Firewalls for ICS/SCADA environments
Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments are facing increasing exposure to the internet, giving nefarious parties and malicious hackers opportunity to enter previously isolated systems. Firewalls appear at first glance to be the natural choice in first-line information security but adopting a “one size fits all” mentality isn’t appropriate when working with ICS/SCADA.
This article explores firewall use in ICS/SCADA environments, including how it differs from enterprise firewalls, vendors/brands, stateless, stateful or deep packet inspection (DPI) firewalls with ICS/SCADA environments.
Learn ICS/SCADA Security
Firewall use in ICS/SCADA environments
Firewalls are a ubiquitous part of information technology and information security, especially in situations where only one security measure is chosen. Firewalls secure information by monitoring and controlling the flow of traffic between and within networks, referencing access control lists (ACL), a table of permissions, to filter traffic appropriately. This is true for both enterprise and industrial firewalls, which are normally used alongside ICS/SCADA environments.
Industrial versus enterprise firewalls
Enterprise firewalls are traditionally used in organization environments and in conventional IT environments. Industrial firewalls are the type used in both ICS and SCADA environments, and for good reason. They differ from enterprise firewalls in that they have been hardened for industrial environments. These environments can be quite harsh, and industrial firewalls rise to the occasion by having higher operating temperature thresholds.
Just like enterprise firewalls, Next-Generation Firewalls (NGFW) are available for industrial use. Industrial NGFWs come with all the nice extras that enterprise NGFWs come with, including:
- Encryption capabilities
- Whitelisting
- VPN
- Intrusion detection
- Deep Packet Inspection (more on this later)
ICS/SCADA environments may contain large and complex systems which include aging industrial machinery and networks spread out over several locations. Implementing firewalls for ICS/SCADA environments requires an analysis of the environment’s needs and its complexity in order to create a solution that is appropriate.
Common vendors/brands of industrial firewalls
There are some common vendors and brands of industrial firewalls that you will find alongside ICS and SCADA environments. Some of them offer standalone industrial firewalls and NGFWs, and others offer full security solutions that include an industrial firewall. They include:
- Belden
- Hirschmann
- Fortinet
- Tofino
- Moxa
Stateless versus stateful firewalls
Stateful firewalls are the preferred type of industrial firewall to use alongside ICS and SCADA environments, but why is this?
Stateless firewalls
A stateless firewall, also known as a packet filter, analyzes packets of information in isolation of historical and other information about the communication session. Stateless firewalls base the decision to deny or allow packets on simple filtering criteria. Common criteria are:
- Source IP
- Destination IP
- Source protocol
- Destination protocol
The downside with stateless firewalls is that they are easy for attackers to spoof, which is when attackers change their IP address to match an internal application server with a commonly used destination port number. This works because stateless firewalls cannot block inbound communication that does not result from outbound requests.
Stateful firewalls
Stateful firewalls state understand the relationship between messages received in relation to previous messages. What this does is put the communication in context of other communication received, which leads to a fuller, more accurate understanding of whether the communication is a threat.
With stateful firewalls, the inbound traffic needs to match outbound requests. This is also known as blocking out-of-sequence packets. Stateful firewalls can also place a limit on the number of new connections that can be made, further stopping attackers.
Deep Packet Inspection (DPI)
ICS/SCADA environments rely heavily on the Modbus/TCP protocol but ACLs either allow Modbus messages or deny them with no finer grain control being possible. It is easy to let programming messages through with this protocol when, for example, an HMI is communicating with a PLC — which is a security no-no.
With DPI, the firewall inspects message content and applies more detailed rules than those in its ACL. This capability to inspect messages can make the difference in whether a malware attack is successful, such as when Dragonfly’s Havex exploited the fact that its victims did not use DPI. The fine-grained control that DPI offers ICS/SCADA systems improves both the security and reliability of these systems.
Conclusion
ICS/SCADA environments benefit from firewall implementation. Careful consideration of the complexity of the networked ICS/SCADA systems and the environments they exist in is required, though.
