary

Table of Contents

At Agilicus, we recognise that the convergence of business networks and industrial control systems creates unprecedented hybrid environments. This document is a blueprint for anyone who operates both Information Technology and Operational Technology in a hybrid capacity. It is designed not as a static checklist, but as a strategic guide to govern your ongoing security investments.
The core philosophy underpinning this guide is Defence in Depth. We do not believe any single control point is absolute; every perimeter will eventually face a threat it was not designed to handle. Instead, we architect fallback defences based on the Swiss cheese model. Every defensive layer has inherent flaws: the holes in the cheese, but by stacking multiple, distinct layers, you ensure that a single point of failure does not cascade into a total systemic breach.

Crucially, the practices outlined here are completely orthogonal. They control different risks using entirely different mechanisms. An adversary bypassing a network boundary does not automatically bypass an identity control, meaning an escape of one layer is not an escape of another.
This best practices guide is meant to be paired directly with our Cyber Security Assessment Scorecard as well as industry standards such as NIST SP 800-82r3. While the scorecard measures your current posture and highlights the gaps, this blueprint provides the architectural roadmap to address them. These are not binary tasks to complete once and forget; they are a set of foundational practices that must be continuously improved across the board.
Below we present 5 separate, orthogonal dimensions. Each is a unique vector to invest in reducing your cyber risk and increasing your controls. For each we present some best practice concepts that relate.

Identity & Credentials

Identity is the new air gap. In an environment where network boundaries are increasingly porous, robust authentication is the primary line of defence. This dimension mandates the shift to a zero-trust architecture where identity is unified and heavily verified. It covers the eradication of shared accounts, default vendor passwords, and static credentials. A modern approach dictates that third-party vendors bring their own identity provider, allowing operators to enforce granular, resource-specific authorisation (e.g., read-only access to a specific human-machine interface) without creating new local accounts.

Phishing-Resistant Multi-Factor Authentication

Relying on passwords alone is a proven failure, and legacy authentication methods like short message service codes are easily intercepted by modern threat actors. When administrative access to an infinitely important role relies on weak authentication, the entire perimeter is compromised the moment a credential is stolen. We believe phishing-resistant multi-factor authentication, such as hardware security keys, is an absolute necessity. This ties the digital identity to a physical token, ensuring that stolen passwords cannot be leveraged by a remote attacker, adding a crucial layer of defence in depth.

• Mandate hardware security keys for highly privileged administrative access.
• Disable short message service and email-based authentication methods.
• Require multi-factor authentication for both local and remote access attempts.
• Protect authentication portals from brute-force and credential stuffing attacks.
• Implement session timeouts that require re-authentication for idle sessions.

Unified Identity and Single Sign-On

When operators manage hundreds of separate local accounts across disparate human-machine interfaces, password reuse and credential sprawl become inevitable. This operational friction results in dormant accounts remaining active long after an employee departs, providing a silent vector for exploitation. Unifying identity through a single corporate directory eliminates this risk. Centralised authentication allows for immediate, global revocation of access when personnel change, ensuring that the operational technology environment remains strictly governed by a single source of truth.

• Centralise all human identities within a single corporate directory.
• Disable local accounts on individual programmable logic controllers and human-machine interfaces.
• Federate authentication using modern secure protocols.
• Ensure immediate session revocation when an identity is disabled centrally.
• Enforce unique, centrally managed passwords where single sign-on is technically impossible.

Third-Party and Vendor Access

Creating static, local accounts for third-party vendors typically results in shared passwords and non-expiring access, making it impossible to confidently verify who is actually connecting to your systems. As supply chains become more integrated, managing the lifecycle of these external identities creates immense administrative overhead. Permitting vendors to authenticate using their own native corporate identity provider shifts the burden of credential management back to them. You no longer store their passwords; you simply authorise their verified identity to access specific resources for a limited time.

• Eliminate shared generic accounts.
• Allow contractors to use their own corporate identity provider.
• Implement time-bound access that automatically expires.
• Require vendors to meet device posture checks before authentication.
• Audit vendor access logs against active support tickets or maintenance windows.

