Quality & Acceptance
Chapter 10 — Quality standards, acceptance testing procedures, and compliance verification for OT/IT network segmentation deployments
10.1 Quality Standards and Compliance Baseline
Quality assurance for OT/IT network segmentation deployments must address both the physical installation quality and the logical security configuration quality. Physical quality covers cable management, labeling, grounding, and environmental compliance. Logical quality covers firewall rule correctness, zone isolation verification, access control enforcement, and audit trail completeness. Figure 10.1 below contrasts a non-compliant and a compliant installation and highlights the quality indicators that acceptance testing must verify.
Figure 10.1: Quality Comparison — Non-Compliant (left) vs. Compliant (right) industrial DMZ cabinet installation. Key differences: cable color coding and management, port labeling, zone identification, documentation, equipment selection, and physical security. The compliant installation demonstrates proper IT zone (blue cables), OT zone (orange cables), and management network (yellow cables) separation with clear zone labels and a laminated network diagram on the cabinet door.
| Quality Dimension | Non-Compliant Indicators | Compliant Requirements | Verification Method |
|---|---|---|---|
| Cable Management | Tangled cables, mixed colors, no routing plan | Color-coded by zone, routed in separate trays, labeled at both ends | Visual inspection, cable test |
| Port Labeling | Unlabeled or inconsistently labeled ports | All ports labeled with zone ID, device name, and VLAN | Visual inspection, documentation review |
| Zone Separation | IT and OT cables mixed in same tray | Physically separate cable paths for IT, OT, and management | Physical inspection |
| Credential Management | Shared credentials, passwords on sticky notes | Individual accounts, MFA, PAM-managed credentials | User account audit, PAM review |
| Equipment Selection | Consumer-grade or unmanaged switches | Industrial-grade, managed, certified equipment | Equipment inventory review |
| Documentation | No on-site documentation | Laminated network diagram in cabinet, equipment log book | Visual inspection |
| Physical Security | Cabinet unlocked, no access control | Cabinet locked, access log, camera coverage | Physical security audit |
10.2 Acceptance Testing Procedure
The acceptance testing procedure for an OT/IT segmentation deployment is structured as a series of test phases, each building on the previous. Testing must be conducted in a defined sequence to ensure that foundational requirements (physical installation, connectivity) are verified before higher-level requirements (security policy enforcement, monitoring). All test results must be documented in the acceptance test report and signed off by the project owner, OT security team, and plant operations representative.
| Test Phase | Test Cases | Pass Criteria | Tools Required | Responsible Party |
|---|---|---|---|---|
| Phase 1: Physical | Cable continuity, cable labeling, grounding, environmental (temp/humidity), power redundancy | 100% cable continuity, all cables labeled, grounding resistance <1Ω, temp 10–40°C, humidity 20–80% | Cable tester, multimeter, thermometer, hygrometer | Installation Team |
| Phase 2: Connectivity | Layer 2 connectivity per zone, VLAN isolation, routing table verification, firewall interface status | All intended paths reachable, all unintended paths unreachable, correct VLAN assignments, no inter-zone route that bypasses the firewall | Network analyzer, ping, traceroute | Network Engineer |
| Phase 3: Security Policy | Firewall rule enforcement (permit/deny), DMZ service reachability, zone-to-zone isolation test, DPI functionality | All permit rules pass, all deny rules block (traffic dropped at the boundary, not merely refused by the target host), DMZ services reachable from correct zones only, DPI identifies OT protocol test traffic and enforces the configured policy | Nmap, Wireshark, firewall policy tester | OT Security Team |
| Phase 4: Authentication | MFA enforcement, PAM access control, session recording, certificate validation, emergency access | MFA required for all remote access, sessions recorded, certificates valid, emergency access documented | PAM audit tool, certificate checker | OT Security Team |
| Phase 5: Monitoring | IDS alert generation, syslog forwarding, SIEM correlation, NTP synchronization, backup verification | IDS generates alerts for test events, logs forwarded within 60s, SIEM receives and correlates events, time sync <1s across all devices, configuration backup restore tested | IDS test tool, log analyzer | SOC / OT Security |
| Phase 6: Performance | Firewall throughput under load, failover time (HA), latency impact on OT protocols | Throughput ≥ design spec, HA failover <30s, OT protocol latency increase <10ms | Traffic generator, protocol analyzer | Network Engineer |
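The Phase 2 and Phase 3 rows state the pass criteria but not how a single probe result is classified, and that classification is where isolation tests most often go wrong. The script below is an added example for this chapter, not a tool from the original text or from any firewall vendor: it runs a zone-to-zone test matrix from a test host inside one zone and distinguishes a connection that was dropped at the boundary (the only acceptable result for a deny case) from one the target host itself refused, which means the packet crossed the zone boundary. The zone names, the test matrix and the RFC 5737 documentation addresses are constructed for illustration; a site replaces them with its own test targets.

```python
"""Live zone-to-zone isolation check for acceptance Phases 2 and 3.

Run from a test host placed inside each zone; only the cases whose src_zone
matches the zone named on the command line are executed. Addresses below are
constructed RFC 5737 documentation addresses standing in for real hosts.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Probe outcomes. REFUSED matters for a deny case: a TCP RST proves the SYN
# reached the target and was answered, so the firewall did not block the path.
OPEN, REFUSED, FILTERED = "open", "refused", "filtered"


@dataclass(frozen=True)
class Case:
    src_zone: str   # zone the probing host sits in: "IT", "DMZ" or "OT"
    dst: str        # target address
    port: int       # TCP destination port
    expect: str     # "allow" (permit rule under test) or "deny" (isolation under test)
    note: str


def probe_tcp(dst: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt as open, refused or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((dst, port))
            return OPEN
        except ConnectionRefusedError:
            return REFUSED      # RST received: path is open, service is down
        except OSError:
            return FILTERED     # timeout or ICMP unreachable: dropped or unrouted


def verdict(expect: str, outcome: str) -> bool:
    """Phase 3 pass criteria: permit rules must work, deny rules must block.
    A deny case passes only when the probe is FILTERED; REFUSED is a failure
    because the packet crossed the zone boundary."""
    if expect == "allow":
        return outcome == OPEN
    if expect == "deny":
        return outcome == FILTERED
    raise ValueError(f"unknown expectation {expect!r}")


def run_matrix(cases: List[Case], src_zone: str,
               probe: Callable[[str, int], str] = probe_tcp) -> List[Tuple[Case, str, bool]]:
    """Probe every case that originates from src_zone; return (case, outcome, passed)."""
    results = []
    for c in cases:
        if c.src_zone != src_zone:
            continue
        outcome = probe(c.dst, c.port)
        results.append((c, outcome, verdict(c.expect, outcome)))
    return results


def all_passed(results: List[Tuple[Case, str, bool]]) -> bool:
    return all(passed for _, _, passed in results)


def report(results: List[Tuple[Case, str, bool]]) -> str:
    """One line per case, suitable for pasting into the acceptance test report."""
    return "\n".join(
        f"{'PASS' if passed else 'FAIL'} {c.src_zone}->{c.dst}:{c.port} "
        f"expected {c.expect}, got {outcome}  ({c.note})"
        for c, outcome, passed in results
    )


# Constructed test matrix (documentation addresses, not a real site).
MATRIX = [
    Case("IT",  "192.0.2.10",    443,  "allow", "IT workstation to DMZ historian web"),
    Case("IT",  "198.51.100.20", 502,  "deny",  "IT to OT PLC Modbus/TCP must be blocked"),
    Case("IT",  "198.51.100.20", 22,   "deny",  "IT to OT PLC SSH must be blocked"),
    Case("DMZ", "198.51.100.20", 502,  "allow", "DMZ collector to OT PLC Modbus/TCP"),
    Case("OT",  "192.0.2.10",    443,  "deny",  "OT does not initiate to the DMZ web tier in this design"),
    Case("OT",  "203.0.113.5",   443,  "deny",  "OT to IT/internet must be blocked"),
]

if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "IT"
    results = run_matrix(MATRIX, zone)
    print(report(results))
    sys.exit(0 if all_passed(results) else 1)
```

Run it once from a host in each zone (`python isolation_check.py IT`, then `DMZ`, then `OT`) and attach the three reports as the evidence for the isolation test. A `refused` result on a deny case is the finding to chase: the PLC answered, so the segmentation firewall passed the SYN and the only thing that stopped the session was a closed port on the target. TCP connect probes say nothing about UDP or non-IP traffic; UDP-based OT protocols and Layer 2 isolation need their own cases and tools (Nmap UDP scans, VLAN checks) from the same table.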
10.3 Acceptance Checklist
The following acceptance checklist consolidates all mandatory verification items into a single reference document. Each item must be marked as Pass, Fail, or N/A with supporting evidence. Items marked Fail must have a documented remediation plan with a target completion date before the system is accepted for production use.
| # | Checklist Item | Category | Mandatory | Evidence Required |
|---|---|---|---|---|
| 1 | All cables color-coded by zone (Blue=IT, Orange=OT, Yellow=Mgmt) | Physical | Yes | Photograph |
| 2 | All cable ends labeled with source/destination and zone | Physical | Yes | Photograph |
| 3 | Cabinet grounding verified (<1Ω to building ground) | Physical | Yes | Multimeter reading |
| 4 | No direct IT-to-OT traffic path (verified by firewall rule audit + penetration test) | Security | Yes | Pen test report |
| 5 | DMZ services accessible only from authorized zones | Security | Yes | Firewall test results |
| 6 | All remote access requires MFA | Security | Yes | Access test log |
| 7 | All privileged sessions recorded by PAM | Security | Yes | PAM session log sample |
| 8 | OT IDS generating alerts for test attack scenarios | Monitoring | Yes | IDS alert log |
| 9 | All security events forwarded to SIEM within 60 seconds | Monitoring | Yes | SIEM event timestamp comparison |
| 10 | HA failover tested and completed within 30 seconds | Performance | Yes | Failover test log with timestamps |
| 11 | Network diagram posted inside cabinet door (laminated) | Documentation | Yes | Photograph |
| 12 | Equipment log book present and initial entries completed | Documentation | Yes | Photograph of log book |
| 13 | All default passwords changed; no shared credentials | Security | Yes | Account audit report |
| 14 | Patch management workflow tested (IT → DMZ → OT staging) | Operations | Yes | Patch transfer test log |
| 15 | Incident response runbooks reviewed and signed by plant manager | Operations | Yes | Signed runbook cover page |
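Checklist items 4 and 5 call for a firewall rule audit alongside the live test. The code below is an added example written for this chapter, not an export from any real firewall or a vendor tool: it models the segmentation firewall as an ordered, first-match rulebase with an implicit final deny (the usual behaviour, to be confirmed against the deployed product), resolves a list of required and forbidden flows against it, and separately flags every permit rule that could ever match an IT source and an OT destination, including rules hiding behind `any`. The zone names, rule names, port list and flow lists are constructed for illustration.

```python
"""Static rulebase audit for checklist items 4 and 5.

The firewall is modelled as an ordered, first-match rulebase with an implicit
final deny. Rules and flow lists are constructed for this example and are not
an export from a real device.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "any"
Port = Union[int, str]   # a TCP port number or ANY


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "IT", "DMZ", "OT", "MGMT" or ANY
    dst_zone: str
    dst_port: Port
    action: str     # "permit" or "deny"


def _matches(field, value) -> bool:
    return field == ANY or field == value


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, port: int) -> Tuple[str, str]:
    """First-match evaluation; returns (action, rule name), implicit deny if nothing matches."""
    for r in rules:
        if (_matches(r.src_zone, src_zone) and _matches(r.dst_zone, dst_zone)
                and _matches(r.dst_port, port)):
            return r.action, r.name
    return "deny", "implicit-deny"


def direct_it_to_ot_permits(rules: List[Rule]) -> List[str]:
    """Checklist 4: any permit rule that can match an IT source and an OT destination
    is a direct path, whether it names the zones or uses ANY. Rule order is ignored on
    purpose: a rule that is shadowed today becomes live as soon as the rule above it
    is edited, so it is a finding either way."""
    return [r.name for r in rules
            if r.action == "permit"
            and _matches(r.src_zone, "IT") and _matches(r.dst_zone, "OT")]


def audit(rules: List[Rule], required: List[Tuple[str, str, int]],
          forbidden: List[Tuple[str, str, int]]) -> List[str]:
    """Checklist 5: required flows must resolve to permit, forbidden flows to deny.
    Returns one finding per violation, naming the rule responsible."""
    findings = []
    for src, dst, port in required:
        action, name = evaluate(rules, src, dst, port)
        if action != "permit":
            findings.append(f"required flow {src}->{dst}:{port} is denied by {name}")
    for src, dst, port in forbidden:
        action, name = evaluate(rules, src, dst, port)
        if action != "deny":
            findings.append(f"forbidden flow {src}->{dst}:{port} is permitted by {name}")
    return findings


# Constructed rulebase. Rule 4 is the kind of "temporary" exception the audit exists to catch.
RULES = [
    Rule("it-to-historian-web",  "IT",   "DMZ", 443,  "permit"),
    Rule("collector-to-plc",     "DMZ",  "OT",  502,  "permit"),
    Rule("jumphost-to-ot-ssh",   "MGMT", "OT",  22,   "permit"),
    Rule("temporary-vendor-rdp", "IT",   "OT",  3389, "permit"),
    Rule("default-deny",         ANY,    ANY,   ANY,  "deny"),
]

# Flows the design requires (constructed for this example).
REQUIRED = [("IT", "DMZ", 443), ("DMZ", "OT", 502), ("MGMT", "OT", 22)]

# Common OT protocol ports plus admin ports: none may be reachable from IT directly,
# and OT must not initiate towards IT or administer the DMZ.
OT_PORTS = [502, 102, 20000, 44818]   # Modbus/TCP, S7comm (ISO-TSAP), DNP3, EtherNet/IP
ADMIN_PORTS = [22, 3389]
FORBIDDEN = ([("IT", "OT", p) for p in OT_PORTS + ADMIN_PORTS]
             + [("OT", "IT", 443), ("OT", "DMZ", 22)])

if __name__ == "__main__":
    for name in direct_it_to_ot_permits(RULES):
        print(f"checklist 4: direct IT->OT permit in rule {name}")
    for finding in audit(RULES, REQUIRED, FORBIDDEN):
        print(f"checklist 5: {finding}")
```

Feed it the exported rulebase translated into `Rule` objects and keep the `REQUIRED` and `FORBIDDEN` lists under version control next to the network diagram; the same lists then define the cases for the live isolation test, so the static audit and the penetration test that item 4 asks for check the same design intent. The static audit cannot see what the rulebase does not express (NAT, routes that bypass the firewall, a management interface on the wrong VLAN), which is why item 4 requires both.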