Cyber security incidents are escalating in number and complexity. As industrial processes integrate with outside networks, plants are at risk. For that reason, operations teams need to know about security and firewalls.
Industrial versus IT firewalls
Why not just depend upon the IT group to manage firewalls? Industrial-grade firewalls are different from IT-grade firewalls, since many process control applications cannot tolerate interruptions in operation, and Industrial grade firewalls can be located with the control system on the plant floor. The engineers who implement and maintain control systems should understand and select the firewalls that protect production line networks.
Firewalls are fundamental to industrial network security
Firewalls are part of a total security solution for your control system. You can think of a firewall as a protective barrier guarding your wired-in production line from an intruder, whether it’s a hacker or a co-worker who just upgraded his PC software and introduced malware to the plant network.
A firewall monitors online traffic to protect networks and devices from unauthorized access. It manages transmissions by examining message “packets,” preventing intrusion and passing along legitimate data communications.
Types of firewalls
Choosing the appropriate industrial-grade firewall type or combination of types depends on application requirements, the level of tolerable risk, and the potential impact of an attack upon a system.
- A packet filtering firewall checks each incoming or outgoing message packet for its source address, destination address, and function. The firewall accepts or rejects the message based on a comparison to a number of predefined rules called Access Control Lists (ACLs)
- A stateful inspection firewall provides a higher level of security and good performance by inspecting packets and their contents, but it can be expensive and complex to configure.
- An application-proxy gateway provides the highest level of security by examining and filtering traffic based on specific application rules, and then reissues it to the target device. This firewall type has overhead delays that could impact control network performance of the control system.
Constructing a firewall system
Separation and isolation are essential to structuring firewalls. Critical control applications such as emergency shutdown systems may require tighter security, for instance, which you can address by using two firewalls to isolate a process system from the plant network. An industrial-grade firewall must be properly configured and located at the control network access points.
But even with proper configuration, a firewall cannot protect against:
- Unauthorized access through connections not linked to the firewall
- A virus or malware that enters through an unprotected connection
- Internal attacks that bypass the firewall
- Outdated software
- User error
No firewall system is impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere for easier targets to exploit.
You’ll find further discussion of industrial security in my white paper, “Fundamental Principles of Ethernet Security Firewalls in Industrial Environments.”