
14.3 Practical Hardening

The previous chapter defined the IEC 62443 security levels and the zone/conduit model. This chapter translates those requirements into concrete actions: what to configure, in what order, and why.

A factory-fresh Hirschmann switch has HTTP enabled, Telnet enabled, SNMPv1/v2c enabled, and a default password. Every one of these defaults is an attack vector. Hardening closes these vectors before the switch enters production.

Each hardening step has a specific security rationale. Understanding the “why” keeps engineers from reverting changes when the changes seem inconvenient.

| Action | HiOS Path | Rationale |
|---|---|---|
| Disable HTTP | Basic Settings → Network → HTTP → Off | HTTP transmits credentials in plaintext. An attacker on the network captures the admin password with a packet sniffer. |
| Enable HTTPS | Basic Settings → Network → HTTPS → On | HTTPS encrypts the management session with TLS. Credentials and configuration data are encrypted in transit. |
| Disable Telnet | Basic Settings → Network → Telnet → Off | Telnet transmits every keystroke in plaintext, including passwords and configuration commands. |
| Enable SSH | Basic Settings → Network → SSH → On | SSH encrypts the CLI session. Use SSH key authentication for additional security. |
| Disable SNMPv1/v2c | Security → SNMP → v1: Off, v2c: Off | SNMPv1/v2c transmit the community string in plaintext. An attacker captures the string and gains read/write access to every OID. |
| Enable SNMPv3 | Security → SNMP → v3: On | SNMPv3 supports SHA-256 authentication and AES-128 encryption. Configure unique credentials per user. |

Navigate to Security → User Management → Password Policy and configure:

  • Minimum length: 12 characters
  • Require uppercase, lowercase, digits, and special characters
  • Maximum age: 90 days
  • Account lockout after 5 unsuccessful attempts
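The following script is an added example, not part of this chapter or of Hirschmann's HiOS tooling. It turns the management-service table and the password policy above into checks that can be run against a configuration export: each service state is compared with the hardened target and reported with its rationale, candidate passwords are tested against the four policy rules, and a small tracker enforces the five-attempt lockout. The dictionary keys (`http`, `snmp_v2c`, and so on) are assumed, vendor-neutral names chosen for the example, and the configuration used in the demo is constructed, not read from a real switch.

```python
import re

# Hardened target state for each management service, mirroring the rows of the
# table above. Keys are assumed vendor-neutral names, not HiOS's own config format.
HARDENED_STATE = {
    "http": False, "https": True,
    "telnet": False, "ssh": True,
    "snmp_v1": False, "snmp_v2c": False, "snmp_v3": True,
}

# Why each deviation matters, so a report carries the rationale the chapter asks for.
RATIONALE = {
    "http": "HTTP sends the admin password in plaintext; disable it and use HTTPS",
    "https": "HTTPS is off: the management session is not TLS-protected",
    "telnet": "Telnet sends every keystroke, including passwords, in plaintext",
    "ssh": "SSH is off: there is no encrypted CLI access",
    "snmp_v1": "SNMPv1 sends the community string in plaintext",
    "snmp_v2c": "SNMPv2c sends the community string in plaintext",
    "snmp_v3": "SNMPv3 is off: no authenticated, encrypted SNMP is available",
}

# Password policy values from the list above.
PASSWORD_MIN_LENGTH = 12
PASSWORD_MAX_AGE_DAYS = 90
LOCKOUT_THRESHOLD = 5


def audit_services(config: dict) -> list:
    """Return one finding per service whose state differs from the hardened state.
    A service missing from the export is treated as still at its insecure default."""
    findings = []
    for service, wanted in HARDENED_STATE.items():
        actual = config.get(service, not wanted)
        if actual != wanted:
            findings.append(f"{service}: {RATIONALE[service]}")
    return findings


def check_password(candidate: str) -> list:
    """Return the policy rules the candidate violates; an empty list means compliant."""
    rules = [
        (len(candidate) >= PASSWORD_MIN_LENGTH, f"at least {PASSWORD_MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", candidate), "an uppercase letter"),
        (re.search(r"[a-z]", candidate), "a lowercase letter"),
        (re.search(r"[0-9]", candidate), "a digit"),
        (re.search(r"[^A-Za-z0-9]", candidate), "a special character"),
    ]
    return [f"missing {name}" for ok, name in rules if not ok]


def password_expired(age_days: int) -> bool:
    """True once a password is older than the maximum age."""
    return age_days > PASSWORD_MAX_AGE_DAYS


class LockoutTracker:
    """Count consecutive failed logins per account and lock at the threshold."""

    def __init__(self):
        self.failures = {}

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= LOCKOUT_THRESHOLD

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record one login attempt; return True if the account is (still) locked."""
        if self.is_locked(user):          # a locked account stays locked until reset
            return True
        if success:
            self.failures[user] = 0       # a successful login clears the counter
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)


if __name__ == "__main__":
    # Constructed export of a factory-fresh switch: every default is still on.
    factory_fresh = {"http": True, "https": False, "telnet": True, "ssh": True,
                     "snmp_v1": True, "snmp_v2c": True, "snmp_v3": False}
    for finding in audit_services(factory_fresh):
        print("FINDING:", finding)
    print(check_password("password"))
    print(check_password("Hirschmann!2024"))
```

A missing key is deliberately reported as a finding rather than skipped: an export that says nothing about Telnet is far more likely to come from a switch still running it than from one where it was removed.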

To restrict management access to the management VLAN, navigate to Security → Management Access → VLAN: 50. This setting blocks devices on production VLANs from reaching the switch management interface.

To disable unused ports, navigate to Basic Settings → Port → Admin State: Off. Assign unused ports to VLAN 4094 (black hole VLAN). This configuration blocks an attacker from plugging into an unused port and gaining network access.

To configure syslog, navigate to Basic Settings → Diagnostics → Syslog and set the destination to a central server. Set severity to Informational. Configure SNMP trap destinations for link up/down, authentication failure, and MRP topology change events.

802.1X is a port-based NAC (Network Access Control) standard. 802.1X blocks unauthorized devices from accessing the network by requiring authentication before the switch port forwards any traffic.

Three roles participate in 802.1X authentication:

  1. Supplicant: the device requesting access (laptop, HMI, IP phone)
  2. Authenticator: the switch port that controls access
  3. Authentication server: a RADIUS (Remote Authentication Dial-In User Service) server that validates credentials

Until the supplicant authenticates, the switch port blocks traffic except EAP (Extensible Authentication Protocol) frames. After successful authentication, the RADIUS server assigns the port to a specific VLAN based on the user role.

| Method | Credentials | Certificate Required | Use Case |
|---|---|---|---|
| EAP-TLS | Client certificate | Yes (client + server) | Highest security, managed devices |
| EAP-PEAP | Username/password | Server certificate only | Laptops, workstations |
| EAP-MD5 | Username/password | None | Legacy, not recommended |
| MAB (MAC Auth Bypass) | MAC address | None | Devices without 802.1X support (PLCs, printers) |

Many OT devices (PLCs, drives, I/O modules) do not support 802.1X. For these devices, use MAB (MAC Authentication Bypass): the switch sends the device MAC address to the RADIUS server, and the RADIUS server checks the address against a whitelist. MAB is weaker than 802.1X (MAC addresses are spoofable) but adds a layer of access control for devices that do not authenticate.

On Hirschmann HiOS, configure 802.1X at Security → 802.1X → Port Configuration. Set engineering workstation ports to 802.1X (EAP-PEAP). Set PLC ports to MAB with a static VLAN assignment.
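The script below is an added example, not code from this chapter, from HiOS or from any RADIUS server. It models the decision described in the last three paragraphs: a port in 802.1X mode accepts a username/password pair and receives a VLAN from the user record, a port in MAB mode accepts only a MAC address found on the whitelist and receives that device's static VLAN, and until a port is authorized only EAPOL frames (EtherType 0x888E) pass. The port table, the user record, the whitelist and the MAC addresses are constructed for the example; real RADIUS servers store a password hash (an NT hash for MSCHAPv2 inside PEAP) rather than the plaintext used here.

```python
import hmac

# Constructed per-port mode table (assumed names; not the HiOS configuration schema).
PORT_MODE = {"1/1": "dot1x", "1/2": "dot1x", "1/5": "mab", "1/6": "mab"}
EAPOL_ETHERTYPE = 0x888E

# EAP-PEAP users: username -> (password, VLAN assigned on success).
# Kept as plaintext only for the example; a real server stores a hash.
USERS = {"eng_alice": ("Eng!neer2024xyz", 30)}

# MAB whitelist: MAC -> static VLAN. MAB trusts the MAC, which any host can spoof, so
# these devices belong in the restricted PLC VLAN, never the engineering VLAN.
MAB_WHITELIST = {"00:80:63:aa:bb:01": 20, "00:80:63:aa:bb:02": 20}


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff (the forms
    different switches put in the RADIUS request) and return lower-case colon form."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(port: str, identity: str, secret: str = None) -> dict:
    """Model the RADIUS decision for one port: accept with a VLAN, or reject."""
    mode = PORT_MODE.get(port)
    if mode == "dot1x":
        stored = USERS.get(identity)
        if stored and secret is not None and \
                hmac.compare_digest(stored[0].encode(), secret.encode()):
            return {"decision": "accept", "vlan": stored[1], "method": "EAP-PEAP"}
        return {"decision": "reject", "vlan": None, "method": "EAP-PEAP"}
    if mode == "mab":
        try:
            mac = normalize_mac(identity)
        except ValueError:
            return {"decision": "reject", "vlan": None, "method": "MAB"}
        vlan = MAB_WHITELIST.get(mac)
        if vlan is None:
            return {"decision": "reject", "vlan": None, "method": "MAB"}
        return {"decision": "accept", "vlan": vlan, "method": "MAB"}
    # Unknown or unconfigured port: fail closed.
    return {"decision": "reject", "vlan": None, "method": None}


def port_forwards(authorized: bool, ethertype: int) -> bool:
    """Before authentication only EAPOL passes; after it, all traffic does."""
    return authorized or ethertype == EAPOL_ETHERTYPE


if __name__ == "__main__":
    print(authorize("1/1", "eng_alice", "Eng!neer2024xyz"))   # engineering workstation
    print(authorize("1/5", "0080.63AA.BB01"))                  # PLC, MAB
    print(authorize("1/5", "00-80-63-AA-BB-99"))               # unknown MAC, rejected
    print(port_forwards(False, 0x0800), port_forwards(False, EAPOL_ETHERTYPE))
```

The MAC normalisation step matters in practice: switches send the address in the RADIUS User-Name in different formats, and a whitelist entry that does not match the switch's format silently rejects a legitimate PLC.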

Beyond VLAN configuration, additional switch features harden the segmentation.

Assign unused ports to VLAN 4094 with no IP interface, no routing, and no DHCP. A device plugged into an unused port receives no IP address, no gateway, and no connectivity.

BPDU Guard disables a port when the port receives a BPDU (Bridge Protocol Data Unit), a spanning tree frame. Access ports connected to end devices (PCs, PLCs) never send BPDUs, so a BPDU arriving on an access port means either that someone connected a switch or that a device is attempting an STP manipulation attack. BPDU Guard shuts the port down immediately.

On HiOS: Switching → Spanning Tree → BPDU Guard → Enable on access ports.

Root Guard blocks a port from becoming the root port. If a switch connected to a root-guard-enabled port advertises a superior BPDU (claiming to be the root bridge), then the port enters a “root-inconsistent” state and stops forwarding. Root Guard blocks an attacker from inserting a switch with a low bridge priority and becoming the root bridge. Becoming the root bridge redirects traffic through the attacker switch.

On HiOS: Switching → Spanning Tree → Root Guard → Enable on ports facing downstream switches.

Ingress filtering drops frames with VLAN tags that do not match the port VLAN membership. Without ingress filtering, a device on VLAN 10 can send a frame tagged for VLAN 20 and the switch forwards it. With ingress filtering enabled, the switch drops the frame because VLAN 20 is not in the port membership list.

On HiOS: Switching → VLAN → Ingress Filtering → Enable on all ports. Ingress filtering blocks VLAN hopping via single-tagged frames on access ports.
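The following is an added example, not code from this chapter or from HiOS; it shows the three port protections above (BPDU Guard, Root Guard, ingress filtering) as one ingress decision over raw Ethernet frames so their behaviour can be checked offline. The frame builder and the minimal Configuration BPDU are constructed for the example, the port and switch structures are assumed simplifications (no STP state machine is modelled beyond the guard decisions), and the MAC addresses and bridge priorities are made up. The root comparison relies on the fact that a bridge ID is 2 bytes of priority followed by the 6-byte MAC, so a plain byte-wise comparison finds the "superior" (lower) ID.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00, destination of all BPDUs
ETHERTYPE_8021Q = 0x8100


@dataclass
class Port:
    name: str
    pvid: int                   # VLAN assigned to untagged frames
    members: set                # VLANs this port is a member of
    ingress_filtering: bool = True
    bpdu_guard: bool = False    # enable on access ports facing end devices
    root_guard: bool = False    # enable on ports facing downstream switches
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent


@dataclass
class Switch:
    root_id: bytes              # current root bridge ID: 2-byte priority + 6-byte MAC
    log: list = field(default_factory=list)


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None,
                type_or_len: int = 0x0800) -> bytes:
    """Build an Ethernet frame, optionally 802.1Q-tagged (constructed test input)."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", type_or_len) + payload


def build_config_bpdu(root_priority: int, root_mac: bytes) -> bytes:
    """LLC header plus a minimal STP Configuration BPDU claiming the given root."""
    root_id = struct.pack("!H", root_priority) + root_mac
    # LLC (DSAP/SSAP 0x42, UI), protocol id 0, version 0, type 0 (config), flags 0
    header = bytes([0x42, 0x42, 0x03]) + struct.pack("!HBBB", 0, 0, 0, 0)
    # port id, message age, max age, hello, forward delay (1/256 s units)
    timers = struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return header + root_id + struct.pack("!I", 0) + root_id + timers


def parse_frame(frame: bytes):
    """Split a frame into (dst, src, vid or None, payload after the header)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]


def is_bpdu(dst: bytes, payload: bytes) -> bool:
    return dst == STP_MULTICAST and payload[:2] == b"\x42\x42"


def ingress(switch: Switch, port: Port, frame: bytes):
    """Return ("forward", vid), ("stp", None) or ("drop", None) and log the reason."""
    if port.state != "forwarding":
        switch.log.append(f"{port.name}: dropped, port is {port.state}")
        return ("drop", None)
    dst, src, vid, payload = parse_frame(frame)
    if is_bpdu(dst, payload):
        if port.bpdu_guard:                       # end devices never send BPDUs
            port.state = "err-disabled"
            switch.log.append(f"{port.name}: BPDU Guard: BPDU from {src.hex(':')}, err-disabled")
            return ("drop", None)
        if port.root_guard and payload[8:16] < switch.root_id:   # superior root claim
            port.state = "root-inconsistent"
            switch.log.append(f"{port.name}: Root Guard: superior BPDU, root-inconsistent")
            return ("drop", None)
        return ("stp", None)                      # ordinary BPDU, handed to STP
    if vid is None:
        return ("forward", port.pvid)
    if port.ingress_filtering and vid not in port.members:
        switch.log.append(f"{port.name}: ingress filtering dropped frame tagged VLAN {vid}")
        return ("drop", None)
    return ("forward", vid)


if __name__ == "__main__":
    sw = Switch(root_id=struct.pack("!H", 4096) + bytes.fromhex("008063000001"))
    access = Port("1/3", pvid=10, members={10}, bpdu_guard=True)
    rogue = bytes.fromhex("001122334455")          # constructed unauthorised switch
    bpdu = build_config_bpdu(0, rogue)
    print(ingress(sw, access, build_frame(STP_MULTICAST, rogue, bpdu, type_or_len=len(bpdu))))
    print(sw.log)
```

Note the order of the checks: a port that BPDU Guard has already disabled drops everything, including later BPDUs, until an administrator re-enables it, which is exactly the behaviour an engineer sees on the real switch when a rogue switch is plugged into an access port.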

PLCs have limited security features. Focus on the controls that are available:

| Action | Rationale |
|---|---|
| Change default passwords | Default passwords are published in vendor documentation |
| Disable unused communication ports | Reduces the attack surface |
| Enable write protection (hardware key or software) | Blocks unauthorized program changes |
| Restrict programming access to specific IPs | Only the engineering workstation modifies the program |
| Disable the built-in web server when not needed | Removes an unnecessary network service |
| Enable CPU access protection (Siemens: protection level 3) | Requires a password for read/write access |

Collect syslog from switches and centralize the logs in a SIEM (Security Information and Event Management) system. Monitor SNMP traps for link up/down, MRP topology changes, and authentication failures. Baseline normal traffic so anomalies stand out. Deploy OT-specific IDS tools (Claroty, Dragos, Nozomi Networks) that passively monitor OT traffic. Alert on any new MAC address appearing on the network.
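The script below is an added example, not part of this chapter or of any vendor's tooling, for the last two recommendations above: baseline the learned MAC addresses and alert when a new one appears or a known one moves to another port. The table format ("vlan mac port", one entry per line) and the addresses in both snapshots are constructed for the example; adapt the regular expression to whatever your switch or SIEM export actually produces.

```python
import re
from collections import namedtuple

MacEntry = namedtuple("MacEntry", "vlan mac port")

# One learned address per line: "<vlan> <mac> <port>". Constructed format for the
# example; the MAC may use ":" or "-" separators.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?:[:\-][0-9A-Fa-f]{2}){5})\s+(\S+)\s*$"
)

# Constructed baseline captured during commissioning.
BASELINE_TEXT = """
20  00:80:63:aa:bb:01  1/5
20  00:80:63:aa:bb:02  1/6
30  00:1c:06:12:34:56  1/1
"""

# Constructed later snapshot: one PLC moved to another port, one unknown host appeared.
CURRENT_TEXT = """
20  00:80:63:aa:bb:01  1/5
20  00:80:63:aa:bb:02  1/7
30  00:1c:06:12:34:56  1/1
30  3c:52:82:de:ad:01  1/2
"""


def parse_mac_table(text: str) -> dict:
    """Parse a MAC table dump into {mac: MacEntry}; lines that do not match are ignored."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac = m.group(2).lower().replace("-", ":")     # normalise so formats compare equal
        table[mac] = MacEntry(int(m.group(1)), mac, m.group(3))
    return table


def compare_tables(baseline: dict, current: dict) -> list:
    """Return (severity, mac, message) for every deviation from the baseline."""
    alerts = []
    for mac, entry in current.items():
        known = baseline.get(mac)
        if known is None:
            alerts.append(("high", mac, f"new MAC on port {entry.port} VLAN {entry.vlan}"))
        elif known.port != entry.port:
            alerts.append(("medium", mac, f"moved from port {known.port} to {entry.port}"))
        elif known.vlan != entry.vlan:
            alerts.append(("medium", mac, f"VLAN changed {known.vlan} -> {entry.vlan}"))
    for mac, known in baseline.items():
        if mac not in current:                       # aged out or unplugged: worth a note
            alerts.append(("info", mac, f"no longer seen on port {known.port}"))
    return alerts


if __name__ == "__main__":
    baseline = parse_mac_table(BASELINE_TEXT)
    for severity, mac, message in compare_tables(baseline, parse_mac_table(CURRENT_TEXT)):
        print(f"[{severity:6s}] {mac}  {message}")
```

A port move is reported separately from a new address because in an OT network the cabling is static: a PLC that "moves" from port 1/6 to 1/7 is either a maintenance change that should match a change ticket, or a spoofed MAC on a different port.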

Inventory software and firmware versions. Subscribe to vendor security advisories (Siemens ProductCERT, Hirschmann security advisories). Test patches in a lab before deploying to production. Schedule patches during planned maintenance windows. When a system does not accept patches, compensate with network controls (firewall, VLAN isolation, monitoring).

The following script connects to Hirschmann switches via SNMP and checks key hardening indicators: system name (is the name configured?), SNMP version, and uptime. Extend the script with additional OID checks for a complete compliance report.

```python
from pysnmp.error import PySnmpError
from pysnmp.hlapi import (
    getCmd, SnmpEngine, CommunityData, UdpTransportTarget,
    ContextData, ObjectType, ObjectIdentity
)


def snmp_get(host: str, community: str, oid: str) -> str:
    """Read one OID over SNMPv2c; return the value, or an 'ERROR: ...' string
    when the switch does not answer (timeout) or returns an SNMP error."""
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=1),   # mpModel=1 selects SNMPv2c
        UdpTransportTarget((host, 161), timeout=2, retries=1),
        ContextData(),
        ObjectType(ObjectIdentity(oid))
    )
    try:
        err_ind, err_stat, _, var_binds = next(iterator)
    except PySnmpError as exc:                 # e.g. unresolvable host address
        return f"ERROR: {exc}"
    if err_ind or err_stat:                    # timeout or SNMP error status
        return f"ERROR: {err_ind or err_stat}"
    return str(var_binds[0][1])


SWITCHES = ["192.168.50.1", "192.168.50.2", "192.168.50.3"]
COMMUNITY = "public"   # If this works, SNMPv2c is still enabled (finding!)

if __name__ == "__main__":
    print(f"{'Host':20s} {'sysName':20s} {'sysDescr':40s} {'Uptime':15s} {'SNMPv2c'}")
    print("-" * 100)
    for host in SWITCHES:
        name = snmp_get(host, COMMUNITY, "1.3.6.1.2.1.1.5.0")        # sysName
        descr = snmp_get(host, COMMUNITY, "1.3.6.1.2.1.1.1.0")[:40]  # sysDescr
        uptime = snmp_get(host, COMMUNITY, "1.3.6.1.2.1.1.3.0")      # sysUpTime
        # Any successful read with the v2c community string is itself the finding.
        snmpv2_status = "ENABLED (finding!)" if "ERROR" not in name else "disabled"
        print(f"{host:20s} {name:20s} {descr:40s} {uptime:15s} {snmpv2_status}")
```

If the script successfully reads data using an SNMPv2c community string, then that switch still has SNMPv2c enabled. SNMPv2c being enabled is a hardening finding. A fully hardened switch rejects SNMPv2c queries and requires SNMPv3 authentication.

Every default is an attack vector

HTTP, Telnet, SNMPv1/v2c, and default passwords are enabled on a factory-fresh switch. Disable these defaults before the switch enters production.

802.1X controls port access

Use 802.1X for devices that support 802.1X and MAB for devices that do not. RADIUS centralizes authentication and VLAN assignment.

BPDU Guard and Root Guard help protect STP

BPDU Guard shuts down access ports that receive BPDUs. Root Guard blocks unauthorized root bridge elections.

Parts 1 through 4 covered networking foundations, industrial protocols, and security. Part 5 shifts to operations: keeping a network running day-to-day through documentation, change management, monitoring, and disaster recovery. The next chapter covers network operations.

  • NIST SP 800-82 Rev. 3 — Guide to Operational Technology (OT) Security (2023)
  • IEC 62443-2-1:2010 — Establishing an IACS security management system
  • IEEE 802.1X-2020 — Port-Based Network Access Control
  • Hirschmann. (2023). Security Hardening Guide: HiOS. Belden/Hirschmann.
  • CISA. (2023). Cross-Sector Cybersecurity Performance Goals. CISA.