However, it may depend on the project’s scope and the designer’s expertise. The main goal is to manage traffic entering and leaving the internal network. Aside from the business Internet access requirement, in rail, airport, and mining networks, most operational data traffic remains internal; only necessary services should exit. The design should also incorporate protection by implementing a demilitarized zone (DMZ) with proper physical and logical segmentation. Additionally, the design must connect to and establish links (e.g., within critical control rooms, dispatch centers, control towers), and ensure their perimeters are secured both physically and logically.

E. HOST SECURITY

Host security involves protecting individual computing devices—such as servers, workstations, controllers, cameras, kiosks, and other endpoints—so they resist being compromised and cannot be used to attack the rest of the network. It includes secure configuration, timely patching, vulnerability management, strong authentication, and device identity, among other measures. From an ICT design perspective, it requires selecting the appropriate equipment and connectivity that enable these controls, such as management access, proper power and cabling, and placement that minimizes tampering. For end devices used in environments such as mines, subways, airports, or educational campuses, a major risk is updating the OT systems that control critical processes. Updates, replacements, and new equipment must be tested in a non-production environment before deployment. To support this security effort, the ICT designer can specify the proper requirements for equipment procurement by detailing features that will help facilitate the implementation of security measures.

F. SECURITY MONITORING

Security monitoring usually extends beyond the ICT scope. However, the implementation of control rooms and devices that provide monitoring capacity might be part of the scope. Therefore, the design should include clear routes for monitoring signals, and telecommunications rooms should have space for small collectors or aggregators. Designs should allocate rack U space, power outlets, and patching for monitoring gear, and coordinate with the client on which devices will require redundant power and network connections. Since path diversity (i.e., A/B routes) for critical monitoring is desirable but expensive, it should be prioritized.

G. SUPPLY CHAIN MANAGEMENT

Supply chain management is often overlooked, but it is vital for protecting systems. There have been large-scale attacks where the primary vector was the supply chain. While software is often the initial target, as seen in the SolarWinds incident [3], there are also less-publicized cases where hardware, components, or embedded software are compromised before delivery. Examples include Lenovo’s “Superfish” adware issue [4] and “Operation Network Raider” [5], a U.S. enforcement action that uncovered counterfeit and tampered networking equipment. An ICT designer can add value by making recommendations for the procurement process. Verify the authenticity of acquired equipment and consider product restrictions and the country of the manufacturer. Requirements for government systems may vary greatly from those for private enterprises. The country where the project is carried out may also enforce specific rules and standards, so local laws and regulations must be reviewed. Buying through authorized channels and avoiding gray-market brokers cannot always provide a clear chain of custody. Use factory and site acceptance testing (FAT/SAT) to test equipment, confirm authenticity, and validate firmware/software and hardware integrity. It would be ideal to include in the contract clearly defined supply chain requirements (e.g., authenticity, traceability, secure updates, disclosure of country of origin), aligned with local laws and the project’s security plan.

H. HUMAN ELEMENT

The human element is fundamental to security. Even indirectly, design choices can help support efforts to protect systems, especially since a large number of breaches involve human error. While underground mines, subways, and educational institutions each have their particularities, recommendations for the human element tend to be similar because they are rooted in behavior rather than architecture. Practical steps include following recognized standards and frameworks. Deviating from them can lead personnel, especially those unfamiliar with a novel design, to take actions that undermine secure operation. Providing high-quality documentation is also essential. User manuals, procedures, and accurate as-built designs/diagrams help end users understand the system and operate it safely.

CONCLUSION

Integrating security into special-premises ICT designs early on, whether in mines, rail systems, airports, or campuses, is crucial. When security is considered from the beginning, risk assessments can subtly influence deliverables and specifications by determining equipment placement, cable routing, and necessary fallback links. Designers need to maintain focus on what works day-to-day, placing equipment where it will last, routing cables so a single failure does not stop critical services, and designating labeled space and cabling for monitoring to make issues easy to identify and fix. Additionally, providing clean inventories, diagrams, and runbooks so operations teams know what they have and how to recover it is vital. Designs that safeguard what the public can access and what operations cannot afford to lose, while making recovery straightforward, tend to be safer, more resilient, and easier to manage as these sites grow and evolve.

REFERENCES

1. CrowdStrike. 2025. 2025 Global Threat Report. https://go.crowdstrike.com/2025-global-threat-report.html
2. CISA, “Recommended Cybersecurity Practices for Industrial Control Systems”, 2019, https://www.cisa.gov/ics
3. https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic
4. https://www.cisa.gov/news-events/alerts/2015/02/20/lenovo-superfish-adware-vulnerable-https-spoofing
5. https://archives.fbi.gov/archives/news/pressrel/press-releases/departments-of-justice-and-homeland-security-announce-30-convictions-more-than-143-million-in-seizures-from-initiative-targeting-traffickers-in-counterfeit-network-hardware

AUTHOR BIOGRAPHY: Javier Macias, CISSP, PMP, CCNA, is a Communication & Cybersecurity Engineer at Hatch. He leads and supports the design and implementation of ICT systems for major mining and rail projects, including CCTV, network infrastructure, and access control. Previously, Javier served nearly 23 years in the Chilean Army as a Signal Officer, retiring as a Major after roles in telecommunications, electronic warfare, and cyber operations. He holds an M.S. in Cybersecurity, an M.A. in Military History, and bachelor’s degrees in Communications and Military Science. He can be reached at Javier.macias@hatch.com
ICT TODAY
October/November/December 2025