Industrial Controls Firewalls: Process and Line Isolation


In the past, we’ve talked about the importance of utilizing an Industrial Controls System (ICS) firewall to protect the manufacturing process from outside influences. The additional boundary between the office (Information Technology or IT) network and the manufacturing (Operational Technology or OT) network is an important protection which ensures that the production environment is safeguarded by multiple layers of security. However, it is not the only boundary that you should depend on.

One of the biggest shifts in manufacturing in the last 10 years has been the push to use data to increase process and raw material efficiency and to raise production output. Collecting this data from all aspects of production requires connectivity. Gone are the days when complete physical process isolation or manual processing was feasible. This need gives way to the next step of network protection: process or line isolation.

Line isolation is implemented further down in the access or process layer, for those familiar with the Purdue Enterprise reference architecture. The term “isolation” does not explicitly mean that the line is physically isolated. Isolation refers to the restriction of communication with the line from external sources except for explicitly allowed network communications. This method places a security device between each line and the greater OT network. Additionally, if the line can operate independently of the greater OT network, it will likely not be directly affected by other issues that can impact production in OT networks.

The line isolation concept can be implemented in multiple ways. The cheapest, but sometimes most difficult to deploy correctly, is utilizing Access Control Lists (ACLs). ACLs restrict inbound and outbound traffic based on explicit criteria and provide only stateless traffic filtering; most ACL implementations include only very basic capabilities. Firewalls provide more granular control of the traffic into and out of the line. They can be deployed as physical or virtual devices and provide traffic filtering and in-depth traffic inspection, including blocking traffic based on known bad patterns. Firewalls also provide full-featured logging and reporting capabilities for root cause analysis and troubleshooting when issues arise.
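The difference between a stateless ACL and a stateful firewall at the line boundary is easier to see with a small simulation. The following added example is not from the original post or from Interstates; it models a constructed line subnet (10.20.1.0/24) with one PLC, an OT historian (10.10.5.20) that polls it over Modbus/TCP port 502, and an office host (10.0.3.7). The addresses, rule syntax and packet fields are assumptions made for illustration only. It shows why a stateless ACL that permits only the historian's request also needs a broad return rule for the PLC's replies, and how that broad rule lets line devices open unrelated connections outward, whereas a stateful device tracks the flow and permits only the matching reply.

```python
"""Stateless ACL vs. stateful firewall at an OT line boundary (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """Stateless first-match evaluation with an implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Applies the same rules, but remembers permitted TCP flows and allows their replies."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: set = set()
        self.log: List[Tuple[str, Packet]] = []  # per-decision log for root cause analysis

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.flows or rev in self.flows:
            return "permit"  # reply or continuation of an already-permitted flow
        action = acl_decision(self.rules, pkt)
        if action == "permit" and pkt.proto == "tcp" and pkt.syn:
            self.flows.add(fwd)  # only a permitted connection opener creates state
        self.log.append((action, pkt))
        return action


# Constructed network: one production line, the OT historian, and an office host.
LINE = "10.20.1.0/24"
HISTORIAN = "10.10.5.20/32"

# Intent: the historian may poll PLCs on the line over Modbus/TCP, nothing else enters the line.
LINE_RULES = [Rule("permit", HISTORIAN, LINE, "tcp", 502)]

# What a stateless ACL forces you to add so the PLC's replies get back to the historian.
LINE_RULES_WITH_RETURN = LINE_RULES + [Rule("permit", LINE, HISTORIAN, "tcp", None)]

SAMPLE_TRAFFIC = [
    Packet("10.10.5.20", "10.20.1.10", "tcp", 49152, 502, syn=True),  # historian opens Modbus session
    Packet("10.20.1.10", "10.10.5.20", "tcp", 502, 49152),            # PLC replies
    Packet("10.0.3.7", "10.20.1.10", "tcp", 50001, 502, syn=True),    # office host reaches into the line
    Packet("10.10.5.20", "10.20.1.10", "tcp", 49153, 22, syn=True),   # historian tries SSH to the PLC
]

# A line device opening an unrelated connection outward; the broad return rule would allow it.
SMB_FROM_PLC = Packet("10.20.1.10", "10.10.5.20", "tcp", 40000, 445, syn=True)


def run_stateless(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [acl_decision(rules, p) for p in packets]


def run_stateful(rules: List[Rule], packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall(rules)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless, request rule only :", run_stateless(LINE_RULES, SAMPLE_TRAFFIC))
    print("stateless, with return rule  :", run_stateless(LINE_RULES_WITH_RETURN, SAMPLE_TRAFFIC))
    print("stateful, request rule only  :", run_stateful(LINE_RULES, SAMPLE_TRAFFIC))
    print("PLC -> historian:445, stateless with return rule:", acl_decision(LINE_RULES_WITH_RETURN, SMB_FROM_PLC))
    print("PLC -> historian:445, stateful:", run_stateful(LINE_RULES, [SMB_FROM_PLC]))
```

With only the request rule, the stateless ACL drops the PLC's reply, so the Modbus session never works; adding the return rule fixes that but also permits the PLC to open a connection to the historian on any port. The stateful firewall passes the reply because it belongs to a permitted flow and still denies the unrelated outbound connection, which is the granularity the post refers to. The `log` list on the firewall object is where the reporting data for troubleshooting would come from.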

Interstates has implemented various levels of this isolation concept. This includes logical network segregation where multiple network segments use the same physical hardware but are unable to communicate across set boundaries or even full physical segregation where networks use completely separate physical hardware.

To learn more about some of the options that we can provide our customers, engage a member of the OT Infrastructure & Security team for further review of your customer’s use case. Give us a call at 712.722.1662 and ask to speak to a member of our OT Infrastructure & Security team.

Adam Jongewaard, Senior Systems Analyst & Travis Noteboom, Team Lead