Granular Role and Resource Authorisation

Granting broad administrative access simply because an engineer needs to monitor a single process violates the core tenet of least privilege. When users possess more access than required, any compromised account becomes a highly destructive tool in the hands of an attacker. Granular authorisation ensures that roles are mapped tightly to specific tasks and individual devices. By decoupling network access from application access, you ensure that a contractor viewing read-only telemetry cannot inadvertently or maliciously issue a stop command to a programmable logic controller.

• Restrict access on a strict least-privilege basis.
• Map user roles directly to specific applications or individual assets.
• Separate read-only monitoring access from read-write engineering access.
• Prevent users from accessing unrelated resources within the same physical site.
• Require secondary approval for high-risk configuration changes.

Machine-to-Machine Authentication

Static application programming interface keys are often embedded directly into scripts and rarely rotated, acting as immortal passwords for automated systems. If an attacker extracts one of these keys from a compromised server, they gain unfettered, persistent access to internal interfaces. The modern approach requires abandoning static secrets in favour of short-lived tokens and continuous authorisation. By cryptographically binding machine identities to specific hardware and requiring frequent token renewals, the window of opportunity for an attacker to misuse a stolen credential is fundamentally eliminated.

• Rotate service account passwords automatically.
• Replace static application programming interface keys with short-lived tokens.
• Bind machine identities to specific hardware using certificates.
• Enforce mutual transport layer security for system-to-system communication.
• Alert on anomalous service account usage outside of scheduled automation.

System Hardening

Threat actors often “live off the land” by exploiting native administrative utilities to avoid detection. This dimension focuses on the restriction of tools and the rigorous enforcement of configuration baselines on all equipment, from standard servers to programmable logic controllers. It encompasses the application of standardised security frameworks (like National Institute of Standards and Technology guidelines or Centre for Internet Security Benchmarks), the lockdown of scripting environments, and the strict management of firmware updates to ensure unauthorised changes cannot persist.

Administrative Tool Restriction

Modern threat actors prefer to ‘live off the land,’ leveraging native administrative utilities like PowerShell and the command-line interface to execute malicious payloads without triggering traditional antivirus alarms. If standard operators have unfettered access to these powerful tools, the system is primed for exploitation. Locking down scripting environments and enforcing application whitelisting ensures that only explicitly approved executables can run. This defensive layer strips the adversary of the built-in weapons they rely on, forcing them to import external tools that are much easier for security teams to detect.

• Restrict the use of PowerShell to designated administrative service accounts.
• Disable the command-line interface for standard operators.
• Implement application whitelisting to block unauthorised executables.
• Monitor the execution of native Windows Management Instrumentation tools.
• Remove unnecessary software and utilities from industrial control devices.

Configuration Management

Operational technology environments are often manually configured, leading to a slow degradation of security posture known as configuration drift. When systems deviate from their secure baselines, it creates silent vulnerabilities and allows attackers to establish persistence through hidden scheduled tasks or altered startup services. Robust configuration management automates the enforcement of secure settings across all endpoints. By continuously monitoring for drift and immediately alerting on unauthorised changes, you guarantee that the intended defence in depth architecture remains actively enforced over the lifecycle of the equipment.

• Establish secure baselines for all operational technology endpoints.
• Monitor critical assets continuously for configuration drift.
• Track all configuration changes in a centralised change management system.
• Automate the deployment of secure configurations where possible.
• Alert on unauthorised creation of scheduled tasks or background services.

Standardised Security Baselines

Deploying industrial equipment with factory-default configurations is equivalent to installing a high-security door and leaving the factory default combination on the lock. These unhardened systems contain unnecessary services, open ports, and default passwords that are universally known to attackers. Applying rigorous, industry-standard baselines, such as Centre for Internet Security benchmarks, systematically eliminates these vulnerabilities before the equipment enters production. This hardening process establishes a consistent, defensible foundation that significantly narrows the available attack surface for any adversary.

• Apply Centre for Internet Security benchmarks or equivalent to all standard operating systems.
• Implement vendor-provided hardening guidelines for specific industrial control systems.
• Remove default factory configurations and default passwords before deployment.
• Disable unnecessary network services and daemons.
• Conduct periodic reviews of applied baselines against current threat intelligence.

