Using Industrial Firewalls For Defense In Depth
An important best practice for industrial security is to implement a Defense-in-Depth (DID) strategy. With this approach multiple layers of defense are implemented, in contrast to just one defense mechanism, such as a single firewall. A complementary best practice is Zones and Conduits, as defined in the ISA IEC 62443 standard. This involves segmenting the network into zones of devices with similar security requirements and using conduits to restrict the communication between zones.
Using Zones and Conduits as part of a Defense in Depth strategy is not a new concept. If you look at castle construction in any culture, you will see that layers of security were built into the castle design: moats, multiple walls, turrets. Individual zones of the castle are separated from each other by controlled conduits (gates, drawbridges and iron bars) to contain attackers and make their movements more difficult.
Industrial firewalls play an important role in implementing both Defense in Depth and Zones and Conduits. Let's look at three examples of how they do it.
Industrial Firewalls Establish Network or Zone Boundaries
Firewalls are devices that protect networks or network devices, such as industrial PCs, control systems and other equipment, from unauthorized access by blocking traffic to or from these systems that the security policy does not permit.
The fundamental technical function of any network firewall is to filter packets. The firewall inspects each packet it receives to determine which template for desired traffic patterns the packet corresponds to. It then either forwards the packet or filters it (drops or discards it), according to the template it matched; packets that match no template are handled by the firewall's default rule, which in a sound design is to drop them.
These templates are modeled in the form of rules. A firewall at the boundary of a network can, for example, include rules in the form of "A communication link within the network can only take place with a specified server" or "Only the PCs for remote maintenance can be reached outside the network, not any other devices."
There are many types of firewalls built for different use cases. They differ not only in their form factors, certifications, and physical specifications but also in the type of filtering they provide. For example, a firewall designed to protect an operational zone of a plant floor with a sophisticated Deep Packet Inspection filtering capability might contain rules for industrial protocols such as: "Write commands for the Modbus/TCP protocol, coil 56, are permitted only from the maintenance terminal." However, where are these firewalls used in today's security models?
NOTE: A detailed discussion of 3 different types of filtering done by industrial switches, routers and firewalls is available in a previous article.
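As an added illustration of the Deep Packet Inspection rule quoted above (example code written for this article, not firmware or configuration from any firewall product mentioned on this page), the Python below parses a Modbus/TCP request far enough to see the function code and the coil range it addresses, then enforces "writes to coil 56 only from the maintenance terminal". The host addresses, the coil numbering and the sample frames are assumptions constructed for the example. It goes slightly beyond the one-line rule: a write to a range of coils that happens to include coil 56 is caught too, and anything the filter cannot parse is dropped rather than passed.

```python
"""Modbus/TCP deep packet inspection: write commands to coil 56 only from the maintenance terminal."""
import struct
from dataclasses import dataclass

# Function codes from the Modbus Application Protocol specification.
READ_COILS, READ_HOLDING_REGS = 0x01, 0x03
WRITE_SINGLE_COIL, WRITE_SINGLE_REG = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGS = 0x0F, 0x10
COIL_FUNCTIONS = {READ_COILS, WRITE_SINGLE_COIL, WRITE_MULTIPLE_COILS}
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REG, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGS}

# Hypothetical hosts in the control zone (assumptions for this example, not from the article).
MAINTENANCE_TERMINAL = "192.168.1.20"
HMI = "192.168.1.10"
# The coil named in the rule, taken here as the raw wire address. Modbus documentation often
# numbers coils from 1 while the PDU address field starts at 0; a deployment must settle which is meant.
PROTECTED_COIL = 56


@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    start: int   # first coil/register address in the PDU
    count: int   # number of coils/registers the request touches

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS

    def touches_coil(self, coil: int) -> bool:
        """True if this request addresses the given coil (a write to a range covering it counts too)."""
        return self.function in COIL_FUNCTIONS and self.start <= coil < self.start + self.count


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the head of the PDU; ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    if length != len(payload) - 6:          # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match the frame")
    function, pdu = payload[7], payload[8:]
    if len(pdu) < 4:
        raise ValueError("truncated PDU")
    if function in (READ_COILS, READ_HOLDING_REGS, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGS):
        start, count = struct.unpack(">HH", pdu[:4])
    elif function in (WRITE_SINGLE_COIL, WRITE_SINGLE_REG):
        start, count = struct.unpack(">H", pdu[:2])[0], 1
    else:
        raise ValueError(f"function 0x{function:02X} is not on the filter's list")
    return ModbusRequest(unit, function, start, count)


def inspect(src_ip: str, payload: bytes) -> tuple[str, str]:
    """Return (verdict, reason). The filter fails closed: whatever it cannot parse is dropped."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return "DROP", f"malformed or unsupported frame: {err}"
    if req.is_write and req.touches_coil(PROTECTED_COIL):
        if src_ip == MAINTENANCE_TERMINAL:
            return "ALLOW", f"write to coil {PROTECTED_COIL} from the maintenance terminal"
        return "DROP", f"write to coil {PROTECTED_COIL} from {src_ip} is not permitted"
    if req.is_write:
        return "ALLOW", "write to an address the rule does not protect"
    return "ALLOW", "read request"


def frame(function: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source, frame, what it represents).
SAMPLES = [
    (HMI, frame(WRITE_SINGLE_COIL, struct.pack(">HH", 56, 0xFF00)), "HMI writes coil 56"),
    (MAINTENANCE_TERMINAL, frame(WRITE_SINGLE_COIL, struct.pack(">HH", 56, 0xFF00)), "maintenance writes coil 56"),
    (HMI, frame(WRITE_MULTIPLE_COILS, struct.pack(">HHB", 50, 10, 2) + b"\xff\x03"), "HMI writes coils 50-59"),
    (HMI, frame(READ_COILS, struct.pack(">HH", 0, 100)), "HMI reads coils 0-99"),
    (HMI, frame(WRITE_SINGLE_REG, struct.pack(">HH", 56, 1)), "HMI writes holding register 56"),
    (HMI, b"\x00\x01\x00\x00\x00\x06\x01\x05\x00\x38", "truncated write (length field lies)"),
]


def run_samples() -> list[str]:
    """Verdicts for SAMPLES, in order."""
    return [inspect(src, data)[0] for src, data, _ in SAMPLES]


if __name__ == "__main__":
    for (src, data, what), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:5} {src:15} {what}")
```

Two details are worth noting. The rule is about coils, so a write to holding register 56 is a different address space and is not caught by it; and the range check matters because a "write multiple coils" starting at 50 would otherwise slip past a filter that only compared the start address.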
Using Firewalls for Industrial Security
Firewalls play various roles in partitioning networks. Here are three common examples:
Firewalls at the enterprise level are generally placed in the data center and typically work in tandem with industrial hardened firewalls, such as the EAGLE 20/30, in the production area to isolate the critical control networks from the more exposed enterprise networks.
Industrial firewalls with router functions are also well suited to smaller external sites. Because such a firewall forms the border between the company's own network (the external site) and an external network (a provider network or the Internet), it must be able both to filter packets and to route and filter traffic between different networks. Such a firewall is called an IP firewall, since it processes Internet Protocol (IP) traffic.
These firewalls are often installed very near the actual facility, requiring industrial hardening of the firewall device. For example, the ability to function at high or low temperature ranges and/or approval for use in special areas (e.g. energy supply, hazardous location or transportation) may be critical.
Firewall in a WLAN
Wireless networks represent another network border, and communication from wireless to wired networks should also be protected by firewalls. If a client is connected to a WLAN, it is possible, in principle, to communicate directly with all other devices in the same network. Thus, a successful attack on a WLAN client could be extended to any other device on the Ethernet network.
Filtering this traffic requires a firewall that can also see and filter the direct traffic between wireless clients. A normal edge firewall cannot do this, because client-to-client traffic on the same WLAN never crosses the network edge. The problem is solved by restricting the forwarding of messages between WLAN clients with a firewall at the WLAN access point itself. For example, the communication of a tablet that is connected to a device via a WLAN can be limited so that it only accesses data through the user interface, but not additional subsystems or other devices connected to that device.
This is the reason why Belden industrial wireless LAN access points, for example the OpenBAT products from Hirschmann, are all equipped with firewall functionality. Devices designed for industrial environments are important here as well.
Firewalls at the Field Level
A key tenet of Defense in Depth is that protecting external network boundaries against attackers is not sufficient on its own. Multiple layers of protection are required to guard against external threats. In addition, many cyber incidents actually originate inside a network. Industry studies have shown that most cyber incidents are caused not by intentional external attacks but by software or device failures and human error.
In a networked control system, errors and mistakes can quickly propagate within the system unless proper design steps are undertaken to isolate and contain failures. Thus, an effective cybersecurity strategy is not just about security but is also an important component of ensuring the safety, resiliency and reliability of your system. This is exactly what ISA IEC 62443 and Zones and Conduits are targeted to address.
Firewalls can be used as the tool to implement the conduits that police communication between zones. They contribute to overall resiliency against unintentional errors by limiting communication between different zones of the local network.
This requires a firewall that is tailored to fit a particular use case. If communication from outside the facility is only supposed to be possible with a single device, the firewall should specifically permit this connection while it prevents other attempts at communication. To ensure only proper messages flow between zones and to critical assets, these firewalls must understand the origin and destination of the messages.
In addition, particularly for critical control systems, the firewall should also support detailed analysis of industrial protocol traffic (Deep Packet Inspection) so it can ensure the content of the messages is valid and reasonable. An example is the Tofino Xenon security appliance.
Simplified network diagram showing the use of firewalls to contribute to Defense in Depth by acting as conduits between the zones of a well segmented network.
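To make the conduit requirements above concrete (a firewall that knows the origin and destination of each message, admits communication from outside the facility to exactly one device, and denies everything else by default), here is an added Python model of a zones-and-conduits policy. It is example code for this article, not the configuration format of any product named on this page. The zone address ranges, the conduits and the connection attempts are constructed assumptions.

```python
"""Zones and conduits as a firewall policy: every zone crossing is denied unless a conduit permits it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical segmentation of a small plant; all addresses are constructed for this example.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz":        ip_network("10.10.0.0/24"),
    "cell_a":     ip_network("192.168.1.0/24"),
    "cell_b":     ip_network("192.168.2.0/24"),
}
REMOTE_MAINTENANCE_PC = ip_address("192.168.1.20")   # the single device that may be reached from outside


@dataclass(frozen=True)
class Conduit:
    """A permitted, directional flow between two zones, optionally narrowed to specific destination hosts."""
    src_zone: str
    dst_zone: str
    dst_port: int
    dst_hosts: frozenset = frozenset()   # empty means any host in dst_zone

    def permits(self, src_zone: str, dst_zone: str, dst_ip, dst_port: int) -> bool:
        if (src_zone, dst_zone, dst_port) != (self.src_zone, self.dst_zone, self.dst_port):
            return False
        return not self.dst_hosts or dst_ip in self.dst_hosts


CONDUITS = [
    Conduit("enterprise", "dmz", 443),                                           # office users reach the historian's web UI
    Conduit("dmz", "cell_a", 502),                                               # the DMZ data collector polls cell A PLCs
    Conduit("dmz", "cell_b", 502),                                               # ... and cell B PLCs
    Conduit("enterprise", "cell_a", 3389, frozenset({REMOTE_MAINTENANCE_PC})),  # remote maintenance: one host only
]


def zone_of(ip) -> str:
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"   # anything not assigned to a zone, e.g. the Internet


def evaluate(src: str, dst: str, dst_port: int) -> tuple[str, str]:
    """Decide a TCP connection attempt. The conduit firewall only sees traffic that crosses a zone boundary."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "ALLOW", f"same zone ({src_zone}); not a conduit crossing"
    for c in CONDUITS:
        if c.permits(src_zone, dst_zone, dst_ip, dst_port):
            return "ALLOW", f"conduit {c.src_zone} -> {c.dst_zone}:{c.dst_port}"
    return "DROP", f"no conduit from {src_zone} to {dst_zone} on port {dst_port}"


# Constructed connection attempts: (source, destination, port, what it represents).
ATTEMPTS = [
    ("10.0.5.7", "192.168.1.20", 3389, "office PC to the remote-maintenance host"),
    ("10.0.5.7", "192.168.1.21", 3389, "office PC to a neighbouring host in the same cell"),
    ("10.0.5.7", "192.168.1.5", 502, "office PC straight to a PLC"),
    ("10.10.0.4", "192.168.1.5", 502, "DMZ collector polls a cell A PLC"),
    ("192.168.1.5", "192.168.2.5", 502, "cell A PLC talks to a cell B PLC (failure or compromise spreading)"),
    ("192.168.1.5", "10.0.5.7", 445, "cell A PLC reaching back into the office network"),
    ("203.0.113.9", "10.10.0.4", 443, "unassigned address (Internet) to the DMZ"),
]


def run_attempts() -> list[str]:
    """Verdicts for ATTEMPTS, in order."""
    return [evaluate(s, d, p)[0] for s, d, p, _ in ATTEMPTS]


if __name__ == "__main__":
    for (s, d, p, what), verdict in zip(ATTEMPTS, run_attempts()):
        print(f"{verdict:5} {s:>13} -> {d:>13}:{p:<5} {what}")
```

The shape of the policy is the point: rules are written between zones rather than between individual hosts, the remote-maintenance exception names exactly one destination, and the catch-all is a drop, which is what contains a fault in cell A from reaching cell B. The model decides each connection attempt on its own and keeps no state; in a real firewall the replies to a permitted connection are admitted by stateful connection tracking, not by a reverse conduit. What travels inside a permitted Modbus conduit (which function codes, which coils) is the separate job of the Deep Packet Inspection rule.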
A word of caution about deploying firewalls. While effective in preventing unauthorized communication traffic on the network, these devices can also add latency or delays, and the deeper the inspection, the more processing each packet needs. Where rapid filtering must take place, high-quality network switches using hardware-accelerated access control lists can be an effective means of achieving both security and effective communications flow. Bear in mind that such ACLs match on addresses, protocols and ports and do not understand the content of industrial protocols, so they trade inspection depth for speed.