The previous chapter defined the IEC 62443 security levels and the zone/conduit model. This chapter translates those requirements into concrete actions: what to configure, in what order, and why.
A factory-fresh Hirschmann switch has HTTP enabled, Telnet enabled, SNMPv1/v2c enabled, and a default password. Every one of these defaults is an attack vector. Hardening closes these vectors before the switch enters production.
Each hardening step has a specific security rationale. Understanding the “why” prevents engineers from reverting changes when they seem inconvenient.
| Action | HiOS Path | Rationale |
|---|---|---|
| Disable HTTP | Basic Settings → Network → HTTP → Off | HTTP transmits credentials in plaintext. An attacker on the network captures the admin password with a packet sniffer. |
| Enable HTTPS | Basic Settings → Network → HTTPS → On | HTTPS encrypts the management session with TLS. Credentials and configuration data are protected in transit. |
| Disable Telnet | Basic Settings → Network → Telnet → Off | Telnet transmits every keystroke in plaintext, including passwords and configuration commands. |
| Enable SSH | Basic Settings → Network → SSH → On | SSH encrypts the CLI session. Use SSH key authentication for additional security. |
| Disable SNMPv1/v2c | Security → SNMP → v1: Off, v2c: Off | SNMPv1/v2c transmit the community string in plaintext. An attacker captures it and gains read/write access to every OID. |
| Enable SNMPv3 | Security → SNMP → v3: On | SNMPv3 provides SHA-256 authentication and AES-128 encryption. Configure unique credentials per user. |
Navigate to Security → User Management → Password Policy and configure:
Restrict management access to the management VLAN at Security → Management Access → VLAN: 50. This prevents devices on production VLANs from reaching the switch management interface.
Disable unused ports at Basic Settings → Port → Admin State: Off. Assign all unused ports to VLAN 4094 (black hole VLAN). This prevents an attacker from plugging into an unused port and gaining network access.
Configure syslog to a central server at Basic Settings → Diagnostics → Syslog. Set severity to Informational. Configure SNMP trap destinations for link up/down, authentication failure, and MRP topology change events.
802.1X is a port-based NAC (Network Access Control) standard. It prevents unauthorized devices from accessing the network by requiring authentication before the switch port forwards any traffic.
Three roles participate in 802.1X authentication: the supplicant (the end device requesting access), the authenticator (the switch port the device is connected to), and the authentication server (the RADIUS server that validates the credentials).
Until the supplicant authenticates, the switch port blocks all traffic except EAP (Extensible Authentication Protocol) frames. After successful authentication, the RADIUS server can assign the port to a specific VLAN based on the user’s role.
| Method | Credentials | Certificate Required | Use Case |
|---|---|---|---|
| EAP-TLS | Client certificate | Yes (client + server) | Highest security, managed devices |
| EAP-PEAP | Username/password | Server certificate only | Laptops, workstations |
| EAP-MD5 | Username/password | None | Legacy, not recommended |
| MAB (MAC Auth Bypass) | MAC address | None | Devices without 802.1X support (PLCs, printers) |
Many OT devices (PLCs, drives, I/O modules) do not support 802.1X. For these devices, use MAB (MAC Authentication Bypass): the switch sends the device’s MAC address to the RADIUS server, which checks it against a whitelist. MAB is weaker than 802.1X (MAC addresses can be spoofed) but provides a layer of access control for devices that cannot authenticate.
On Hirschmann HiOS, configure 802.1X at Security → 802.1X → Port Configuration. Set engineering workstation ports to 802.1X (EAP-PEAP). Set PLC ports to MAB with a static VLAN assignment.
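The RADIUS-side decision described above, as an added example that is not code from the book or from Hirschmann: port profiles (802.1X on workstation ports, MAB on PLC ports), a MAB MAC allowlist with static VLANs, role-based VLAN assignment for EAP-PEAP users, and the RFC 3580 tunnel attributes the server returns in Access-Accept. All names, MAC addresses, VLAN ids and port numbers are constructed; the EAP-PEAP credential check is stubbed as a boolean.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (assumed names, MACs and VLAN ids; not from a real site).
# Engineering workstation ports use 802.1X (EAP-PEAP); PLC ports use MAB, as in the text.
PORT_PROFILE = {"1/1": "dot1x", "1/2": "dot1x", "1/9": "mab", "1/10": "mab"}
USER_ROLES = {"eng.alice": "engineering", "ops.bob": "operations"}
ROLE_VLANS = {"engineering": 50, "operations": 20}
MAB_ALLOWLIST = {"02:00:00:00:00:01": 10, "02:00:00:00:00:02": 10}  # PLC MAC -> static VLAN


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int] = None
    reason: str = ""

    def attributes(self) -> dict:
        """RFC 3580 attributes returned in Access-Accept so the switch assigns the VLAN."""
        if not self.accept:
            return {}
        return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,  # 13 = VLAN, 6 = IEEE-802
                "Tunnel-Private-Group-ID": str(self.vlan)}


def normalize_mac(raw: str) -> Optional[str]:
    """MAB sends the MAC as the username in switch-specific notation; canonicalise it."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(port: str, method: str, identity: str, credential_ok: bool = True) -> Decision:
    """Decide Access-Accept/Reject for one request; method is 'dot1x' or 'mab'."""
    if PORT_PROFILE.get(port) != method:  # MAB on a workstation port is a policy violation
        return Decision(False, reason=f"{method} not permitted on port {port}")
    if method == "dot1x":
        if not credential_ok:  # stand-in for the real EAP-PEAP (MSCHAPv2) inner check
            return Decision(False, reason="EAP-PEAP credentials rejected")
        role = USER_ROLES.get(identity)
        if role is None:
            return Decision(False, reason="unknown user")
        return Decision(True, ROLE_VLANS[role], f"role {role}")
    mac = normalize_mac(identity)
    if mac is None or mac not in MAB_ALLOWLIST:
        return Decision(False, reason="MAC not on MAB allowlist")
    return Decision(True, MAB_ALLOWLIST[mac], "MAB allowlist match")
```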
Beyond VLAN configuration, additional switch features harden the segmentation.
Assign all unused ports to VLAN 4094 with no IP interface, no routing, and no DHCP. A device plugged into an unused port receives no IP address, no gateway, and no connectivity.
BPDU Guard disables a port if it receives a BPDU (Bridge Protocol Data Unit), which is a spanning tree frame. Access ports connected to end devices (PCs, PLCs) never send BPDUs. If a BPDU arrives on an access port, it means either that someone connected a switch or that a device is attempting an STP manipulation attack. BPDU Guard shuts the port down immediately.
On HiOS: Switching → Spanning Tree → BPDU Guard → Enable on all access ports.
Root Guard prevents a port from becoming the root port. If a switch connected to a root-guard-protected port advertises a superior BPDU (claiming to be the root bridge), the port enters a “root-inconsistent” state and stops forwarding. This prevents an attacker from inserting a switch with a low bridge priority and becoming the root bridge, which would redirect all traffic through the attacker’s switch.
On HiOS: Switching → Spanning Tree → Root Guard → Enable on ports facing downstream switches.
Ingress filtering drops frames with VLAN tags that do not match the port’s VLAN membership. Without ingress filtering, a device on VLAN 10 can send a tagged frame for VLAN 20, and the switch forwards it. With ingress filtering enabled, the switch drops the frame because VLAN 20 is not in the port’s membership list.
On HiOS: Switching → VLAN → Ingress Filtering → Enable on all ports. This prevents VLAN hopping via single-tagged frames on access ports.
PLCs have limited security features. Focus on the controls that are available:
| Action | Rationale |
|---|---|
| Change default passwords | Default passwords are published in vendor documentation |
| Disable unused communication ports | Reduces the attack surface |
| Enable write protection (hardware key or software) | Prevents unauthorized program changes |
| Restrict programming access to specific IPs | Only the engineering workstation can modify the program |
| Disable the built-in web server if not needed | Removes an unnecessary network service |
| Enable CPU access protection (Siemens: protection level 3) | Requires a password for read/write access |
Collect syslog from all switches and centralize in a SIEM (Security Information and Event Management) system. Monitor SNMP traps for link up/down, MRP topology changes, and authentication failures. Baseline normal traffic so anomalies stand out. Deploy OT-specific IDS tools (Claroty, Dragos, Nozomi Networks) that passively monitor OT traffic. Alert on any new MAC address appearing on the network.
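The detection logic described above, as an added example that is not from the book: it runs over a few constructed syslog lines and raises alerts for repeated authentication failures, link-up on a port that should be unused (black-hole VLAN), a BPDU Guard trigger, and any MAC address not in the baseline inventory. The message wording, host names, ports and MACs are all assumptions made for this example; real HiOS syslog text differs, so the regexes in PATTERNS must be adapted to it.

```python
import re
from collections import Counter

# Constructed sample syslog lines; the message wording is an assumption made for
# this example. Real HiOS messages differ, so adapt PATTERNS to the actual text.
SAMPLE_SYSLOG = """\
<134>Mar 03 10:01:02 sw-cell1 AUTH: login failed for user admin from 192.168.50.200
<134>Mar 03 10:01:05 sw-cell1 AUTH: login failed for user admin from 192.168.50.200
<134>Mar 03 10:01:09 sw-cell1 AUTH: login failed for user admin from 192.168.50.200
<134>Mar 03 10:02:11 sw-cell1 LINK: port 1/7 link up
<134>Mar 03 10:02:12 sw-cell1 STP: BPDU guard disabled port 1/7
<134>Mar 03 10:03:30 sw-cell2 FDB: learned 02:00:00:00:00:99 on port 1/3 vlan 10
<134>Mar 03 10:03:31 sw-cell2 FDB: learned 02:00:00:00:00:01 on port 1/2 vlan 10
"""
UNUSED_PORTS = {("sw-cell1", "1/7"), ("sw-cell2", "1/8")}  # assumed black-hole VLAN 4094 ports
MAC_BASELINE = {"02:00:00:00:00:01", "02:00:00:00:00:02"}  # assumed inventory of known MACs
AUTH_FAIL_THRESHOLD = 3

LINE_RE = re.compile(r"^<\d+>\S+ \d+ \S+ (?P<host>\S+) (?P<msg>.*)$")
PATTERNS = {
    "auth_fail": re.compile(r"login failed for user (?P<user>\S+) from (?P<src>\S+)"),
    "link_up": re.compile(r"port (?P<port>\S+) link up"),
    "bpdu_guard": re.compile(r"BPDU guard disabled port (?P<port>\S+)"),
    "mac_learned": re.compile(r"learned (?P<mac>[0-9a-f:]{17}) on port (?P<port>\S+)"),
}

def analyze(syslog_text: str) -> list[str]:
    """Return one alert string per finding, in the order the events occur."""
    alerts, fails = [], Counter()
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        for kind, pat in PATTERNS.items():
            e = pat.search(msg)
            if not e:
                continue
            if kind == "auth_fail":
                fails[(host, e["src"])] += 1
                if fails[(host, e["src"])] == AUTH_FAIL_THRESHOLD:
                    alerts.append(f"{host}: {AUTH_FAIL_THRESHOLD} failed logins from {e['src']}")
            elif kind == "link_up" and (host, e["port"]) in UNUSED_PORTS:
                alerts.append(f"{host}: link up on unused port {e['port']}")
            elif kind == "bpdu_guard":
                alerts.append(f"{host}: BPDU guard triggered on port {e['port']}")
            elif kind == "mac_learned" and e["mac"] not in MAC_BASELINE:
                alerts.append(f"{host}: new MAC {e['mac']} on port {e['port']}")
    return alerts
```

In production the same function would consume the SIEM's syslog feed and the baseline would be the asset inventory rather than a hard-coded set.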
Inventory all software and firmware versions. Subscribe to vendor security advisories (Siemens ProductCERT, Hirschmann security advisories). Test patches in a lab before deploying to production. Schedule patches during planned maintenance windows. Accept that some systems cannot be patched and compensate with network controls (firewall, VLAN isolation, monitoring).
The following script connects to Hirschmann switches via SNMP and checks key hardening indicators: system name (is it configured?), SNMP version, and uptime. Extend it with additional OID checks for a complete compliance report.
```python
# Uses the synchronous pysnmp hlapi (pysnmp 4.x); newer releases expose an asyncio API.
from pysnmp.hlapi import (
    getCmd, SnmpEngine, CommunityData, UdpTransportTarget,
    ContextData, ObjectType, ObjectIdentity,
)


def snmp_get(host: str, community: str, oid: str) -> str:
    """Read one OID over SNMPv2c; return its value or an 'ERROR: ...' string."""
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=1),  # mpModel=1 selects SNMPv2c
        UdpTransportTarget((host, 161), timeout=2, retries=1),
        ContextData(),
        ObjectType(ObjectIdentity(oid)),
    )
    err_ind, err_stat, _, var_binds = next(iterator)
    if err_ind or err_stat:
        # A timeout lands here too, so "disabled" below also covers a community
        # string that is simply wrong. Confirm with an SNMPv3 query if in doubt.
        return f"ERROR: {err_ind or err_stat}"
    return str(var_binds[0][1])


SWITCHES = ["192.168.50.1", "192.168.50.2", "192.168.50.3"]
COMMUNITY = "public"  # If this works, SNMPv2c is still enabled (finding!)

print(f"{'Host':20s} {'sysName':20s} {'sysDescr':40s} {'Uptime':15s} {'SNMPv2c'}")
print("-" * 100)
for host in SWITCHES:
    name = snmp_get(host, COMMUNITY, "1.3.6.1.2.1.1.5.0")        # sysName.0
    descr = snmp_get(host, COMMUNITY, "1.3.6.1.2.1.1.1.0")[:40]  # sysDescr.0
    uptime = snmp_get(host, COMMUNITY, "1.3.6.1.2.1.1.3.0")      # sysUpTime.0
    snmpv2_status = "disabled" if name.startswith("ERROR") else "ENABLED (finding!)"
    print(f"{host:20s} {name:20s} {descr:40s} {uptime:15s} {snmpv2_status}")
```

If the script successfully reads data using an SNMPv2c community string, that switch still has SNMPv2c enabled, which is a hardening finding. A fully hardened switch rejects SNMPv2c queries and requires SNMPv3 authentication.
Every default is an attack vector
HTTP, Telnet, SNMPv1/v2c, and default passwords are all enabled on a factory-fresh switch. Disable them before the switch enters production.
802.1X controls port access
Use 802.1X for devices that support it and MAB for devices that do not. RADIUS provides centralized authentication and VLAN assignment.
BPDU Guard and Root Guard protect STP
BPDU Guard shuts down access ports that receive BPDUs. Root Guard prevents unauthorized root bridge elections.
Parts 1 through 4 covered networking foundations, industrial protocols, and security. Part 5 shifts to operations: how to keep a network running day-to-day through documentation, change management, monitoring, and disaster recovery. The next chapter covers network operations.