Firmware and Software Integrity

Supply chain attacks have demonstrated that even legitimate software updates can be weaponised if their integrity is not rigorously verified. Installing unverified firmware on a programmable logic controller can introduce deep, persistent backdoors that bypass all external network defences. A rigorous integrity management process ensures that every piece of software is cryptographically signed by a trusted authority before execution. By centrally managing and verifying these updates, organisations ensure that only authentic, unmodified code runs on their critical infrastructure.

• Centralise the management of firmware updates for all network devices.
• Verify cryptographic signatures of all software updates before installation.
• Maintain offline backups of known-good firmware versions.
• Test updates in a staging environment prior to production deployment.
• Enforce a strict change control process for all software modifications.

Immutable Infrastructure Principles

Traditional systems treat data and operating environments as a single, changeable entity, meaning a successful compromise permanently alters the state of the machine. This allows rootkits and malware to embed themselves deeply within the system files. Immutable infrastructure principles decouple the operating system from persistent data, utilising read-only file systems wherever possible. If an unauthorised modification is detected, the system can be instantly reverted or rebuilt from a known-good image, effectively erasing the attacker’s foothold and guaranteeing the absolute integrity of the endpoint.

• Utilise read-only file systems for critical operational technology devices where supported.
• Implement automated mechanisms to revert unauthorised changes instantly.
• Rebuild compromised systems from trusted images rather than attempting manual repair.
• Separate persistent data storage from the underlying operating system.
• Treat configuration as code to ensure consistent, reproducible deployments.

Appendix: Understanding the Purdue Model

If you are tasked with securing an industrial environment, the Purdue Model is the architectural blueprint you must understand before placing a single firewall. You cannot defend what you do not understand structurally.

Origins and Purpose

Developed in the 1990s by Theodore Williams at Purdue University, the framework was originally known as the Purdue Enterprise Reference Architecture. At its inception, it was not a cyber-security framework; it was an organisational model designed to map the flow of data and control in manufacturing. It defined how physical processes, basic control devices, and corporate business systems should logically interact to improve efficiency.

Over time, as Information Technology and Operational Technology began to converge, security practitioners adopted the Purdue Model. It provided the perfect structural map to define where network boundaries should exist. By segmenting the environment into distinct hierarchical levels, engineers could enforce strict access controls, ensuring that a compromised corporate email account could not directly issue commands to a physical pump or valve.

The Hierarchical Levels

The model divides industrial operations into separate zones, typically ranging from the physical process up to the corporate enterprise:

• Level 0 (The Physical Process): The actual physical equipment doing the work, such as motors, pumps, valves, and sensors.
• Level 1 (Basic Control): The devices that sense and manipulate the physical process, such as programmable logic controllers and remote terminal units.
• Level 2 (Supervisory Control): The systems used by operators to monitor the plant floor, including human-machine interfaces and Supervisory Control and Data Acquisition software.
• Level 3 (Site Operations): Systems that manage production across the facility, such as manufacturing execution systems or historian databases.
• Demilitarised Zone: The critical buffer zone inserted between the industrial network and the corporate network to broker shared services and prevent direct network routing.
• Levels 4 and 5 (Corporate Information Technology): The enterprise network where business functions, email, and corporate servers reside, eventually connecting to the external internet.

Foundation for Industry Standards

Because it elegantly defines the boundaries between different types of systems, the Purdue Model serves as the structural baseline for the world’s most critical industrial cyber-security standards. 

The International Society of Automation (ISA-99) and the International Electrotechnical Commission 62443 standards use the Purdue Model concepts to define “zones” and “conduits.” These standards mandate that systems with similar security requirements be grouped into a secure zone, and that communication between zones only occurs through tightly controlled, heavily inspected conduits.

Similarly, the National Institute of Standards and Technology relies heavily on the Purdue Model. In their guidelines for securing industrial control systems, they use the framework to illustrate how defence in depth should be practically applied. When auditors or regulators assess an industrial facility, they invariably look for adherence to this layered, segmented architecture.

