Firewalls for ICS/SCADA environments
Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments are facing increasing exposure to the internet, giving nefarious parties and malicious hackers opportunity to enter previously isolated systems. Firewalls appear at first glance to be the natural choice in first-line information security but adopting a “one size fits all” mentality isn’t appropriate when working with ICS/SCADA.
This article explores firewall use in ICS/SCADA environments, including how it differs from enterprise firewalls, vendors/brands, stateless, stateful or deep packet inspection (DPI) firewalls with ICS/SCADA environments.
Firewall use in ICS/SCADA environments
Firewalls are a ubiquitous part of information technology and information security, especially in situations where only one security measure is chosen. Firewalls secure information by monitoring and controlling the flow of traffic between and within networks, referencing access control lists (ACL), a table of permissions, to filter traffic appropriately. This is true for both enterprise and industrial firewalls, which are normally used alongside ICS/SCADA environments.
Industrial versus enterprise firewalls
Enterprise firewalls are traditionally used in organization environments and in conventional IT environments. Industrial firewalls are the type used in both ICS and SCADA environments, and for good reason. They differ from enterprise firewalls in that they have been hardened for industrial environments. These environments can be quite harsh, and industrial firewalls rise to the occasion by having higher operating temperature thresholds.
Just like enterprise firewalls, Next-Generation Firewalls (NGFW) are available for industrial use. Industrial NGFWs come with all the nice extras that enterprise NGFWs come with, including:
- Encryption capabilities
- Intrusion detection
- Deep Packet Inspection (more on this later)
ICS/SCADA environments may contain large and complex systems which include aging industrial machinery and networks spread out over several locations. Implementing firewalls for ICS/SCADA environments requires an analysis of the environment’s needs and its complexity in order to create a solution that is appropriate.
Common vendors/brands of industrial firewalls
There are some common vendors and brands of industrial firewalls that you will find alongside ICS and SCADA environments. Some of them offer standalone industrial firewalls and NGFWs, and others offer full security solutions that include an industrial firewall. They include:
Stateless versus stateful firewalls
Stateful firewalls are the preferred type of industrial firewall to use alongside ICS and SCADA environments, but why is this?
A stateless firewall, also known as a packet filter, analyzes packets of information in isolation of historical and other information about the communication session. Stateless firewalls base the decision to deny or allow packets on simple filtering criteria. Common criteria are:
- Source IP
- Destination IP
- Source protocol
- Destination protocol
The downside with stateless firewalls is that they are easy for attackers to spoof, which is when attackers change their IP address to match an internal application server with a commonly used destination port number. This works because stateless firewalls cannot block inbound communication that does not result from outbound requests.
Stateful firewalls state understand the relationship between messages received in relation to previous messages. What this does is put the communication in context of other communication received, which leads to a fuller, more accurate understanding of whether the communication is a threat.
With stateful firewalls, the inbound traffic needs to match outbound requests. This is also known as blocking out-of-sequence packets. Stateful firewalls can also place a limit on the number of new connections that can be made, further stopping attackers.
Deep Packet Inspection (DPI)
ICS/SCADA environments rely heavily on the Modbus/TCP protocol but ACLs either allow Modbus messages or deny them with no finer grain control being possible. It is easy to let programming messages through with this protocol when, for example, an HMI is communicating with a PLC — which is a security no-no.
With DPI, the firewall inspects message content and applies more detailed rules than those in its ACL. This capability to inspect messages can make the difference in whether a malware attack is successful, such as when Dragonfly’s Havex exploited the fact that its victims did not use DPI. The fine-grained control that DPI offers ICS/SCADA systems improves both the security and reliability of these systems.
ICS/SCADA environments benefit from firewall implementation. Careful consideration of the complexity of the networked ICS/SCADA systems and the environments they exist in is required, though.
Stateless firewalls aren’t typically for used for ICS/SCADA because its filtering system is too simple, and the Purdue Model, though widely used, isn’t able to properly block attacks. This leaves the more robust stateful and DPI firewalls. Both are useful options, but making the decision to use one but not the other comes back to the continual question when discussing ICS/SCADA security: “What security measures are best for your specific environment?”
- Essential ICS Firewall Concepts, ISS Source
- SCADA Security & Deep Packet Inspection – Part 1 of 2, Tofino Security
- Why SCADA Firewalls Need to be Stateful – Part 1 of 3, Tofino Security
- Why SCADA Firewalls Need to be Stateful – Part 2 of 3, Tofino Security
- Why SCADA Firewalls Need to be Stateful – Part 3 of 3, Tofino Security
- Guide to Industrial Control Systems (ICS) Security, NIST
- Cybersecurity Questions Answered: What Is an Industrial Firewall?, Ultra Electronics 3eTI