Guidelines from the UK Cyber Security Agency

How to document your OT without breaking down (part 2)

René Krause
Teamlead Service
Jan 6, 2026
3 min

Part 1 of this blog post discussed the implementation of preparatory core principles 1 and 2 of the guide “Creating and maintaining a definitive view of your Operational Technology (OT) Architecture.” The second part gets to the heart of core principles 3 to 5: How can a passive network-based intrusion detection system such as Rhebo Industrial Protector aid you in identifying, evaluating, and documenting your OT infrastructure?

Core principle 3: Identify and categorize OT assets

Step 3 marks the start of the actual data collection and documentation. A passive network-based intrusion detection system (NIDS) with integrated detection and analysis functions can cover a large part of the data collection. Above all, its real-time analysis provides an up-to-date and accurate picture of the security situation.

In general, the following applies: The longer (i.e., weeks or months) a NIDS runs in the OT network, the more complete the documentation becomes, because every process and system involved is eventually observed, including those that only occur periodically (updates, maintenance processes, backups). In the meantime, the NIDS simply does what it does best: detect anomalies in the OT communication that indicate cyberattacks and technical errors.

Task | How-to with a NIDS
Task: Identify OT assets (systems, devices, information).
  • An initial assessment can be made by means of a Rhebo Industrial Security Assessment. This involves integrating the NIDS into the OT via switch mirror ports (takes approx. 30 minutes) and passively recording the OT communication for 2 weeks. Only a few minutes after the recording starts, a current network map is generated, which already displays information required by core principles 3 (assets) and 4 (connections, protocols).
  • For a longer-term picture: Integrate and operate the NIDS as an intrusion detection system. Communicating devices and systems are displayed in real time. Time series can be used to analyze behavior patterns and protocol use.
Task: Evaluate assets in terms of criticality, risk exposure and availability requirements.
  • Collate the NIDS data with the existing asset information (location, function, process role, owner) so that each asset is seen in its operational context.
  • Assess criticality and availability requirements, e.g., based on the operational, occupational safety, and economic significance of a system. Tap into the wisdom of your OT staff.
  • Assess risk exposure using connection information (especially to IT, the Internet, and remote access) from the NIDS.
Core principle 4: Identify connections between OT systems

Task | How-to with a NIDS
Task: Cross-check which connections an asset needs to function, and which it currently has.
  • Analyze the connections of each system using the data from the NIDS. The network map shows which systems communicate with each other and to what extent (data throughput and round trip times). This step is also part of a standard Rhebo Industrial Security Assessment.
  • Pay particular attention to connection attempts to the IT network and the Internet.
  • Compare the connections with existing infrastructure and data flow diagrams that document which connections are legitimate and absolutely necessary.
  • If necessary, remove or regulate (e.g., via data diodes) connections that are not relevant or undesirable for the function of the industrial process.
Task: Cross-check which protocols an asset needs to function, and which it currently uses. Ensure the protocols in use are secured (as far as possible).
  • Analyze asset time series in the NIDS to identify protocols and their versions used and evaluate them from a security perspective. This step is also performed as part of a standard Rhebo Industrial Security Assessment.
  • Compare this information with the data flow diagram.
  • Deactivate insecure and unnecessary protocols (e.g., LLMNR, mDNS, WS-Discovery, Telnet).
  • Update systems, where possible, to higher, secure protocol versions (e.g., SNMPv2c to SNMPv3, NFSv2 to NFSv3, FTP to FTPS). A newer version is only a gain if its security features are actually switched on, e.g., SNMPv3 with both authentication and encryption (authPriv) rather than noAuthNoPriv.
Task: Document and evaluate current OT security measures in terms of functionality, scope and effectiveness.
  • Discuss with the IT and cybersecurity teams which security measures are dedicated to protecting OT and where gaps exist.
  • Check network segmentations.
  • Document who can access OT systems, how they can do it, and what privileges they have.
  • Identify protocol breaks, i.e., points where communication is terminated and re-established across a zone boundary (e.g., at a DMZ proxy or jump host).
Task: Document requirements and limitations of the OT network.
  • Document parameters such as bandwidth, latency, availability, redundancy and exposure.
  • Use the throughput and data traffic time series from the NIDS to identify violations of the parameters (e.g., drops or fluctuations, ICMP unreachable alarms, TCP retransmissions). This step is performed as part of a standard Rhebo Industrial Security Assessment.
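To make the cross-checks of core principles 3 and 4 concrete, here is an added example that is not Rhebo code and does not use the Rhebo Industrial Protector API. It runs the same logic a passive NIDS applies to mirror-port traffic over constructed flow records: it derives the asset list (principle 3), the connection map with throughput and round trip times and the protocols in use (principle 4), then compares the result with the documented data flows and flags undocumented connections, cross-zone and Internet traffic, and the insecure or discovery protocols named above. The zone ranges, flow records, documented-flow set and port-to-protocol table are all constructed assumptions; real input would come from a pcap or the NIDS export.

```python
"""Passive asset, connection and protocol audit over flow records.

Added example, not Rhebo code. Zones, flows, the documented-flow set and the
port table are constructed sample data standing in for mirror-port traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map: which address ranges are OT and which are IT.
ZONES = {
    "ot": [ip_network("10.10.1.0/24")],
    "it": [ip_network("192.168.50.0/24")],
}

# Constructed flow records: (src, dst, transport, dst_port, bytes, rtt_ms).
FLOWS = [
    ("10.10.1.10", "10.10.1.20", "tcp", 502, 48_000, 2.1),     # SCADA -> PLC, Modbus
    ("10.10.1.10", "10.10.1.20", "tcp", 502, 52_000, 2.4),     # same connection, later
    ("10.10.1.10", "10.10.1.21", "tcp", 502, 47_500, 2.3),
    ("10.10.1.30", "10.10.1.20", "tcp", 44818, 5_000, 1.8),    # HMI -> PLC, EtherNet/IP
    ("10.10.1.10", "10.10.1.21", "tcp", 23, 900, 2.0),         # Telnet to a PLC
    ("10.10.1.30", "224.0.0.252", "udp", 5355, 300, None),     # LLMNR multicast
    ("10.10.1.10", "192.168.50.5", "tcp", 445, 120_000, 9.5),  # SMB to an IT share
    ("10.10.1.21", "203.0.113.7", "tcp", 443, 15_000, 80.0),   # PLC -> Internet
    ("192.168.50.9", "10.10.1.10", "udp", 161, 200, 6.0),      # SNMP polling from IT
]

# The data flow diagram, reduced to the connections it declares legitimate.
DOCUMENTED = {
    ("10.10.1.10", "10.10.1.20", "tcp", 502),
    ("10.10.1.10", "10.10.1.21", "tcp", 502),
    ("10.10.1.30", "10.10.1.20", "tcp", 44818),
}

# Port-based hints for the insecure and discovery protocols named in the text.
# A port alone cannot tell SNMPv2c from v3; a NIDS with protocol parsing can.
INSECURE = {
    ("tcp", 23): "Telnet",
    ("tcp", 21): "FTP",
    ("udp", 5355): "LLMNR",
    ("udp", 5353): "mDNS",
    ("udp", 3702): "WS-Discovery",
    ("udp", 161): "SNMP (verify v3 with authentication and encryption)",
}


def zone_of(ip):
    """Map an address to a zone; unknown unicast space counts as Internet."""
    addr = ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def asset_inventory(flows):
    """Core principle 3: every address seen communicating is an asset."""
    inv = defaultdict(lambda: {"zone": None, "protocols": set(), "bytes": 0})
    for src, dst, proto, port, nbytes, _ in flows:
        for ip in (src, dst):
            inv[ip]["zone"] = zone_of(ip)
            inv[ip]["protocols"].add((proto, port))
            inv[ip]["bytes"] += nbytes
    return dict(inv)


def connection_map(flows):
    """Core principle 4: aggregate flows per connection with volume and RTT."""
    conns = defaultdict(lambda: {"bytes": 0, "rtts": []})
    for src, dst, proto, port, nbytes, rtt in flows:
        entry = conns[(src, dst, proto, port)]
        entry["bytes"] += nbytes
        if rtt is not None:
            entry["rtts"].append(rtt)
    return dict(conns)


def audit(flows, documented):
    """Cross-check observed connections against the documented data flows."""
    findings = []
    for key in connection_map(flows):
        src, dst, proto, port = key
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if key not in documented:
            findings.append(("undocumented", key))
        if "internet" in (src_zone, dst_zone):
            findings.append(("internet", key))
        elif src_zone != dst_zone and "multicast" not in (src_zone, dst_zone):
            findings.append(("cross-zone", key))
        if (proto, port) in INSECURE:
            findings.append(("insecure-protocol:" + INSECURE[(proto, port)], key))
    return findings


if __name__ == "__main__":
    for ip, info in sorted(asset_inventory(FLOWS).items()):
        print(f"{ip:15} {info['zone']:9} {info['bytes']:>8} B  {sorted(info['protocols'])}")
    for kind, key in audit(FLOWS, DOCUMENTED):
        print(f"{kind:55} {key}")
```

On the sample data the three documented Modbus and EtherNet/IP connections produce no findings, while the Telnet session, the LLMNR multicast, the SMB transfer into IT, the PLC's outbound HTTPS and the SNMP polling from IT each surface as undocumented, cross-zone, Internet or insecure-protocol items, which is the work list steps "Compare" and "Deactivate" above expect. Running the check over weeks of records rather than a snapshot matters for the same reason given under core principle 3: periodic maintenance and backup flows only show up once they have happened.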

Core principle 5: Understand 3rd party dependencies

In OT in particular, vendors often have substantial access rights. Contracts frequently stipulate that systems and devices may only be maintained and repaired by the vendor's personnel or certified service providers. This creates significant exposure, because your control over the cybersecurity of third-party companies is very limited.

Task | How-to with a NIDS
Task: Evaluate the trust level of 3rd party entities and other networks that have access to your OT.
  • Use the device list from the Rhebo Industrial Security Assessment and the operational NIDS to identify vendors, models, and connections to external networks.
  • Supplement the information with details from service level agreements.
  • Assess external connections according to trust level (high = identical risk profile, high control, e.g., OT in a substation; medium = IT network; low = third-party companies, Internet).
  • Ensure that no system from a lower level can administer a system from a higher level.
  • Harden the security measures between different trust levels (e.g., DMZ, firewall, MFA, security monitoring).
Task: Understand the access requirements for vendors and service providers.
  • Use time series from the NIDS to track data flows to external networks.
  • Analyze update and maintenance processes with vendors (What do they access? How do they ensure security and quality of their updates? How do they ensure the cybersecurity of staff and IT resources?).
  • Analyze access requirements from vendors.
  • Identify requirements where security controls are bypassed or weakened.
  • Coordinate with vendors on how to harmonize access and security requirements. In any case, ensure that all assets in the OT are protected, e.g., through access controls, data diodes, and segmentation.
  • Ensure secure data transfer (encryption).
Task: Identify and block/secure insecure access points by vendors and service providers.
  • Check how third-party companies can access your OT systems.
  • Ensure that no connection methods are used that you can neither secure nor monitor (e.g., 4G modems, Bluetooth, Wi-Fi, USB).
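The trust-level rule and the access-path check from the two tables above can be expressed as a small policy check over observed sessions. The following is an added example, not Rhebo code: it assigns the page's three trust levels to constructed network zones, treats a hypothetical hardened remote-access gateway (MFA, session recording) as the only permitted entry point for third parties, and labels every administrative or engineering session as an approved entry, third-party work to monitor, an allowed higher-to-lower session, or a violation where a lower-trust system administers a higher-trust one. The zones, the gateway address, the admin-port table and the sessions are all constructed assumptions.

```python
"""Trust-level check for administrative access into OT (core principle 5).

Added example, not Rhebo code. Zones, trust levels, the gateway address, the
admin-port table and the session records are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

TRUST = {"high": 3, "medium": 2, "low": 1}

# Constructed zones: (network, name, trust level), using the page's three levels.
ZONES = [
    (ip_network("10.10.1.0/24"), "substation-ot", "high"),
    (ip_network("192.168.50.0/24"), "corporate-it", "medium"),
    (ip_network("172.16.99.0/24"), "vendor-vpn", "low"),
]

# Hypothetical hardened remote-access gateway that third parties must land on
# (with MFA and session recording) before touching anything else in OT.
GATEWAY = "10.10.1.250"

# Ports whose use implies administrative or engineering control of the target.
ADMIN_PORTS = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 3389): "RDP",
    ("tcp", 5900): "VNC",
    ("tcp", 102): "S7comm engineering (ISO-TSAP)",
}

# Constructed sessions: (src, dst, transport, dst_port).
SESSIONS = [
    ("172.16.99.4", GATEWAY, "tcp", 3389),         # vendor -> gateway: approved entry
    (GATEWAY, "10.10.1.21", "tcp", 102),           # gateway -> PLC: vendor work, monitor
    ("172.16.99.4", "10.10.1.21", "tcp", 22),      # vendor -> PLC directly: bypass
    ("192.168.50.9", "10.10.1.10", "tcp", 3389),   # IT admin -> SCADA server
    ("10.10.1.10", "192.168.50.5", "tcp", 22),     # OT -> IT: higher to lower, allowed
    ("198.51.100.20", "10.10.1.30", "tcp", 5900),  # Internet -> HMI via VNC
    ("10.10.1.10", "10.10.1.21", "tcp", 502),      # Modbus process traffic, not admin
]


def zone_of(ip):
    """Return (zone name, trust level); anything unmapped is Internet, low."""
    addr = ip_address(ip)
    for net, name, level in ZONES:
        if addr in net:
            return name, level
    return "internet", "low"


def classify(sessions):
    """Label each administrative session as entry, monitor, ok or violation."""
    results = []
    for src, dst, proto, port in sessions:
        service = ADMIN_PORTS.get((proto, port))
        if service is None:
            continue  # process traffic is out of scope for this check
        src_zone, src_level = zone_of(src)
        dst_zone, dst_level = zone_of(dst)
        if dst == GATEWAY:
            kind = "entry"      # must be centrally approved and logged
        elif src == GATEWAY:
            kind = "monitor"    # third-party work inside OT: watch it live
        elif TRUST[src_level] < TRUST[dst_level]:
            kind = "violation"  # lower trust administering higher trust
        else:
            kind = "ok"
        results.append((kind, src, src_zone, dst, dst_zone, service))
    return results


def violations(sessions):
    """Only the sessions that break the trust-level rule."""
    return [r for r in classify(sessions) if r[0] == "violation"]


if __name__ == "__main__":
    for kind, src, sz, dst, dz, service in classify(SESSIONS):
        print(f"{kind:9} {src:15} ({sz:13}) -> {dst:15} ({dz:13}) {service}")
```

Sessions the gateway originates are labelled "monitor" rather than "ok" on purpose: they are the legitimate vendor activity that the monitoring measures below (central approval, change log, live observation of the maintenance session) are meant to cover. The check only sees what passes the mirror port; a 4G modem or USB stick bypasses it entirely, which is why those access methods are excluded in the table above rather than merely monitored.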

Because you have little control over how trustworthy third-party companies are with regard to cybersecurity, their activities should be monitored particularly closely. This includes measures such as:

  • centralized approval of access (incl. remote),
  • logging of activities (change log),
  • monitoring of connections and communication to the OT during access in order to immediately detect unauthorized operations or infections via, for example, maintenance laptops,
  • targeted monitoring of maintained devices and systems after restarting in order to detect unwanted or malicious changes in communication behavior.

Start now to gain visibility and clarity in your OT: information about the Rhebo Industrial Security Assessment and the NIDS Rhebo Industrial Protector.