Cybersecurity incidents are increasing and escalating in complexity, making sophisticated security measures essential for protecting industrial networks.
How can a network intrusion harm an industrial enterprise? A hacker could download and alter a medical formula from a pharmaceutical firm, rendering the medication life-threatening. An automotive plant’s robotics program may be vulnerable to a process change, resulting in a defective part. Such threats are a reality today, and can endanger people and cause business loss through network failure and process line inefficiency.
Industrial versus IT firewalls
Why not just depend upon the IT group to manage firewalls? Industrial-grade firewalls differ from IT-grade firewalls because many process control applications cannot tolerate interruptions in operation. The engineers who implement and maintain control systems should understand industrial-grade firewalls and select them themselves.
Firewalls are fundamental to industrial security
In computing, a firewall is a software- or hardware-based network security system that controls network traffic to protect networks and devices from unauthorized access. A firewall monitors online traffic and manages transmissions by examining message “packets,” acting as a barrier to outside intrusion while passing along legitimate data communication. Based upon a set of access control rules, a firewall can permit, deny, encrypt, decrypt, or act as a proxy for all traffic between different security domains.
Choosing the appropriate industrial-grade firewall type or combination of types depends on application requirements, the level of tolerable risk, and the potential impact of an attack upon a system.
• A packet filtering firewall is a low-cost solution that checks packet headers, but it’s easy for a skilled hacker to circumvent and is more suitable for low-risk network areas.
• A stateful inspection firewall provides a high level of security and good performance by inspecting packets and their contents, but it can be expensive and complex to configure.
• An application-proxy gateway examines and filters every incoming packet at the application level; however, this firewall type has overhead delays that impact control network performance and is not recommended for an industrial environment.
Constructing a firewall system
Separation and isolation are essential to structuring firewalls. For example, installing a single firewall device to separate the control network from plant and corporate networks is a simple solution, but it doesn’t isolate the programmable logic controller (PLC) system from the human machine interface (HMI) system, which runs on a standard PC operating system. An attacker may target such a system as a point of entry and then breach the PLC system that controls an operation or process, or an internal user may introduce malware by downloading or updating a PC software program.
Critical control applications such as emergency shutdown systems may require tighter security. The solution is to create a network architecture that can communicate to both the plant network and the PLC control system, but uses two firewalls to isolate the HMI and SCADA devices from the PLC system.
An industrial-grade firewall must be properly configured and located at the control network access points. Design factors that can enhance effectiveness include:
• segmenting control networks into security zones;
• configuring a control network structure that’s invisible to the outside world to obscure device types;
• using stateful packet inspection to ensure all inbound data packets result from an outbound request; and
• providing security alarm and event logging information to indicate an in-progress attack or device failure.
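The following is an added example, not code from the article or from any firewall vendor, that illustrates the firewall types and design factors above in one small Python simulation: three security zones (corporate IT, the plant network carrying HMI/SCADA hosts, and the PLC control network), a short zone-to-zone rule set, stateful tracking so that inbound packets are accepted only as replies to an accepted outbound request, and an event log of every dropped packet for the alarm system. The address ranges, host addresses, port numbers and rules are constructed for the demonstration and are not taken from the article.

```python
"""Added example: a zone-based, stateful firewall simulator for an industrial network.
All zones, hosts, ports and rules below are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# Constructed security zones: corporate IT, plant (HMI/SCADA), and PLC control network.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "plant":     ipaddress.ip_network("10.1.0.0/16"),
    "control":   ipaddress.ip_network("10.2.0.0/16"),
}

def zone_of(ip: str) -> str:
    """Map an address to its security zone; anything outside the zones is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for a connection-opening packet

# Constructed policy, (source zone, destination zone, destination port):
# plant HMIs may open Modbus/TCP (502) sessions to PLCs; corporate hosts may reach
# plant web services (443). Nothing else crosses a zone boundary.
RULES = [
    ("plant", "control", 502),
    ("corporate", "plant", 443),
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = set(rules)
        self.sessions = set()   # (client, server, server_port) of accepted connections
        self.log = []           # security events for the alarm / event-logging system

    def _permitted(self, pkt: Packet) -> bool:
        """Packet-filter part: does a zone-to-zone rule allow this new connection?"""
        return (zone_of(pkt.src), zone_of(pkt.dst), pkt.dport) in self.rules

    def process(self, pkt: Packet) -> str:
        # 1. A reply to an existing session is accepted: the inbound packet results
        #    from an earlier outbound request that the firewall already approved.
        if (pkt.dst, pkt.src, pkt.sport) in self.sessions:
            return "ACCEPT"
        # 2. A new connection must be a SYN and must match a permitted rule.
        if pkt.syn and self._permitted(pkt):
            self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "ACCEPT"
        # 3. Everything else (unsolicited inbound data, unknown zones, wrong ports)
        #    is dropped and logged so an in-progress attack becomes visible.
        self.log.append(
            f"DROP {zone_of(pkt.src)}->{zone_of(pkt.dst)} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        )
        return "DROP"

def run_demo():
    """Run a constructed traffic sample through the firewall; returns verdicts and log."""
    fw = StatefulFirewall(RULES)
    hmi, plc, corp, ext = "10.1.0.10", "10.2.0.5", "10.0.0.25", "203.0.113.9"
    verdicts = {
        "hmi_to_plc_syn":  fw.process(Packet(hmi, plc, 50000, 502, syn=True)),
        "plc_reply":       fw.process(Packet(plc, hmi, 502, 50000)),
        "corp_to_plc":     fw.process(Packet(corp, plc, 50001, 502, syn=True)),
        "ext_to_hmi":      fw.process(Packet(ext, hmi, 40000, 3389, syn=True)),
        "plc_unsolicited": fw.process(Packet(plc, corp, 502, 50002)),
    }
    return verdicts, fw.log

if __name__ == "__main__":
    results, events = run_demo()
    for name, verdict in results.items():
        print(f"{name:16s} {verdict}")
    print("\n".join(events))
```

The `_permitted` check alone behaves like the packet filtering firewall from the list above: it looks only at addresses and ports. The session table is what makes the firewall stateful, and it is why the PLC's reply to the HMI is accepted while the PLC's unsolicited packet toward the corporate zone is dropped. In a real deployment the same policy would be split across the two firewalls described earlier, with the control zone rules on the firewall in front of the PLCs.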
But even with proper configuration, a firewall cannot protect against unauthorized access through connections not linked to the firewall; internal attacks that bypass the firewall; out-of-date software; user error; or a virus or malware that enters through an unprotected connection.
No firewall system is impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere for easier targets to exploit.