Where Is Your Industrial Control Systems Firewall?

Do you have a perimeter firewall connecting your business to the public Internet? Did you know that the number of connected TCP/IP endpoints in industrial controls systems rose approximately 97% globally between 2011 to 2015? Even more surprising, the number of vulnerabilities for industrial controls systems increased almost ten times between 2010 and 2015. The frightening fact is that these numbers don’t include the systems or vulnerabilities that affect standard computer operating systems running Industrial Control Systems (ICS) software products on our ICS networks. There are multiple things that can be done to help secure your ICS environment utilizing hardware, software, and your internal ICS network policies. The specific item I’ll be covering in this post is your ICS firewall.

ICS Firewalls

ICS firewalls and firewalls in general are not a new concept. In fact, you’ll probably see the same technology being used between your internal network and the public Internet today. The purpose of the firewall is to keep malicious traffic outside of your environment and to keep your highly-secured data and workflow process information inside. And so, we introduce the ICS firewalls.

There is a new market for “hardened” firewalls in ICS environments, but any IT firewall will operate the same way, albeit with a few unique exceptions. Though they may not be hardened for harsh industrial environments or compact enough to fit inside a control panel. They may not have some of the specific data-handling features meant for unique manufacturing protocols such as EthernetIP or Modbus. However, the critical thing they do have is a way to filter inbound and outbound traffic to and from your ICS network and your standard office network.

Securing Your ICS Network

There are a few standard rules to follow when securing your ICS network. Never place end-user, third-party contractor, smart, or non-industrial IoT devices on the ICS network. Unless they are temporarily approved or have a specific task that your ICS network policy allows. Devices on the ICS network typically have no need to access the public Internet. If you can’t control where they are getting their data from, it is far easier for them to be compromised. The most important rule to follow is to restrict any unnecessary traffic from crossing the firewall. This last rule requires you fully understand and interpret the traffic you are seeing within your environment.

There are many ways to secure your ICS networks, from hardware to software. However, the most important step is the first one you take and every successive step after that.


Adam Jongewaard, Interstates MIT Senior Analyst