Reliability now includes cybersecurity. Choose simple, robust topologies/media, segment with VLANs, and manage credentials, patching, and firmware across controllers and HMIs (522, 524). Define remote access rules, logging/SIEM feeds, and backups/recovery so incidents don’t halt HVM bollard operation. Physical security for panels (348) and pen-test readiness keep crash rated bollard systems defensible through audits and submittals (938). Where UAE approvals apply, see SIRA Bollards (UAE) for authority context.
535.1 Topology & media
Star/ring with fiber where noisy; document paths. Topology keeps HVM bollard comms resilient.
Favor a simple star for small sites and a managed ring (rapid re-convergence) for larger estates. Use fiber on long or EMI-noisy runs; copper is acceptable for short, shielded inter-panel hops inside the plant room. Document primary/alternate paths and termination points in the drawing standards (915) so maintenance teams can trace faults quickly.
Clock all devices to an NTP (Network Time Protocol) source; time alignment makes cross-system forensics viable. Keep control traffic separate from viewing/analytics (see 535.2) and define a specification clause (433) that fixes topology, media, and failover behavior.
| Aspect | What matters | Where to verify |
|---|---|---|
| Media | Fiber for distance/EMI; shielded copper locally | Control Architecture |
| Time sync | Single trusted NTP source | Operational Dashboards |
535.2 Addressing & VLANs
Segment safety, control, and viewing. Segmentation protects crash rated bollard traffic.
Use deterministic IP addressing (documented blocks) and segment by function using ACLs and VLANs (virtual LANs) to isolate (a) controller/HMI control, (b) safety/status signalling, and (c) viewing/analytics. Apply “default deny” between segments; open only the minimum ports/protocols required (e.g., Modbus/TCP to SCADA; BMS read-only tags).
Reserve management subnets for switches/firewalls and restrict access to engineering laptops via jump hosts. Document addressing and rules in the Integration Documentation pack (539) and keep it under Change Control & Versioning (537).
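One way to check a firewall rule export against the default-deny segmentation described above, as an added Python example that is not part of the original page. The subnets, the approved-flow list, and the rule format are constructed for illustration; only the Modbus/TCP port (502) is a fixed fact.

```python
import ipaddress

# Constructed addressing plan: one documented block per function.
SEGMENTS = {
    "control": ipaddress.ip_network("10.35.10.0/24"),
    "safety": ipaddress.ip_network("10.35.20.0/24"),
    "viewing": ipaddress.ip_network("10.35.30.0/24"),
    "mgmt": ipaddress.ip_network("10.35.99.0/24"),
}
# Approved inter-segment flows (assumed): SCADA polling over Modbus/TCP (502)
# and the jump host reaching controllers over SSH.
ALLOWED = {("viewing", "control", "tcp", 502), ("mgmt", "control", "tcp", 22)}
DENY_ALL = {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
            "proto": "any", "port": "any"}

# Constructed rule export, evaluated top to bottom.
SAMPLE_RULES = [
    {"action": "permit", "src": "10.35.30.10/32", "dst": "10.35.10.0/24", "proto": "tcp", "port": 502},
    {"action": "permit", "src": "10.35.30.0/24", "dst": "10.35.10.0/24", "proto": "tcp", "port": 80},
    {"action": "permit", "src": "10.35.0.0/16", "dst": "10.35.20.0/24", "proto": "tcp", "port": "any"},
    DENY_ALL,
]

def segments_for(cidr):
    """Names of every documented segment that a rule's CIDR touches."""
    net = ipaddress.ip_network(cidr)
    return [name for name, block in SEGMENTS.items() if net.overlaps(block)]

def audit(rules):
    """List permit rules that open a flow between segments without approval."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append("missing final default-deny rule")
    for i, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        for src in segments_for(rule["src"]):
            for dst in segments_for(rule["dst"]):
                flow = (src, dst, rule["proto"], rule["port"])
                if src != dst and flow not in ALLOWED:
                    findings.append(f"rule {i}: {src}->{dst} {rule['proto']}/{rule['port']} not approved")
    return findings
```

A broad source such as a /16 is expanded into every segment it overlaps, so a single wide permit shows up as one finding per segment pair it opens.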
535.3 Credential management
Unique credentials and rotation. Hygiene secures HVM bollard HMIs (524).
Prohibit shared admin accounts on PLCs/HMIs. Enforce unique users, strong passphrases, and periodic rotation aligned with the site’s authorization hierarchy. For day-to-day operation, use operator-role accounts with limited rights; elevate only via a documented process and audit trail.
Disable unused services, remove vendor defaults, and lock configuration exports. Where supported, pair logins with a local hardware token or at least a one-time code (MFA) on remote sessions. Reflect the policy on the HMI & Local Controls page (524) so on-screen prompts match the rules.
535.4 Patch/firmware policy
Test, back up, then patch (537). Policy avoids crash rated bollard regressions.
Define a quarterly (or vendor-driven) patch window. Before any update, export configs and images, then run a staging test using spare hardware or a lab controller. Document results and sign-off in Change Control & Versioning (537) with a rollback plan.
For safety-critical interlocks, treat firmware as a controlled item: record version, checksum, affected tags, and re-execute a subset of the SAT / Witness Procedure (638) relevant to movement timeouts and fail-state philosophy.
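The controlled-item record described above can be produced by a pre-flash gate. The following is an added Python example, not code from the original page; the function names and record fields are hypothetical, and the checksum is assumed to be a SHA-256 value published for the firmware version.

```python
import hashlib
import hmac

def sha256_file(path, chunk=1 << 16):
    """Hash the image in chunks so large firmware files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as image:
        for block in iter(lambda: image.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def firmware_record(path, version, published_sha256, affected_tags, sat_checks):
    """Build the change-control entry for one firmware image.

    Raises ValueError, so the update stops, when the image on disk does not
    match the published checksum or when no SAT re-checks are listed.
    """
    actual = sha256_file(path)
    expected = published_sha256.strip().lower()
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"checksum mismatch for {version}: got {actual}")
    if not sat_checks:
        raise ValueError("no SAT checks listed for re-execution")
    return {
        "version": version,
        "sha256": actual,
        "affected_tags": sorted(affected_tags),
        "sat_recheck": list(sat_checks),
    }
```

Store the returned record with the change-control entry (537) so the checksum of what was actually flashed can be compared later against what was approved.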
535.5 Remote access rules
VPN, MFA, and time-bound access. Rules protect HVM bollard control (521).
Permit remote access only via a site VPN with MFA and device posture checks. Use a jump server to reach the controls VLAN; block direct inbound access to PLCs/HMIs. Grant time-bound, ticketed access with session logging and screen recording for vendors during fault support.
Record remote sessions as part of the Remote Fault Logging, Counters, Health Pings (541) evidence chain; include change notes and uploaded artifacts in the Submission-Pack Guidance (938) when handing over.
535.6 Logging & SIEM feed
Ship key events for audit (541, 544). Logs expose crash rated bollard anomalies.
Define a minimal, high-value event set: mode changes, EFO initiations, interlock inhibits, controller restarts, comms loss, authentication failures, and configuration changes. Forward summaries to the site SIEM while storing detailed logs locally for a rolling period (e.g., 90 days).
Ensure time sync (NTP) and tag naming match the I/O List Template (523) so dashboards (544) and incident reviews correlate alarms with operator actions.
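The split between forwarded summaries and locally retained detail can be sketched as a filter over controller log lines. This is an added Python example, not part of the original page; the log format, event codes, and device names are constructed, with one code per event in the set listed above.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed event codes, one per item in the high-value event set.
HIGH_VALUE = {"MODE_CHANGE", "EFO_INIT", "INTERLOCK_INHIBIT", "CTRL_RESTART",
              "COMMS_LOSS", "AUTH_FAIL", "CONFIG_CHANGE"}

# Constructed sample: ISO 8601 timestamp, source, event code, free-text detail.
SAMPLE_LOG = """\
2024-05-01T08:15:02+04:00 HMI-01 AUTH_FAIL user=operator2
2024-05-01T08:15:09+04:00 HMI-01 AUTH_FAIL user=operator2
2024-05-01T08:15:30+04:00 PLC-01 BOLLARD_CYCLE lane=2
2024-05-01T04:16:00+00:00 PLC-01 MODE_CHANGE auto->local
2024-05-01T08:17:11+04:00 PLC-01 EFO_INIT source=guardhouse
not a log line
"""

def to_siem(lines):
    """Return (events to forward, per-event counts, number of rejected lines)."""
    kept, rejected = [], 0
    for line in lines:
        parts = line.split(maxsplit=3)
        if not parts:
            continue  # blank line
        try:
            ts = datetime.fromisoformat(parts[0])
            source, event = parts[1], parts[2]
        except (ValueError, IndexError):
            rejected += 1
            continue
        if ts.tzinfo is None:
            rejected += 1  # no UTC offset: cannot be correlated across systems
            continue
        if event in HIGH_VALUE:  # everything else stays in the local log only
            detail = parts[3] if len(parts) > 3 else ""
            kept.append((ts.astimezone(timezone.utc), source, event, detail))
    kept.sort(key=lambda item: item[0])
    forwarded = [{"time": ts.isoformat(), "source": src, "event": ev, "detail": det}
                 for ts, src, ev, det in kept]
    return forwarded, Counter(e["event"] for e in forwarded), rejected
```

Normalising to UTC before forwarding is what lets lines from devices with different configured offsets sort into one timeline; a rising rejected count is itself worth alerting on, since it means a device is emitting lines the SIEM never sees.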
535.7 Physical security
Lock panels and control rooms (348). Physical controls protect HVM bollard assets.
Cyber rules fail if panels are propped open. Specify tamper switches on doors, anti-pick locks with door-open tamper, and secure siting per Panel Siting & Access (348). Record key control in the asset register (732) and limit plant-room access using site PACS.
For street furniture, specify shrouds and anti-tamper fixings; segregate low-voltage control from public-facing junctions. Capture measures in the O&M Manuals (733) so guards and technicians know expectations.
535.8 Backups & recovery
Automate configs and images (522). Recovery shortens crash rated bollard outages.
Automate nightly exports of PLC/HMI projects and switch/firewall configs to a secure repository with versioning. Keep a tested “golden image” for HMIs and a spare, pre-licensed PLC/CPU where feasible (see PLC/Relay Selection, 522).
Document recovery steps as a concise runbook, including who authorizes “safe local mode”, what to verify on re-energization, and which SAT checks (638) must be repeated after a restore.
535.9 Pen-test readiness
Document scope and remediation flow. Readiness proves HVM bollard cyber maturity.
Agree the test window, in-scope IP ranges/VLANs, and out-of-bounds actions (e.g., no forced EFO). Provide a read-only account for dashboards (544) and ensure backups (535.8) are current. Nominate an accountable owner to triage findings and drive remediation through 537 Change Control.
Close the loop by updating specs (433) with hardened defaults and by refreshing operator training (737) so lessons persist beyond the audit.
