Choosing the Right Industrial Firewall: The Top 7 Considerations

Industrial control networks help facilitate efficient and safe operations in vital sectors, including utilities, oil and gas, water, transportation, and manufacturing. A major concern with multi-purpose networks is a new class of threats that targets industrial automation systems. Legacy networks are particularly vulnerable to malicious network attacks or unintended operations, since they tend to lack proper security measures. Once compromised, these legacy networks can become back doors that allow attackers and unauthorized personnel to gain access to corporate networks. In this article, we explain how to choose the right industrial firewall to ensure the safety and reliability of industrial networks.

Top considerations in implementing industrial network security

1. Changes in network topology

Deploying a new firewall on an industrial control network can be a complicated process that involves IP address reconfiguration, network topology changes, and solving compatibility issues with existing firewalls. The first challenge is to determine the right firewall type for your network.

• A routed firewall acts as a Layer 3 node that protects the networks connected to its two logical interfaces. A routed firewall is deployed between the plant network and the enterprise network and at the perimeter of the different network zones. Because it participates in IP routing, it can perform tasks such as network address translation (NAT) and port forwarding. Although a routed firewall provides the greatest capability and flexibility, substantial network reconfiguration may be required.

• A transparent firewall is suitable for protecting critical devices or equipment inside a control network for which network traffic is exchanged within a single subnet. A transparent firewall does not participate in the routing process and can be installed in the network without reconfiguring IP subnets.

Using a transparent firewall allows you to protect critical devices inside a control network without subnet reconfiguration.

2. Filtering performance and latency

In most industrial control applications, response time is a critical factor. When firewalls are deployed in a control network, the data filtering they perform adds latency. Many vendors claim maximum performance for their firewalls based on a benchmark that filters traffic with a single firewall rule; in the real world, hundreds of firewall rules may be active to filter traffic in a control network, which casts doubt on the firewall's actual performance.

Performance test of different industrial firewalls (YouTube)

Moxa industrial firewall throughput test with 256 firewall rules, in transparent mode

An industrial firewall should minimize control data interruption and allow as much throughput as possible between controllers and I/O devices. In addition, the data filtering performance must be consistent for various types and sizes of control traffic packets. In general automation applications, a response time in milliseconds is required to enable real-time applications such as process control, DCS, and data acquisition.

3. Industrial protocol filtering

As network complexity increases, whitelisting alone is inadequate to provide effective network security for industrial applications. While whitelisting of traffic (by address, port, and protocol) prevents unauthorized access to industrial devices, it does not examine the control commands carried inside the permitted traffic. What is needed are well-designed firewalls that can allow or deny traffic based on the industrial protocol itself, enabling checks on control data in the network. One such solution is Modbus TCP deep packet inspection.

Watch how PacketGuard security filters unsafe Modbus TCP packets (YouTube)
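To show what protocol-level filtering adds beyond address/port whitelisting, here is an added example (not the page's or Moxa's code) of Modbus TCP deep packet inspection: it parses the MBAP header and function code, rejects malformed frames, allows reads from any host, and permits write function codes only from a hypothetical engineering workstation (constructed address 10.0.0.50) and only to a hypothetical register range 0-99, returning a verdict and a reason suitable for the firewall event log.

```python
import struct
from dataclasses import dataclass

READ_FUNCS = {1, 2, 3, 4}       # public Modbus read function codes
WRITE_FUNCS = {5, 6, 15, 16}    # write function codes that change plant state
# Hypothetical policy: anyone may read; only the engineering workstation (constructed IP) may write, to registers 0-99.
ENGINEERING_WS = "10.0.0.50"
WRITE_LOW, WRITE_HIGH = 0, 99

@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    address: int   # starting coil/register address
    quantity: int  # number of coils/registers touched

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    # MBAP header: transaction id, protocol id (0), length, unit id; then the PDU
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    address = qty = 0
    if fc in READ_FUNCS | WRITE_FUNCS:
        if len(pdu) < 4:
            raise ValueError(f"FC{fc} PDU truncated")
        address, qty = struct.unpack("!HH", pdu[:4])
        if fc in (5, 6):  # single write: second word is the value, not a count
            qty = 1
    return ModbusRequest(unit, fc, address, qty)

def inspect(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return a (verdict, reason) pair suitable for the firewall event log."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DENY", f"malformed frame: {exc}"
    if req.function in READ_FUNCS:
        return "ALLOW", f"FC{req.function} read from unit {req.unit_id}"
    if req.function not in WRITE_FUNCS:
        return "DENY", f"FC{req.function} not on the protocol whitelist"
    if src_ip != ENGINEERING_WS:
        return "DENY", f"FC{req.function} write from unauthorized host {src_ip}"
    last = req.address + req.quantity - 1
    if req.address < WRITE_LOW or last > WRITE_HIGH:
        return "DENY", f"FC{req.function} write to {req.address}-{last} outside {WRITE_LOW}-{WRITE_HIGH}"
    return "ALLOW", f"FC{req.function} write to {req.address}-{last} from engineering workstation"
```

A port-only whitelist would pass every frame below to TCP/502; the inspection above distinguishes a read, a permitted write, a write from the wrong host, a multi-register write that spills past the allowed range, and a frame whose length field does not match its size.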

4. Industrial-grade design for harsh environments

In industrial applications, firewalls are often located in cabinets subjected to harsh environmental conditions, such as high temperatures and vibration. In this case, the firewall's rugged design is as important as its performance. A firewall for industrial applications should comply with the relevant industry standards, which could include Class I Division 2 (C1D2) for oil and gas, NEMA TS2 for transportation, EN 50121-4 for trackside railway equipment, and UL for factory automation.

5. Firewall event logging and notification

Regardless of which type of industrial firewall is implemented, event logging is critical to confirm that the firewall rules are in place and functioning properly. Logs allow administrators to monitor what is happening on the control network, and a good log retention plan allows them to review security events and issues long after they have occurred. Administrators can also review these logs to evaluate the strength of current firewall policies, leading to continuous security improvements.

6. Mass deployment of firewall rules

In industrial applications, there could be hundreds or even thousands of firewalls installed to control data traffic and protect field equipment from malicious attacks. The most widely used method, a firewall whitelist, allows only specific traffic on a network. This raises the question of how easy it is to change the firewall rules on the many firewalls in the field once a new service is introduced into a control network.

There are two ways to mass deploy firewall rules: a batch command (through the command line interface) and centralized firewall management software. Both are easy to use and are effective mass deployment methods. The use of one or the other depends on the preference of the network administrator. An industrial firewall solution should include both options.

7. Intuitive configuration interface

Configuring and deploying firewalls on an industrial control network requires trained administrators who are capable of designing effective firewall rules. It is therefore important for firewall vendors to provide intuitive, easy-to-use configuration interfaces that automate as much of the configuration process as possible. An industrial firewall should include a command line interface, a graphical user interface, and preferably a firewall setup wizard that allows administrators to get the firewalls up and running in the field within a few minutes.

Firewalls Tailored for Industrial Cybersecurity

With effective and reliable industrial firewalls, deploying industrial firewalls in the field to improve the security of control networks and ensure maximum system uptime has never been easier.

