
Unfortunately, this vacancy has probably expired by now

Network Architect for OT/IT segmentation

Ormer - Rotterdam - 26-09-2022

Chiara is here to help you

Chiara van Grieken

Sales Consultant
“Only when both the client and the candidate are satisfied have I done my job well.”
Intro
For an end client in the Rotterdam area we are looking for a network architect. Interested? Then read on!
Start date: as soon as possible
Duration of assignment: 3 months
Option to extend: yes
Hours: 24 – 32 hours per week
Assignment description
The following passages, taken from an extensive document (in English), give more direction to what is being asked. The assignment can be carried out either full-time (4 – 5 days per week) or part-time (2 – 3 days per week).

We are looking for an experienced/senior architect who can draw up a high-level design based on the Network Segmentation OT IT procurement document.

This design will then be put out to the market (as a tender), so that we can request the further low-level design and the implementation from various organizations.

“External cyber security assessments of the infrastructure performed in 2017 and 2021 have shown that the current network does not comply with industry standards and security practices. The aim is to change this with this project by creating a multi-layer network, in which each (segmented) zone hosts a different functional purpose. This ultimately leads to a more manageable and secure network for the organization.”

Because of this, the following activities should be carried out to optimize the network:

  • Create a new network design featuring multiple zones, in collaboration with an experienced network (security) architect
  • Create / enhance the local networks of the companies’ equipment

Based on the following principle assumptions and additional requirements, the request is to find an external network architect who can help us design and document a practically implementable network design, based on the principle that a clear segmentation and separation can be applied between the OT and IT network. Separate segments for IT, OT, management, DMZ and office should be taken into account.

Principle assumptions for new Network Design

MUST HAVES

  • All operational systems and management of the OT systems are in an OT domain network.
  • DMZ is created to separate the IT and OT network.
  • No internet access is allowed in the OT network.
  • Separate management traffic from production traffic.
  • Redesign of the ICT (office) network.
  • Updates from the internet are only allowed to the (update) systems in the DMZ.
  • Updates for systems in the OT are only delivered from systems in the DMZ.
  • Only clients / users have remote access via RAS from the DMZ to the systems within the OT network.
  • Maintenance technicians have remote access to the systems, or direct access when they are within the OT domain.
  • Scaling of the OT network has to be defined in the architecture.
  • Legacy assets (i.e. S5 equipment) are isolated from the rest of the OT domain and their updates are frozen.
  • Current functionality such as Remote Access (including the file-transfer function) and Version / Asset Management must still be possible in the new environment.
  • In the new situation, RA for camera systems must still be possible.
  • The maintenance department must have insight into the OT network, with read rights to determine settings (i.e. IP addresses etc.), network connectivity and network load.
  • It must still be possible for the maintenance department to connect locally in the OT network to troubleshoot i.e. a PLC or other devices.
  • Connectivity between the OT domain and DMZ / Enterprise network is untrusted by default.
  • The OT domain relies on its own Active Directory, which operates independently from the Enterprise AD.
  • The OT Active Directory contains internal and external accounts. External accounts are reviewed on a quarterly basis by the responsible manager.
  • Local (direct) access to OT equipment is disabled by default through port security / NAC services.
  • Access to OT equipment with an untrusted device is requested through a designated procedure.
  • All (direct and remote) access to OT equipment is logged and consolidated to a logging or a SIEM.
  • The RAS is inaccessible from the internet and can only be reached from trusted devices and users from the Enterprise Network.

SHOULD HAVES

  • Connectivity to OT equipment with an untrusted device generates an alert which is investigated by a designated team. Approval of access to OT equipment is carried out according to the “four-eyes” principle.
  • Trusted devices are whitelisted and managed through one dedicated source.
  • Trusted devices are periodically checked to confirm they should still be trusted. This check is supported by the device life cycle process.
  • All devices used to locally access OT equipment are hardened and have an up-to-date AV product installed.
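An added example, not part of the vacancy or of the client’s procurement document, that encodes several of the MUST HAVES above as checks over candidate zone-to-zone flows, so a proposed high-level design can be sanity-checked before it goes out to tender. The zone names, service labels and sample flows are assumptions constructed for illustration.

```python
"""Zone-policy check for the OT/IT segmentation must-haves (added example)."""
from dataclasses import dataclass

# Zone names, services and sample flows are constructed for this example, not taken from the document.
ZONES = {"INTERNET", "ENTERPRISE", "DMZ", "OT", "OT_MGMT", "OT_LEGACY"}

@dataclass(frozen=True)
class Flow:
    src: str      # source zone
    dst: str      # destination zone
    service: str  # "updates", "ras", "mgmt", "web", ...

def is_ot(zone: str) -> bool:  # OT, its management segment and the legacy segment form the OT domain
    return zone.startswith("OT")

# Each rule names the must-have it encodes and returns True when the flow violates it.
RULES = [
    ("No internet access in the OT network",
     lambda f: (is_ot(f.src) and f.dst == "INTERNET") or (f.src == "INTERNET" and is_ot(f.dst))),
    ("Internet updates terminate only on the update systems in the DMZ",
     lambda f: f.service == "updates" and f.src == "INTERNET" and f.dst != "DMZ"),
    ("OT systems receive updates only from the DMZ",
     lambda f: f.service == "updates" and is_ot(f.dst) and f.src != "DMZ"),
    ("Remote access into OT comes only via the RAS in the DMZ",
     lambda f: f.service == "ras" and is_ot(f.dst) and f.src != "DMZ"),
    ("RAS is not reachable from the internet", lambda f: f.service == "ras" and f.src == "INTERNET"),
    ("Management traffic to OT is separated from production traffic",
     lambda f: f.service == "mgmt" and is_ot(f.dst) and f.src != "OT_MGMT"),
    ("Legacy assets are isolated with updates frozen", lambda f: f.dst == "OT_LEGACY" and f.service == "updates"),
]

def evaluate(flows):
    """Return (flow, rule name) for every must-have a proposed flow would break."""
    hits = []
    for f in flows:
        if f.src not in ZONES or f.dst not in ZONES:
            raise ValueError(f"unknown zone in {f}")
        hits.extend((f, name) for name, violated in RULES if violated(f))
    return hits

SAMPLE_FLOWS = [                          # constructed candidate flows from a draft design
    Flow("INTERNET", "DMZ", "updates"),   # ok: update server lives in the DMZ
    Flow("DMZ", "OT", "updates"),         # ok: OT is patched from the DMZ only
    Flow("ENTERPRISE", "DMZ", "ras"),     # ok: trusted enterprise user reaches the RAS
    Flow("OT", "INTERNET", "web"),        # violates: OT has internet access
    Flow("ENTERPRISE", "OT", "updates"),  # violates: updates bypass the DMZ
    Flow("INTERNET", "DMZ", "ras"),       # violates: RAS exposed to the internet
    Flow("ENTERPRISE", "OT", "mgmt"),     # violates: management from the production side
    Flow("DMZ", "OT_LEGACY", "updates"),  # violates: legacy segment is frozen
]
```

Running `evaluate(SAMPLE_FLOWS)` lists the five flows that break a must-have together with the rule each one breaks; a clean result for the full candidate rule set is the gate before the design leaves for tender.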