Authoritative References

For a deeper understanding of how the Purdue Model is applied to secure critical infrastructure, consult the following authoritative sources:

• United States Department of Energy: Infrastructure Topic Paper on Industrial Control Systems Security. Provides a strategic overview of securing energy infrastructure based on segmented architectures.
• National Institute of Standards and Technology: Special Publication 800-82, Revision 3. The definitive guide to securing industrial control systems, which relies heavily on the zone and conduit models to restrict lateral movement.
• SANS Institute: Introduction to Industrial Control Systems Security. A practical breakdown of how security professionals map defensive strategies to the hierarchical Purdue levels.
• NERC CIP (Critical Infrastructure Protection)

Appendix: Defence in Depth and the Swiss Cheese Model

The Philosophy of Inevitable Failure

Defence in depth is not merely a technical architecture; it is a philosophy built on the acknowledgement of inevitable failure. Historically, organisations relied on a single, hardened perimeter: a supposedly impenetrable air gap or a massive perimeter firewall. This approach is fundamentally brittle. A single layer of defence with a single strategy means that once a threat actor finds a vulnerability, they achieve total compromise. True defence in depth requires deploying multiple, overlapping defensive measures so that if one mechanism fails, another stands in its way.

Uncorrelated Tactics and the Swiss Cheese Model

The core mechanism of effective defence in depth is best illustrated by the Swiss Cheese model of risk and security. Imagine each layer of your security architecture as a slice of Swiss cheese. Every layer has inherent flaws, misconfigurations, or operational blind spots: these are the holes in the cheese. 

If your defensive layers rely on the exact same strategy (for example, stacking three firewalls from the same vendor), the holes in the cheese perfectly align. A single exploit will pierce straight through. Therefore, it is critical that defensive tactics are uncorrelated and orthogonal. By combining entirely different control mechanisms: such as physical separation, application-layer identity verification, and deep packet inspection, you ensure the holes do not align. An adversary who bypasses a network control using a zero-day exploit will still be halted by an uncorrelated identity control requiring a hardware token.

Zero Trust as a Key Component

Zero Trust architecture is the modern catalyst for effective defence in depth. While legacy models assumed that anything inside the corporate network was trustworthy, Zero Trust operates on the assumption that the network is already compromised. It acts as a continuous, ubiquitous layer of verification that does not rely on physical network boundaries. By requiring explicit, continuous authorisation for every user, device, and application, regardless of location, Zero Trust provides an entirely uncorrelated layer of defence that complements traditional boundary controls perfectly.

Key Activities and Posture Assessment

Implementing and assessing defence in depth requires continuous operational discipline rather than a one-time installation. Key activities include:

• Comprehensive Asset Discovery: You cannot layer defences around assets you do not know exist.
• Threat Modelling: Identifying specific threat vectors to ensure diverse controls are applied where they are most needed.
• Layered Control Implementation: Deploying a mix of administrative policies, physical security controls, and technical safeguards.

To assess your defence in depth posture, organisations must abandon self-attestation in favour of rigorous, objective measurement. This involves conducting continuous vulnerability assessments, executing regular penetration tests that specifically attempt to chain exploits across different layers, and using structured frameworks such as Agilicus’ Cyber Security Assessment Scorecard to identify where defensive layers are dangerously correlated or missing entirely.

Authoritative References

For further reading on the foundational principles of layered security, consult these authoritative sources:

• National Institute of Standards and Technology: Measuring and Improving the Effectiveness of Defense-in-Depth Postures. A comprehensive analysis of how to objectively assess overlapping security controls. (https://www.nist.gov/publications/measuring-and-improving-effectiveness-defense-depth-postures)
• National Institute of Standards and Technology Glossary: Defense in Depth. The definitive technical definition of layered security. (https://csrc.nist.gov/glossary/term/defense_in_depth)
• Canadian Nuclear Safety Commission: Defence in Depth. A practical look at how the philosophy of layered safety and security is applied in the most critical of physical environments, nuclear power generation. (https://www.cnsc-ccsn.gc.ca/eng/reactors/power-plants/defence-in-depth/)
• Wikipedia: Defence in Depth. An overview of how the military strategy was adapted into information systems security. (https://en.wikipedia.org/wiki/Defence_in_depth)
• NIST Special Publication NIST SP 800-82r3 Guide to Operational Technology (OT) Security https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
• TSA Security Directive Pipeline-2021-02C (SD02C)

Appendix: Frequently Asked Questions