Cybersecurity Questions Answered:
What Is an Industrial Firewall?

May 31st, 2017 / By

My colleagues and I are fortunate to attend and address audiences at numerous industry events each year. We’ve found that many attendees, while passionate about cybersecurity, sometimes are not familiar with the unique terms and standards that set industrial networks apart when it comes to cybersecurity.

So, what is an industrial firewall?

An industrial firewall is a network firewall that has been hardened for use in industrial environments such as power plants, utility facilities, refineries, and the like. These hardware firewalls are purpose-built to work alongside SCADA (supervisory control and data acquisition) equipment in sometimes harsh surroundings. Industrial firewalls often have wider operating temperature thresholds and can have industry-approved certifications, like Class 1, Division 2 from American National Standards Institute (ANSI), that help assure their effective operation in hazardous locations.

What’s different about an industrial firewall?

While the familiar PC or Windows-type firewall traditionally protects your network from the dangers of the Internet, or maintains segregation on your internal network, an industrial firewall is positioned in front of SCADA systems to provide security to the control network.

Using these devices to protect SCADA networks helps provide layered defense should the perimeter of the external network be breached. It also helps protect against malicious insiders and malware that has infected the system.

Many of today’s firewalls marketed to enterprises in a wide range of industries offer advanced features beyond basic malware protection. These features can include VPN security, layer-2 encryption, stateful packet inspection, and authentication. These next-generation firewalls (NGFWs) are also available in industrial versions.

Having an industrial NGFW can provide even deeper layers of protection. For example:

  • Encrypting connections prevents eavesdropping and helps ensure nonrepudiation, a service that provides proof of data integrity.
  • VPN technology enables secure connections to remote sites and often is a less expensive alternative to costly leased lines.
  • Whitelisting: NGFWs are by nature white-list devices, allowing through only traffic for which a specific rule has been defined to permit it. All other network traffic is blocked.
  • Deep Packet Inspection (DPI), an emerging technology within industrial firewalls, allows a user to monitor and/or filter network traffic based on the specific commands and values embedded within the respective industrial protocol being used. Many of these protocols cannot be recognized by standard IT firewall technology and therefore represent a juicy hacking target for malware and/or insiders proficient in industrial protocols. Safety systems are often the most vulnerable devices to protocol manipulation and are usually prime targets for implementing DPI protection.
  • Intrusion Detection: Network and device intrusion can be detected through firewall rule violations or by DPI inspection. All rule violations can be selectively logged. A SIEM system can then be actively used to review the logs (cyber forensic data analytics) and/or raise alarms for preventive action.
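The three bullets above (whitelisting, DPI, and logged rule violations) fit together in one small policy engine. The following Python is an added illustration written for this article; it is not the page's or 3eTI's code. It uses Modbus/TCP as the example industrial protocol (the page names none), and the hosts, rule, and frames are constructed. A connection is allowed only if an explicit rule matches it and the Modbus function code inside the frame is one the rule permits; everything else is dropped and written to a SIEM-style log line.

```python
"""Toy industrial-firewall policy engine: default-deny allowlist plus Modbus/TCP
deep packet inspection, with every violation logged as a SIEM-friendly record.

Added illustration, not the article's or 3eTI's code. Modbus/TCP is chosen as the
example industrial protocol; all hosts, rules and frames below are constructed."""
import struct
from dataclasses import dataclass, field

# Modbus function codes that only read data (what an HMI typically needs)
READ_CODES = frozenset({1, 2, 3, 4})
# Function codes that change controller state (writes); restricted by default
WRITE_CODES = frozenset({5, 6, 15, 16})


@dataclass
class Rule:
    src: str
    dst: str
    dport: int
    allowed_functions: frozenset  # DPI layer: Modbus function codes this rule permits


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_modbus(payload):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); the PDU follows and its first byte is the function code.
    The length field counts unit id + PDU, i.e. len(payload) - 6."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def modbus_frame(unit, fc, body=b""):
    """Build a Modbus/TCP frame (constructed test input for the examples)."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


@dataclass
class Firewall:
    rules: list
    log: list = field(default_factory=list)

    def _log(self, verdict, pkt, reason):
        # key=value record a SIEM can parse; one line per decision worth reviewing
        self.log.append(
            f"verdict={verdict} src={pkt.src} dst={pkt.dst} dport={pkt.dport} reason={reason}"
        )

    def check(self, pkt):
        """Return True if the packet is forwarded, False if dropped (and logged)."""
        for rule in self.rules:
            if (rule.src, rule.dst, rule.dport) == (pkt.src, pkt.dst, pkt.dport):
                parsed = parse_modbus(pkt.payload)
                if parsed is None:
                    self._log("DROP", pkt, "malformed_modbus")
                    return False
                _unit, fc = parsed
                if fc not in rule.allowed_functions:
                    # DPI violation: host is allowed to talk, but not to issue this command
                    self._log("DROP", pkt, f"dpi_function_code={fc}")
                    return False
                return True
        # No rule matched: allowlist semantics mean default deny
        self._log("DROP", pkt, "no_rule")
        return False


def demo():
    """Run three constructed packets through a one-rule firewall."""
    fw = Firewall([Rule("10.0.1.5", "10.0.2.20", 502, READ_CODES)])
    # HMI reading 10 holding registers (function 3): permitted
    read_ok = fw.check(Packet("10.0.1.5", "10.0.2.20", 502,
                              modbus_frame(1, 3, b"\x00\x00\x00\x0a")))
    # Same HMI issuing a multi-register write (function 16): blocked by DPI
    write_blocked = fw.check(Packet("10.0.1.5", "10.0.2.20", 502,
                                    modbus_frame(1, 16, b"\x00\x00\x00\x01\x02\x00\x01")))
    # Unknown host with a harmless read: no rule, so default deny
    unknown_blocked = fw.check(Packet("10.0.9.9", "10.0.2.20", 502,
                                      modbus_frame(1, 3, b"\x00\x00\x00\x01")))
    return read_ok, write_blocked, unknown_blocked, fw.log


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The two dropped packets produce log lines that differ only in the reason field, which is exactly what a SIEM correlation rule keys on: a `no_rule` drop from a host that should never appear on the control network is a different alarm than a `dpi_function_code` drop from a known HMI that has suddenly started writing to a controller.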

How do I choose an industrial firewall?

There are some important things to consider when choosing an industrial firewall for your SCADA network. Key considerations include where to put the device, whether the placement is feasible, what advanced (NGFW) features are needed, how it will impact the network overall, and whether the vendor supplying it is reputable.

Identifying a good location for the industrial firewall is often difficult. In most cases the determination is best made through a thorough risk assessment. In performing the assessment, owners can identify priority systems and categorize them based on risk calculations. Once this is accomplished, they can decide which network elements or components need the most protection. These are usually the systems that, if rendered inoperable, would cause the greatest loss.

Another consideration is the size of the asset pool the industrial firewall is guarding. The more devices behind the firewall, the larger the attack surface of the “protected” network should an adversary somehow penetrate the firewall. Some industrial firewalls, like 3eTI’s CyberFence, offer 802.1x port authentication to mitigate this concern.

Advanced features — port authentication, encryption, and packet inspection — can help provide additional layers of protection to communications. They help ensure security in the face of a malicious insider or self-propagating malware. Systems that provide anomaly- or rule-based protection lock down SCADA networks, even against new threats or zero-day exploits, because they do not rely on updated signatures or definitions to identify malware. Such systems enforce strict adherence to known good behaviors and commands while alerting on or blocking deviations. The risk with these systems is false positives, which signature-based detection can help correct when the traffic in question is known to be malicious.

How will an industrial firewall impact the network?

The impact on the network is a very important consideration when investigating an industrial firewall. It should not impede operation of the SCADA network. It should instead work seamlessly without inducing disruptive latency, particularly when installed in critical systems. With such networks, system safety and optimization cannot be compromised in any way by latency associated with security devices.

In vetting vendors and products for factors such as assured performance, owners should look for vendors that have earned best-in-class certifications. Hardware and environmental certifications are important for installations, but owners should also consider security certifications. Credentials like Common Criteria can help validate a product’s security features and establish that a device will do what the vendor says it will do.

What now?

It’s established: Industrial firewalls provide additional, invaluable layers of security to automation and control networks. At the same time, they can improve the performance and reliability of industrial electronics equipment. To learn more, contact an Ultra Electronics, 3eTI representative for a comprehensive briefing and complimentary demonstration.