When you have a job to do, tools that are simple to use and designed for your industry go a long way towards helping you achieve results. In the area of ICS security the Belden philosophy is that industrial security needs to be simple in order to be effective.

Industrial facilities are staffed by engineers, technicians and maintenance people, not security experts, so complicated IT firewalls are just that - complicated.

That’s why our firewalls have graphical tools that help controls specialists build traffic rules using terms and concepts that are familiar to them. For example, most engineers who use Rockwell control products do not have any idea what CIP objects and services are flowing over their network. The system just works.

They might not even know what TCP and UDP port numbers their PLC to HMI traffic uses. But they do know that they want EtherNet/IP messages to go from a PLC to an HMI so they can read a set of analog values.

A capability of our devices, Firewall Learning Mode (FLM), removes a lot of the difficulty of configuring and testing firewalls. It also greatly reduces a traditional installation risk – network interruptions.

 ICS Security for MillThe odds of control specialists successfully implementing effective ICS security are greatly increased when they select industrial firewalls with Firewall Learning Mode.

1. Firewall Learning Mode Makes it Easy to Identify Network Traffic 

One of the most challenging things to do when setting up a firewall is collecting the required information about which devices need to communicate with each other and what protocol they are using for communication.

Remember, a firewall is simply a device that monitors and controls traffic flowing within or between networks. It starts by capturing traffic passing through it and comparing that traffic to a predefined set of rules. Any messages that do not match the rules are discarded.

Rather than having to start specifying communication rules from scratch, Belden firewall products have the ability to identify the existing traffic on a network and present it to the person configuring the device. The feature that does this is called FLM and its first key benefit is that it describes the traffic currently occurring on the live network.

To do this, it is as simple as selecting “Start learning,” letting the device run for a while, and then select “Stop learning.” All traffic that passes through the firewall is identified and shown in the graphical user interface. Firewall Learning ModeFirewall Learning Mode is turned on in the EAGLE One security router. (Click here for larger image)

An additional approach is the one our Tofino firewall takes. It provides pre-defined templates for over 25 families of popular industrial controllers, including rule definitions to protect devices with known vulnerabilities.

2. FLM Makes it Easy to Create Rules for Network Security

By default, FLM automatically creates rules that allow packets to pass through it in either direction. Using this captured data, the person configuring the firewall selects the rules for the traffic they want to allow. The “allow” rules are added to a temporary rule set.

Traffic that does match an “allow” rule will be blocked. Firewall Learning Mode 2Rules generated by Firewall Learning Mode are accepted. Interface shown is for the EAGLE One security router.  (Click here for larger image)

As the screen shot above shows, EAGLE One provides the IP address of the computer sending messages and the IP address of the computer/device receiving messages. It also shows the Source and Destination ports, which indicate the application protocol being carried in the message.

3. FLM Makes it Easy to Test Rules – Without Impacting Network Traffic or Production

Now, let’s think about this for a minute. A firewall has been installed in the network and is operating and has presented the traffic passing through it. Firewall rules have been selected. Wait! Once a rule is configured and active, isn’t the firewall using the rule to filter traffic? What about possible impacts on network traffic and production?

The good news is that FLM includes the capability of applying rules in a firewall operational mode called Test. In this state, all packets pass through the firewall filters, but the ones that would have been stopped are identified.

This allows the control engineer to study the blocked traffic and think through implications before activating the rule set. If the devices behind the firewall will work properly and if extraneous or malicious traffic would be stopped, then test rules can be saved into active configuration.

Today’s Technology Makes Implementing ICS Security Easy

While many industrial protocols are insecure by design, controls specialists can readily secure their networks using new industrial firewalls that are designed to make it simple. At Belden, both the EAGLE One security router and the Tofino Xenon security appliance include Firewall Learning / Test Modes. You can learn more about these products using the links provided below.

If you want hands-on experience with these firewalls, the upcoming Belden Design Seminar has labs where you will be able to do just that.

How do you secure industrial protocols and communications? I look forward to hearing from you.

Editor’s Note: This article was developed with expertise from Nils Buecker, a product manager in our Hirshmann group.

Related Links

Cyber Security Case Study
This article describes a project where test mode was a firewall purchase criteria:

Industrial Firewall Concepts

Belden Industrial Firewalls