Chapter 77 Β· Concepts

Hardening Targets β€” Concepts Map

Six comparison tables: all nine targets at a glance, update urgency by device type, segmentation strategies, cloud hardening pillars, SCADA vs. standard IT, and the IoT risk profile.

Table 1 β€” Nine Hardening Targets: Key Controls at a Glance
TargetPrimary RiskKey Hardening ControlsManagement Tool
Mobile devicesAlways-connected; personal/corporate data mixedUpdates, data segmentation, strong authenticationMDM
WorkstationsUser-facing; phishing/malware entry pointOS/app/firmware patches, remove unused software, policy managementActive Directory Group Policy
Network infrastructureBackbone compromise; embedded OS, default credentialsChange defaults, configure authentication, apply firmware patchesVendor management console + TACACS+/RADIUS
Cloud infrastructureBroad blast radius from admin account compromiseSecure management workstation, least privilege, EDR, C2C backupCloud-native policy (AWS Config, Azure Policy)
ServersHolds critical data; lateral movement targetOS patches/service packs, strong accounts, limit network access, EDR/AVPatch management + Group Policy / MDM
SCADA / ICSPhysical consequences; critical infrastructureAir-gap / extensive segmentation, no internet accessIsolated control network
Embedded systemsHard to update; purpose-built firmwareApply patches when available, segment + firewallNetwork-level containment
RTOSTiming disruption; safety-critical processesIsolate from all networks, minimum services, host-based firewallPhysical isolation + host firewall
IoTWeak defaults; manufacturer not security-focusedChange default credentials, patch quickly, segment to own VLANVLAN + firewall rules
Table 2 β€” Update Frequency and Urgency by Target
TargetUpdate FrequencyUrgency LevelNotes
Mobile devicesFrequent (monthly or more)HighUnpatched mobiles directly exposed on untrusted networks
WorkstationsMonthly (Patch Tuesday cycle)HighTest in pilot group before broad deployment
Network infrastructureRare (when vendor releases)Very high when releasedInfrequent releases mean each one addresses something significant
Cloud infrastructureVaries (platform-managed vs. self-managed)HighCloud workstation and connected endpoints need fastest cycle
ServersMonthly + service packsHigh (with change control)Server reboots have operational impact; test before deploying
SCADA / ICSRare; change-controlledCarefully evaluatedUpdates require extensive testing due to safety criticality
Embedded systemsRareHigh when releasedIf vendor bothered to release a patch, it addresses something serious
RTOSVery rareHigh when releasedAny change to RTOS must not affect deterministic timing
IoTInfrequent; often manualHigh β€” deploy quicklyKnown CVEs widely published; every unpatched device is an open target
Table 3 β€” Segmentation Strategies by Target
TargetSegmentation ApproachWhy
Mobile (corporate data)Work profile / managed container separates corporate from personal dataPrevents malware in personal apps from accessing corporate resources
ServersFirewall rules limit which systems can reach each serverLimits lateral movement paths after initial compromise
SCADA / ICSAir-gap or completely isolated network; no internet accessPhysical process control β€” compromise has physical safety consequences
Embedded systemsDedicated network segment + firewall in frontLimits reach of unpatched embedded devices; contains compromise
RTOSPhysical network isolation from all general networksGeneral network traffic disrupts deterministic timing; safety criticality
IoTDedicated VLAN separated from corporate systemsWeak device security β€” contain blast radius to IoT segment only
Table 4 β€” Cloud Hardening: Four Pillars
PillarWhat It MeansWhy It Matters
Secure cloud management workstationHarden, EDR-protect, and restrict access to the machine used to administer cloud resourcesCompromise of this workstation = access to entire cloud environment ("keys to the kingdom")
Least privilegeEvery service, account, and application has only the permissions its function requires β€” nothing moreMisconfigured cloud permissions are the most common cloud security incident; least privilege limits blast radius
EDR on cloud-connected devicesAll endpoints accessing cloud management must have behavioral threat detectionDetects endpoint compromise before attacker pivots to cloud; signature-only AV is insufficient
Cloud-to-Cloud (C2C) backupReplicate cloud data to a different provider or region under separate credentialsOutage, accidental deletion, or ransomware at primary provider does not affect backup stored elsewhere
Table 5 β€” SCADA/ICS vs. Standard IT: Key Differences
DimensionStandard IT SystemsSCADA / ICS
Primary consequence of compromiseData breach, service disruptionPhysical damage, safety hazards, critical infrastructure failure
Network connectivityInternet-connected; broad network accessAir-gapped or isolated; no internet access
Update cycleMonthly patches; relatively straightforwardRare updates; extensive safety testing required before any change
Availability priorityBalanced with confidentiality and integrityAvailability is paramount β€” downtime can stop physical processes
Hardening approachPatches, configuration management, EDRPhysical isolation, segmentation, change-controlled updates
Who manages itIT security teamOT (Operational Technology) team, often separate from IT
Table 6 β€” IoT Risk Profile and Controls
IoT Risk FactorWhy It ExistsHardening Control
Weak default credentialsManufacturers prioritize ease of setup; same default on every unit; documented publiclyChange all default credentials immediately at deployment
Infrequent security patchesManufacturer is HVAC/lighting engineer, not security vendor; no long-term patch supportApply available patches immediately; prioritize IoT patching above other devices
Open network servicesDefault config exposes services for convenience; vendor doesn't consider attack vectorsDisable unused services; segment to VLAN with restrictive firewall rules
Unencrypted communicationsLow-power devices; no TLS/encryption by default in many devicesNetwork-level controls; VLAN isolation limits exposure of unencrypted traffic
No EDR/AV capabilityLimited hardware; no OS with endpoint security supportCompensating controls: network monitoring, VLAN isolation, firewall logging