Industrial switches are critical infrastructure that few facilities actively harden. Managed switches often ship with default credentials, insecure protocols like Telnet, and no access control lists protecting the management interface. A compromised switch becomes a central point for lateral movement, VLAN hopping, and persistence that is difficult to detect and expensive to remediate.
Switch hardening is not complex, but it requires discipline and documentation. The challenge is enforcing consistent configuration across 30+ switches across multiple production areas when each facility may have been set up by different integrators using different models and firmware versions.
Fundamental Hardening Steps
Change all default credentials immediately and store them in a password manager, not a spreadsheet. Configure SSH only (disable Telnet and HTTP) on management interfaces. Restrict management port access using ACLs—only specific engineering workstations or jump hosts should reach the switch CLI. Enable logging to a centralized syslog server so changes are auditable even if someone gains local access.
Configure SNMP version 3 with authentication and encryption, not version 2 with plaintext community strings. Disable unnecessary services: DHCP server, HTTP server, and DNS forwarding features that you don't use. Each enabled service is an attack surface.
Essential Hardening Checklist
- Authentication: Change default credentials, disable Telnet and HTTP, enable SSH with strong key exchange algorithms. Use TACACS+ or RADIUS for centralized authentication on larger networks.
- Port Configuration: Explicitly assign ports to VLANs. Disable all unused ports or configure them in a dedicated management VLAN. Enable port security to limit MAC address learning and prevent rogue device insertion.
- Management Access Control: Restrict in-band management (SSH, SNMP) to specific source IP addresses. Consider out-of-band management via console ports on a dedicated serial network for critical infrastructure switches.
- Logging and Monitoring: Enable syslog export, configure NTP for accurate timestamps, and send critical alerts (configuration changes, authentication failures) to your SIEM or alerting system in real time.
Deployment Without Disruption
Hardening existing production switches requires careful sequencing. Plan changes during maintenance windows. Test configuration changes on identical non-production switches first. Use configuration backups so you can recover quickly if a hardening step breaks connectivity. Document the baseline configuration before making changes so you know what broke if something goes wrong.
Many switch hardening recommendations are technical, but the practical challenge is change management at scale. Develop a standard hardened baseline, version it, and deploy it consistently. If you'd like to discuss switch hardening for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.