Core category 13: Network & Firewall
One-liner
Design, segment, and protect PCP networks and firewalls to reduce attack surface, keep operations reliable, and stay audit-ready.
Description
This category covers distinct networking run by the business and the corporate network governed by Group IS. It includes firewall configuration, VLAN standards, secure remote access (VPN/jump), and monitoring. The goal is to minimise lateral movement, protect integrity and confidentiality, and make behaviour traceable.
Aligned with the Distinct Compute Reference Design (DRD) and ISO/IEC 27001, this guide sets a global PCP baseline with room for local needs.
Scope & objectives
-
Network architecture & segmentation
Build robust, logically segmented topologies (e.g., IT/OT separation, management zones) to enforce least-privilege traffic. -
Firewall configuration & rule management
Maintain consistent zone-to-zone rulesets; review and clean up regularly to reduce risk and misconfiguration. -
Remote access & connectivity
Use secure access paths (VPN, jump hosts/RDG), strong authentication, session monitoring, and logging for sensitive environments. -
Traffic monitoring & intrusion detection
Deploy IDS/IPS/NetFlow and central logging to detect anomalies and intrusions proactively. -
VLAN standards & access control
Apply standard VLAN schemes and ACLs to segment users, servers, and devices with granular enforcement. -
Policy & compliance alignment
Ensure configs match internal policies and external frameworks (ISO/IEC 27001, ABB Network Security Policies). Keep evidence for audits.
Value & benefits
- Reduced attack surface – Segmentation and strict controls limit lateral movement and isolate critical systems.
- Operational continuity – Solid designs deliver high availability and less downtime.
- Regulatory compliance – Alignment with ISO 27001 and ABB policies improves audit readiness and lowers compliance risk.
- Improved visibility & control – Central logging and structured rulesets speed detection and response.
- Scalability & standardisation – Templates for firewalls and VLANs simplify expansion and maintenance across regions and sites.
- Security assurance – Secure remote access, strong auth, and detection mechanisms protect confidentiality and integrity.
Controls — overview (24)
| Control no. | Category | Focus | Outcome |
|---|---|---|---|
| 3.01 | Network | Record all network devices in ServiceNow | Complete asset inventory |
| 3.02 | Network | Ensure dedicated management interface on all devices | Secure administrative access |
| 3.03 | Network | Place management interfaces in the management network | Controlled and restricted access |
| 3.04 | Network | Disable insecure protocols (HTTP, Telnet, FTP, etc.) | Encrypted & secure admin traffic |
| 3.05 | Network | Install only valid ABB PKI certificates | Trusted device & secure communication |
| 3.06 | Network | Enable log forwarding on all devices | Audit-ready & central monitoring |
| 3.07 | Network | Configure authentication via AD / Entra ID | Centralised identity; no shared accounts |
| 3.08 | Network | Apply ABB local account policy (complexity, expiration) | Strong credential hygiene; reduced risk |
| 3.09 | Network | Configure devices for redundancy/high availability | Increased service reliability |
| 3.10 | Network | Monitor devices (health, performance, errors & history) | Proactive operations & early detection |
| 3.11 | Network | Record all routable subnets correctly in SNOW | Accurate routing & IP management |
| 3.12 | Network | Terminate subnets of same segregation on the firewall | Enforced network segmentation |
| 3.13 | Firewall | Record all firewalls in ServiceNow | Complete & accurate firewall inventory |
| 3.14 | Firewall | Ensure dedicated management interface | Secure admin access |
| 3.15 | Firewall | Place management interface in the management network | Restricted & controlled admin path |
| 3.16 | Firewall | Disable insecure protocols (HTTP, Telnet, etc.) | Encrypted firewall administration |
| 3.17 | Firewall | Install valid ABB PKI certificates | Trusted & secure firewall communication |
| 3.18 | Firewall | Enable log forwarding to central SIEM | Full auditability & security monitoring |
| 3.19 | Firewall | Configure authentication via AD / Entra ID | Centralised authentication; no shared accounts |
| 3.20 | Firewall | Apply ABB local account policy (complexity, expiration) | Strong authentication & credential hygiene |
| 3.21 | Firewall | Deploy in redundant setups | High availability & failover readiness |
| 3.22 | Firewall | Configure per ABB hardening policy | Reduced attack surface & policy compliance |
| 3.23 | Firewall | Monitor performance/health & store history | Stability, early detection & forensic data |
| 3.24 | Firewall | Ensure all firewalls are Next-Gen | Advanced security capabilities enabled |
Control requirements — detailed
| Control no. | Category | Control requirement | Description |
|---|---|---|---|
| 3.01 | Network | All network devices are recorded in ServiceNow | Register routers, switches, Wi-Fi controllers, and appliances in ServiceNow CMDB with correct CI type, owner, location, IPs, and tags. |
