Modern Industrial Control System Firewalls

June 28, 2021
Do you have a perimeter firewall connecting your business to the public internet? Learn how to protect your Industrial Control Systems (ICS) software products on ICS networks.

Do you have a perimeter firewall connecting your business to the public internet? With the Industrial Internet of Things (IIoT) and digital transformation efforts, the number of devices below firewalls connected to the internet is increasing at an alarming pace. The frightening fact is that this device count increase doesn’t include systems with vulnerabilities that affect standard computer operating systems running Industrial Control Systems (ICS) software products on our ICS networks. Multiple steps can be taken to help secure your ICS environment, including utilizing hardware, software and your internal ICS network policies. Understanding your firewall options will help you make the right decision for your networks

ICS Firewalls
ICS firewalls, and firewalls in general, are not a new concept. In fact, you’ll probably see the same technology being used between your internal network and the public internet today. The firewall’s purpose is to keep malicious traffic outside your environment and keep your highly secured data and workflow process information inside. This is where ICS firewalls come into play.

There is a new market for “hardened” firewalls in ICS environments that may be Industrial PC (IPC) form factors. These firewalls may be fanless or have specific temperature and dust ratings, but they operate the same way as any IT firewall, albeit with a few unique exceptions. Some may not be hardened for harsh industrial environments or compact enough to fit inside a control panel, and others may not have some of the specific data-handling features meant for unique manufacturing protocols such as EthernetIP or Modbus. However, the critical thing they do have is a way to filter inbound and outbound traffic to and from your ICS network and your standard office network.

ICS Edge Firewalls
Similar in function to Core ICS firewalls, Edge Firewalls are made to secure your industrial networks further. However, unlike ICS firewalls, Edge Firewalls are a relatively new concept in ICS environments. Edge Firewalls are designed to be closer to your individual equipment, allowing you to configure micro-segmentation in your network and further isolate devices and layer 2 traffic.

Edge Firewalls are typically placed near the top of a line or piece of equipment. This placement allows you to implement IEC 62443 concepts such as Defense in Depths and Secure Zones and Conduits.

Securing Your ICS Network
There are a few standard rules to follow when securing your ICS network:

  • Never place end-user, third-party contractor, smart, or non-industrial IoT devices on the ICS network unless they are temporarily approved or have a specific task that your ICS network policy allows.
  • Devices on the ICS network typically do not need to access the public internet. If you can’t control where they are getting their data, it is far easier for them to be compromised.
  • The most important rule to follow is to restrict any unnecessary traffic from crossing the firewall. This restriction requires you to fully understand and interpret the traffic you see within your environment.

There are many ways to secure your ICS networks, from hardware to software. Finding a trusted systems integrator like Interstates will help you navigate changing firewall technology and keep your industrial networks safe.

Adam Jongewaard and David Smit are Systems Analysts who work in Operational Technology at Interstates, Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Interstates, Inc., visit its profile on the Industrial Automation Exchange.