Every day, engineers from grid operators or their vendors use engineering laptops in their work. They use the laptops to configure and maintain equipment in critical OT systems, such as distribution or substation automation systems, the SCADA system, or the smart metering system. If a laptop is compromised or infected by malware, it can be used to gain access to any of these critical systems.
But the engineering laptops are also exposed to a wide range of threats. They can be infected by malware through the many network connections engineers need to make: to corporate IT systems to get configuration files or data from repositories, to the internet to get firmware, software and manuals from vendors, and to colleagues or contacts at vendors to get remote support. They can also be infected through the USB drives that are used to transfer data to field equipment. Or the laptops can be stolen or physically tampered with, as engineers take them wherever they go for their work.
So, as the laptops are exposed to many threats and the impact of a compromise could be high, it is important to secure them well. This document presents a security architecture to protect engineering laptops. It is intended to be used together with an information security management system (ISMS) based on ISO/IEC 27001:2013 or similar.