| 3.02 | Network | Dedicated management interface on all devices | Use a separate management port/VLAN for administration; admin access only via the management VLAN. |
| 3.03 | Network | Management interfaces are in the management network | Place all mgmt interfaces (switch mgmt VLAN, OOB ports, console servers) in the dedicated management network; restrict access via Jump/VPN. |
| 3.04 | Network | Insecure protocols disabled | Disable HTTP, Telnet, FTP, SNMPv1/v2 and other cleartext services. Enforce HTTPS, SSH, SNMPv3 and block cleartext ports via ACLs/firewall. |
| 3.05 | Network | Only valid ABB certificates installed | Use ABB PKI for HTTPS/SSL admin interfaces. Remove default/self-signed certificates and track renewals. |
| 3.06 | Network | Log forwarding enabled | Forward syslog/NetFlow to Splunk/SIEM; configure NTP for accurate timestamps. |
| 3.07 | Network | Authentication via AD / Entra ID | Integrate with TACACS+ / RADIUS; enforce RBAC, no shared admin accounts, MFA where supported. |
| 3.08 | Network | Local accounts follow ABB policy | Enforce password complexity & expiration; allow local accounts only for break-glass. Prefer domain auth. |
| 3.09 | Network | Redundant/high-availability setup | Use dual PSUs/uplinks, VRRP/HSRP, LACP, redundant core/distribution. Provide topology evidence. |
| 3.10 | Network | Devices are monitored | Monitor device & port status, CPU/RAM/network/disk, performance indicators, errors/alerts; keep ≥ 6 months history. |
| 3.11 | Network | Routable subnets recorded in SNOW | Document subnets, masks, VLAN IDs, routing and purpose in ServiceNow. Keep updated through lifecycle changes. |
| 3.12 | Network | Same-segregation subnets terminate on firewall | All VLANs of a security zone (OT, Office, DMZ, etc.) must terminate on the firewall. No L3 bypass. |
| 3.13 | Firewall | All firewalls recorded in ServiceNow | Register firewall clusters/virtual firewalls with CI type, owner, location, IPs, cluster members, and tags. |
| 3.14 | Firewall | Dedicated management interface | Use separate MGT interfaces isolated via mgmt VLAN or OOB network. Access from Jump/VPN only. |
| 3.15 | Firewall | Mgmt interface in the management network | Place mgmt ports in the designated mgmt network; restrict via ACLs and AD auth. |
| 3.16 | Firewall | Insecure protocols disabled | Allow only HTTPS/SSH; disable cleartext/legacy mgmt protocols and insecure SNMP versions; block ports accordingly. |
| 3.17 | Firewall | Valid ABB certificates installed | Use ABB certificates on HTTPS admin pages, VPN portals, and inspection services. Remove self-signed certs. |
| 3.18 | Firewall | Log forwarding enabled | Send traffic/threat/system/config logs to Splunk/SIEM; NTP configured. |
| 3.19 | Firewall | Authentication via AD / Entra ID | Use TACACS+/RADIUS/SSO; enforce RBAC; MFA mandatory for admin access where supported. |
| 3.20 | Firewall | Local accounts follow ABB policy | Apply ABB password complexity & expiration; local accounts break-glass only. |
| 3.21 | Firewall | Redundant deployment | Deploy HA pairs (active/active or active/passive), redundant power/uplinks/paths; provide HA configuration evidence. |
| 3.22 | Firewall | Aligned to ABB hardening policy | Apply ABB baseline: disable unused services, harden admin interface, secure logging, restricted API, secure boot, updated firmware. |
| 3.23 | Firewall | Monitoring requirements met | Monitor device health, CPU/memory/disk, interface/throughput/latency, error/threat events; notify via mail/ticket; keep ≥ 6 months history. |
| 3.24 | Firewall | Next-Gen capability | Firewalls support NGFW features: App-ID, User-ID, IPS/IDS, SSL inspection (where allowed), anti-malware, URL filtering. Not legacy L3-only. |
Typical artefacts & documentation
- Network HLD/LLD
- Zoning & segmentation blueprints (IT/OT, DMZ, management)
- Firewall rule docs and rule review logs
- ACL and VLAN documentation
- Remote access design, user access logs, VPN & Jump Host/RDG configs
- IDS/IPS deployment diagrams
- Network monitoring dashboards & alerting configuration
- Logging and traffic audit reports
- Policy alignment checklists (ISO 27001, ABB standards)
- Change/exception approvals for firewall/network rules
- Incident response & containment procedures for network components
- Remote-access usage statistics and session logs
Example topology — OPC or large country hub (illustrative)
- Shared Platform, Engineering, and Software Build use global IP ranges; servers join the global AD domain.
- Engineering (brownfield), ABB University, and Demo are segregated from Corporate due to external exposure or EoL systems.
- R&D is segregated because it may host systems not compliant with Cyber/IS policies and standards.
DSR guideline (labs)
- Labs are fully segregated from ABB Corporate and local networks via a firewall.
- One physical firewall, or a shared physical firewall, serves the South region; the North and South firewalls may be identical with logical separation.
- VPN connectivity is established for each lab environment.
- Remote Desktop Gateway (RDG) and jump servers are permitted.
- Internet access is allowed through a proxy governed by PAPCP policies.