Stateless firewalls aren’t typically for used for ICS/SCADA because its filtering system is too simple, and the Purdue Model, though widely used, isn’t able to properly block attacks. This leaves the more robust stateful and DPI firewalls. Both are useful options, but making the decision to use one but not the other comes back to the continual question when discussing ICS/SCADA security: “What security measures are best for your specific environment?”
Learn ICS/SCADA Security Fundamentals
Sources
- Essential ICS Firewall Concepts, ISS Source
- SCADA Security & Deep Packet Inspection – Part 1 of 2, Tofino Security
- Why SCADA Firewalls Need to be Stateful – Part 1 of 3, Tofino Security
- Why SCADA Firewalls Need to be Stateful – Part 2 of 3, Tofino Security
- Why SCADA Firewalls Need to be Stateful – Part 3 of 3, Tofino Security
- Guide to Industrial Control Systems (ICS) Security, NIST
- Cybersecurity Questions Answered: What Is an Industrial Firewall?, Ultra Electronics 3eTI
Learn ICS/SCADA Security
Build your critical infrastructure security skills with hands-on training in Infosec Skills. Train how you learn best:- Practice realistic scenarios
- Build hands-on skills
- Learn live or on-demand
- Get certified
In this Series
- Firewalls for ICS/SCADA environments
- Securing operational technology: Safeguard infrastructure from cyberattack
- Operation technology sees rise in targeted remote access Trojans and ransomware
- Vehicle hacking: A history of connected car vulnerabilities and exploits
- Operational technology compromises: Low sophistication, high-frequency
- ICS/SCADA threats and threat actors
- Incident response and recovery best practices for industrial control systems
- BPCS & SIS
- Security Technologies for ICS/SCADA environments
- Data Loss Protection (DLP) for ICS/SCADA
- ICS/SCADA Wireless Attacks
- Security controls for ICS/SCADA environments
- SCADA & security of critical infrastructures [updated 2020]
- CIP (Common Industrial Protocol): CIP messages, device types, implementation and security in CIP
- Open vs proprietary protocols
- Critical security concerns facing the energy & utility industry
- ICS/SCADA Social Engineering Attacks
- ICS/SCADA Malware Threats
- Biggest threats to ICS/SCADA systems
- SIEM for ICS/SCADA environments
- Intrusion Detection and Prevention for ICS/SCADA Environments
- ICS/SCADA Security Technologies and Tools
- The state of threats to electric entities: 4 key findings from the 2020 Dragos report
- Modbus, DNP3 and HART
- RS-232 and RS-485
- BACnet
- TASE 2.0 and ICCP
- FOUNDATION Fieldbus
- Account Management Concepts for ICS/SCADA environments
- PROFIBUS and PROFINET
- ICS Strengths and Weaknesses (from security perspective)
- Access Control Implementation in ICS
- ICS Components
- Access Control Models for ICS/SCADA environments
- ICS/SCADA Security Specialist/Technician Role
- Credential Management and Enforcement for ICS/SCADA environments
- IT vs ICS
- Process control network (PCN) evolution
- ICS protocols
- Saving lives with ICS and critical infrastructure security
- ICS/SCADA Access Controls
- Types of ICS
- Physical security for ICS/SCADA environments
- Introduction to SCADA security
- ICS/SCADA security overview
- Who Is Targeting Industrial Facilities and ICS Equipment, and How?
- Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment
- MyPublicWiFi – A Windows Utility to manage ICS
- Situational awareness and ICS Using GRASS MARLIN
- Cyber risks for Industrial environments continue to increase
- Advice to a New SCADA Engineer
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Critical infrastructure
Securing operational technology: Safeguard infrastructure from cyberattack
Critical infrastructure
Operation technology sees rise in targeted remote access Trojans and ransomware
Critical infrastructure
Vehicle hacking: A history of connected car vulnerabilities and exploits
Critical infrastructure
Operational technology compromises: Low sophistication, high-frequency