OT Recovery Handover Document
$62 21 789-1661
MMuamar
1. Objective of this document
This document's purpose is to r
and identify possible risks after the team leaves the site. It needs to be signed for final confirmation
by both the Plant Manager or deputy, as well as the OT Recovery team.
2. Status Checklist
Requested Firewall rules have | No request raised
Network Changes to connect all Windows devices to the firewall | Closed
Physical Connectivity | Closed
Endpoints
FortiEDR | Closed
Rules established | Closed
Whitelisting
EDR Tag submitted to Network team for analysis
Protection mode applied | Open | oe vetting
3. Devices
Total number of devices
FortiEDR is installed and device visible in the FortiEDR console
Agreed exception/outstanding work, please state in
Total number of unprotected devices
Total number of protected devices 57
4. Outstanding Work
The outstanding work described below must be completed before this site can be considered
“hardened”. Note that no firewall rules and no remote access can be approved until the site is
hardened.
5. Further commitments
In addition to any work described in the Outstanding Work section, the Plant Manager commits to
the following actions.
1. No Linux desktop or Windows device will be connected to the OT Network without
FortiEDR installed. Note that this includes visiting engineers and support staff, who
must NOT connect their own laptops to the OT network without FortiEDR installed.
If in doubt, please contact Knauf PNE.
2. Any new Linux desktop or Windows device added to the OT network, or any device
that is changed on the OT network, must have FortiEDR installed immediately it is
connected.
3. Any OT device which is intermittently connected to the OT network (for example, a
laptop that is occasionally connected to programme other devices) must be
connected to the OT network at least once per month. This will ensure that it
receives updates, and that it registers with the FortiEDR Manager as still being
active.
4. FortiEDR MUST NOT be removed from any device without consultation with the
SOC first.
5. Any devices that have been left isolated from the OT network must remain isolated
and NEVER be connected to the OT or any other network. This includes connection
via any WiFi or modem link. Any device that needs to be connected to the isolated
device must have FortiEDR installed BEFORE connecting. Avoid connecting USB
sticks to the isolated device — where this is unavoidable, the USB stick must be
newly formatted and scanned for malware before use.
6. Identified Risks
Table of risks identified at the site, including problems with devices and other relevant information
gathered at the site.
R-001 | Windows client and Windows server installed [illegible] have the same username and password | Muamar | Make a different Username Password for the each Windows Client and Windows Server
R-002 | Username and password used on the Windows Client and Server are easy to guess | Muamar | Create a new Username Password that are hard to guess and must be complex
R-003 | The new OT Segment connection that will be installed on the client is different from the existing segment / Office segment, which makes devices installed FortiEDR unable to connect to the Office network and do not get service from the Segment office | Muamar | Add the LAN Converter on the device and add segment Office on the device
The risk must be reviewed and accepted by the Plant Manager and the OT Project team before the project can
be closed for this site.
+ Acceptance of this document means that the business owner acknowledges and accepts the increased risk and
the actions decksed to reduce that risk.
7. Signatures
I hereby accept the responsibility for the outstanding work within the plant and the further
commitments. I have read and understood the content of this document. It will be made available to
Regional Managers and Tech Directors, and that residual risks will be logged in a central risk register.
Executive Approval
Niko det
Plant Manager
bi $0 Nov 2622
Recovery Project Team
(OT Recovery team lead)
Signature Date
Appendix
List of Devices
This section lists all Windows or Linux desktop devices found on this site.
Note: if the work status is not "Protection" or "Agreed exception", further work is needed before this site can be considered "hardened". This is listed in the Outstanding Work section above.
Network Changes
Description of all Network changes made during the on-site visit
Network Architecture