ea OT Recovery Handover Document $62 21 789-1661 MMuamar 1. Objective of this document ‘This document's purpose is to r ‘and identity possible risks after the team leaves the site. It needs to be signed for final confirmation by both the Plant Manager or deputy, as well as the OT Recovery team, 2. Status Checklist ‘Requested Firewall rules have F ee No request raised = Network Chenges to connectal | Cioseg Windows devices to the frewall Physical Connectivity Closed Endpoints ForieOR Closed Rules establishes Closed writelising EDR Tag submitted o Network team for analysis Protection mace applied Open | oe vetting 3. Devices ad Total number of devices ForfiEDR Is installed and device visible in the | FortiEDR console “Agreed exception/ outstanding work, please state in Total number of unprotected devices . tam ‘Total number of protacted devices 57 Recovers Honaoves Rept 3 ‘4. Outstanding Work ‘The outstanding work described below must be completed before this site can be considered “hardened”. Note that no firewall rules and no remote access can be approved until the site is hardened. rrr} Del od Cea ry 5. Further commitments In addition to any work described in the Outstanding Work section, the Plant Manager commits to the following actions. 1, No Linux desktop or Windows device will be connected to the OT Network without FortiEDR installed. Note that this includes visiting engineers and support staff, who must NOT connect their own laptops to the OT network without FortiEDR installed. {fin doubt, please contact Knauf PNE. 2. Any new Linux desktop or Windows device added to the OT network, or any device that is changed on the OT network, must have FortiEDR installed immediately itis connected. 3. Any OT device which is intermittently connected to the OT network (for example, a laptop that is occasionally connected to programme other devices) must be connected to the OT network at least once per month. This will ensure that it receives updates, and that it registers with the FortiEDR Manager as stil being active, 4, FortiEDR MUST NOT be removed from any device without consultation with the SOC first. 5. Any devices that have been left isolated from the OT network must remain isolated and NEVER be connected to the OT or any other network. This includes connection vvia any WiFi or modem link. Any device that needs to be connected to the isolated device must have ForliEDR installed BEFORE connecting. Avoid connecting USB sticks to the isolated device — where this is unavoidable, the USB stick must be newly formatted and scanned for malware before use. 6. Identified Risks Table of risks identified at the site, including problems with devices and other relevant information gathered at the siR-001 | windows cient and windows serverinstaled | Muamar | Make a diferent Username {ort er have the same usemame and Password for the each password | Windows Cient And | Windows Server R-002 | Username and password used on the Wuamar Creale a new Usemame windows Client and Server are easy fo quess Password that are hard to LL 5 es | guess and must be complex R-003 | the new OT Segment connection that wil Muamar ‘Add the Lan Converter on be installed on the client is different from the device and add the existing segment / Office segment, segment Office on the which makes devices installed forti EDR device tunable to connect to the Office network ‘and do nol get service from the Segment office | | “The risk must be reviewed and accepted by the Plant Manager and the OT Project team before the project can be closed for this site. + Acceptance of this document means that the business owner acknowledges and accepts the increased risk and the actions decksed to reduce that risk. 7. Signatures I hereby accept the responsibility for the outstanding work within the plant and the further commitments. | have read and understood the content of this document. It will be made available to Regional Managers and Tech Directors, and that residual risks will be logged in a central risk register. Executive Approval Niko det Plent Manager bi $0 Nov 2622 ifietsile [* Recovery Project Team (OT Recovery tearmiead Signature Date‘soBueyD HOMION * o0z't¢'8r 01 Buuowuow seuens orvigcee:so\ssepccage3 or swopum = srearsuMpy s ; Ge eaudowa werazedvocoey — oF HeBrOL Zrot PENA O° oven etme | aaqempy ° esudiou3 uso f ccexpreacerozonogey SHE RYOL ——_ZhagL ANAGOL oWwor arudans— seensuupy g H bu sudo a wpososavetzwesoges OOF IEBYOL 2061 pina go: owvon. uaa sopesteusipy "6 : 6107 N05 cessoesiieseezoney ‘SHE BYOL «BALE PIRA.OOL Jowuon Le rca || icoenenanay) yososoiA ‘anoge uoqoes HOM BuIpUeIsINO OM erst $1 SNL .peuepieN, paveprsudD aq UeD ays SN €10}eq P=PROU S| 10M JAY LOU ,uoRdenx Psei6y, 40 ,uONDEIONd, OU S! SMIEIS YOM: Ou SION ‘2S SiMp Uo punoy seo|ap dapysep xnur] 30 SMOLIN II S351] UORDES SHU sootneg 403817 xipueddy -¢ er voobe anopuey siencoee 10SIA ays-Uo 4} Buunp apew Sebueyo OMEN Ie yo VoRdUOSeg en vod oncpuey Kensoees 10‘eanj2en4o1y ONION