Firewalls For ICS/SCADA Environments

Introduction

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments are facing increasing exposure to the internet, giving nefarious parties and malicious hackers opportunity to enter previously isolated systems. Firewalls appear at first glance to be the natural choice in first-line information security but adopting a “one size fits all” mentality isn’t appropriate when working with ICS/SCADA. 

This article explores firewall use in ICS/SCADA environments, including how it differs from enterprise firewalls, vendors/brands, stateless, stateful or deep packet inspection (DPI) firewalls with ICS/SCADA environments.

Firewall use in ICS/SCADA environments

Firewalls are a ubiquitous part of information technology and information security, especially in situations where only one security measure is chosen. Firewalls secure information by monitoring and controlling the flow of traffic between and within networks, referencing access control lists (ACL), a table of permissions, to filter traffic appropriately. This is true for both enterprise and industrial firewalls, which are normally used alongside ICS/SCADA environments. 

Industrial versus enterprise firewalls

Enterprise firewalls are traditionally used in organization environments and in conventional IT environments. Industrial firewalls are the type used in both ICS and SCADA environments, and for good reason. They differ from enterprise firewalls in that they have been hardened for industrial environments. These environments can be quite harsh, and industrial firewalls rise to the occasion by having higher operating temperature thresholds.

Just like enterprise firewalls, Next-Generation Firewalls (NGFW) are available for industrial use. Industrial NGFWs come with all the nice extras that enterprise NGFWs come with, including:

• Encryption capabilities
• Whitelisting
• VPN
• Intrusion detection
• Deep Packet Inspection (more on this later)

ICS/SCADA environments may contain large and complex systems which include aging industrial machinery and networks spread out over several locations. Implementing firewalls for ICS/SCADA environments requires an analysis of the environment’s needs and its complexity in (Read more...)