Infrastructure Hardening Kit

Productized Security for Critical Systems

The Infrastructure Hardening Kit is a proven architecture and implementation approach for securing industrial control systems without disrupting operations.

Rather than custom engineering each engagement, the Kit provides validated components, reference architectures, and deployment procedures that can be adapted to your specific environment.

This approach delivers better security, faster deployment, and lower total cost than traditional consulting.

What’s Included

The Kit consists of:

Reference Architectures

Network Segmentation for OT/IT Separation
Proven designs for isolating control networks from corporate IT using data diodes, unidirectional gateways, and DMZ architectures. Includes traffic flow analysis and firewall rulesets.

Secure Remote Access
Jump box and VPN configurations that provide authenticated, logged access to control systems without exposing them to the internet. Includes multi-factor authentication and session recording.

Version-Controlled Configuration Management
Git-based tracking of PLC programs, HMI configurations, and SCADA system settings. Includes change attribution, approval workflows, and automated rollback procedures.

Automated Vulnerability Management
Continuous CVE monitoring with prioritization based on exploitability and compensating controls. Includes patch testing procedures and emergency response playbooks.

Validated Components

Data Diodes and Unidirectional Gateways
Specific hardware and configuration for ensuring data can only flow from OT to IT (monitoring, logs, alarms) and never the reverse without explicit human intervention.

Intrusion Detection for Industrial Protocols
IDS signatures and rules tuned for Modbus, DNP3, OPC, and other ICS protocols. Detects unauthorized commands, unusual traffic patterns, and known attack signatures.

Configuration Management Database (CMDB)
Asset inventory system integrated with CVE databases. Tracks every control system, its software versions, known vulnerabilities, and patch status.

Network Tap and Monitoring Infrastructure
Passive monitoring points that provide visibility into control network traffic without introducing points of failure.

Deployment Procedures

Assessment → Design → Implementation → Verification
Step-by-step playbooks for evaluating current state, designing hardening measures, deploying changes, and proving effectiveness.

Minimal Disruption Operations
Procedures designed to be deployed during normal maintenance windows without taking critical systems offline.

Testing and Validation
Methods for verifying that security controls work as designed and don’t interfere with operational requirements.

How It Works

Phase 1: Assessment (2-4 weeks)
Independent evaluation of current security posture using the Infrastructure Security Assessment methodology.

Phase 2: Design (1-2 weeks)
Selection and adaptation of Kit components to your specific environment. Includes architecture diagrams, implementation plan, and risk analysis.

Phase 3: Implementation (4-12 weeks)
Deployment of hardening measures according to validated procedures. Typically done in stages to minimize operational impact.

Phase 4: Verification (1-2 weeks)
Testing and validation that security controls are functioning as designed. Includes penetration testing, traffic analysis, and compliance verification.

Phase 5: Maintenance (ongoing, optional)
Continuous monitoring, CVE tracking, and periodic re-assessment to ensure controls remain effective.

Why a Kit Approach

Faster Deployment
Proven architectures and procedures reduce design time and eliminate trial-and-error implementation.

Lower Cost
Standardized components and deployment playbooks reduce consulting hours required.

Better Quality
Validated components that have been tested in production environments across multiple facilities.

Knowledge Transfer
Documented procedures enable your staff to maintain and extend security controls over time.

Compliance Ready
Kit components map directly to CISA requirements, NIST frameworks, and common state/local mandates.

Typical Engagement

Small Facility (single site, < 50 control systems)
– Assessment: $25k – $50k
– Kit Implementation: $75k – $150k
– Timeline: 3-5 months
– Ongoing maintenance: Optional

Medium Facility (multiple sites or complex systems)
– Assessment: $50k – $100k
– Kit Implementation: $150k – $300k
– Timeline: 4-8 months
– Ongoing maintenance: Optional

Large or Distributed Systems
Custom scoping required. Kit approach scales to multiple facilities with shared architecture and centralized monitoring.

What You Get

At the end of a Kit implementation, you have:

  • Eliminated internet exposure of critical control systems
  • Enforced network segmentation between OT and IT
  • Version-controlled configurations with change attribution and rollback capability
  • Automated CVE tracking and vulnerability management
  • Intrusion detection tuned for industrial protocols
  • Audit trails sufficient for compliance and incident response
  • Documentation and procedures for ongoing maintenance

All controls are provable, not aspirational.

Who This Is For

The Infrastructure Hardening Kit is designed for:

  • Water and wastewater treatment operators
  • Municipal power and utilities
  • Industrial facilities with SCADA/ICS systems
  • Organizations subject to CISA directives or state security mandates
  • Operators who need proven security, not experimental custom solutions

If you’re comfortable with internet-exposed control systems, this is unnecessary.

Next Steps

Start with an assessment to understand current exposure and gaps.

Receive a fixed-fee proposal for Kit implementation tailored to your environment.

Deploy in stages to minimize operational disruption.

Prove security through testing and verification, not documentation.

Contact

For inquiries about the Infrastructure Hardening Kit: info@lexrosa.com

We respond to serious inquiries within 48 hours.