This article was updated and published on Automation World on June 28, 2021.
Do you have a perimeter firewall connecting your business to the public Internet? The number of devices behind such firewalls that are connected to the Internet is increasing at an alarming pace. More frightening still, that growing device count does not include the vulnerabilities in the standard computer operating systems that run Industrial Control Systems (ICS) software products on our ICS networks. There are several things you can do to help secure your ICS environment using hardware, software, and your internal ICS network policies.
ICS firewalls, and firewalls in general, are not a new concept. In fact, you will probably find the same technology in use between your internal network and the public Internet today. A firewall's purpose is to keep malicious traffic out of your environment and to keep your sensitive data and workflow process information inside. With that in mind, we introduce ICS firewalls.
There is a new market for "hardened" firewalls in ICS environments, but any IT firewall will operate the same way, with a few notable exceptions. A standard IT firewall may not be hardened for harsh industrial environments or compact enough to fit inside a control panel, and it may lack data-handling features built for industrial protocols such as EtherNet/IP or Modbus. What it does have, and what matters most, is a way to filter inbound and outbound traffic between your ICS network and your standard office network.
ICS Edge Firewalls
Like core ICS firewalls, Edge Firewalls are built to further secure your industrial networks. Unlike ICS firewalls, however, Edge Firewalls are a relatively new concept in ICS environments. They are designed to sit closer to your individual equipment, which lets you micro-segment your network and further isolate devices and Layer 2 traffic. Placing firewalls at the edge enables you to implement concepts such as Defense in Depth and Secure Zones and Conduits.
Securing Your ICS Network
There are a few standard rules to follow when securing your ICS network. Never place end-user, third-party contractor, smart, or non-industrial IoT devices on the ICS network unless they are temporarily approved or have a specific task that your ICS network policy allows. Devices on the ICS network typically do not need access to the public Internet; if you cannot control where they get their data, they are far easier to compromise. The most important rule is to block any unnecessary traffic from crossing the firewall, and this last rule requires that you fully understand and can interpret the traffic you see within your environment.
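To make the zones-and-conduits idea and the default-deny rule above concrete, here is an added example (not code from the article or its authors) that models an ICS boundary policy as a small allow-list and evaluates sample flows against it. The zone addresses, the two permitted conduits (Modbus/TCP and EtherNet/IP from engineering workstations to a PLC cell), and the sample flows are all constructed assumptions for this illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed example zones in the IEC 62443 zones-and-conduits style.
# All addresses are assumptions for this example, not from the article.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),       # standard office network
    "engineering": ipaddress.ip_network("10.20.5.0/24"),  # approved engineering workstations
    "plc_cell": ipaddress.ip_network("192.168.50.0/24"),  # PLCs behind an edge firewall
}
Flow = namedtuple("Flow", "src dst proto dport")

# Conduits: the only flows permitted to cross a firewall between zones.
# Anything not listed here is dropped (default deny).
CONDUITS = {
    ("engineering", "plc_cell", "tcp", 502),    # Modbus/TCP
    ("engineering", "plc_cell", "tcp", 44818),  # EtherNet/IP explicit messaging
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unknown (Internet, contractor laptop) is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"

def decide(flow: Flow) -> str:
    """Return the boundary firewall's decision for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "untrusted":
        return "intra-zone"  # stays inside a zone; the boundary firewall never sees it
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "allow"
    return "deny"

# Constructed sample flows as a firewall would see them.
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "192.168.50.21", "tcp", 502),     # engineering -> PLC, Modbus
    Flow("10.10.3.44", "192.168.50.21", "tcp", 502),     # office PC -> PLC, Modbus
    Flow("192.168.50.21", "203.0.113.7", "tcp", 443),    # PLC -> public Internet
    Flow("172.16.1.5", "192.168.50.21", "tcp", 502),     # unzoned contractor laptop -> PLC
    Flow("10.20.5.10", "192.168.50.21", "tcp", 22),      # engineering -> PLC, SSH (no conduit)
    Flow("192.168.50.21", "192.168.50.22", "tcp", 502),  # PLC -> PLC in the same cell
]

def evaluate(flows=SAMPLE_FLOWS):
    """Evaluate every flow and return (flow, verdict) pairs for review."""
    return [(f, decide(f)) for f in flows]

if __name__ == "__main__":
    for f, verdict in evaluate(): print(f"{verdict:10} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Only the first flow is allowed; the office PC, the contractor laptop, the PLC's Internet egress and the unneeded SSH session are all dropped by the default-deny rule, which is exactly the review you need to do on real firewall logs before writing the rule set.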
There are many ways to secure your ICS networks, from hardware to software. The most important step, however, is the first one you take, followed by every step after it.
Adam Jongewaard, System Analyst
David Smit, System Analyst