Firewalls a Boost for Defense in Depth

Wednesday, June 1, 2016 @ 12:06 PM gHale


By Oliver Kleineberg
An important best practice for industrial security is to implement a Defense in Depth strategy. With this approach, multiple layers of defense end up implemented, in contrast to just one defense mechanism, such as a single firewall.

A complementary best practice used as part of a Defense is Depth strategy is the zones and conduits model, as defined in the ISA IEC 62443 standard.

RELATED STORIES
How Firewalls Work
ICS Security: Essential Firewall Concepts
Security and Transportation Systems
Defining Deep Packet Inspection

This approach involves segmenting the network into zones of devices with similar security requirements and using conduits to restrict the communication between zones.

Using zones and conduits as part of a Defense in Depth strategy is not a new concept. If you look at castle construction for any culture, you will see that layers of security ended up built into the castle design – moats, multiple walls, turrets. Individual zones of the castle end up separated from each other by controlled conduits — gates, drawbridges and iron bars – to contain attackers and make their movements more difficult.

Industrial firewalls play an important role in implementing both Defense in Depth and zones and conduits. The following are three examples of how they do it.

Firewalls Establish Boundaries

Firewalls are devices that protect networks or network devices, such as industrial PCs, control systems and other devices from unauthorized access by preventing traffic to or from these systems.

The fundamental technical function of any network firewall is to filter packets. The firewall inspects each packet it receives to determine whether the packet corresponds to a desired template for traffic patterns. The firewall then filters (drops or discards) or forwards packets that match these templates.

These templates are modeled in the form of rules. A firewall at the boundary of a network can, for example, include rules in the form of “A communication link within the network can only take place with a specified server” or “Only the PCs for remote maintenance can be reached outside the network, not any other devices.”

There are multiple types of firewalls built for different use cases. They differ not only in their form factors, certifications, and physical specifications but also in the type of filtering they provide. For example, a firewall designed to protect an operational zone of a plant floor with a sophisticated Deep Packet Inspection filtering capability might contain rules for industrial protocols, e.g. Modbus/TCP, such as:

“Write-commands for the Modbus/TCP protocol, coil 56, are permitted only from the maintenance terminal.”

Industrial Firewalls
Firewalls play various roles in partitioning networks. Here are three common examples:

1. Boundary Firewalls: These firewalls are generally placed in the data center and typically work in tandem with industrial hardened firewalls in the production area to isolate the critical control networks and the more exposed enterprise networks from one another.

Industrial firewalls with router functions are also perfect for smaller external sites. Because such a firewall represents the border between the company’s own network (the external site) and an external network (a provider network or the Internet), the firewall must possess full capabilities for packet filtering and filtering traffic between various networks. Such a firewall is called an IP firewall since it processes Internet Protocol (IP) traffic.

These firewalls often end up installed very near the actual facility, requiring industrial hardening of the firewall device. For example, the ability to function at high or low temperature ranges and/or approval for use in special areas (e.g. energy supply, hazardous location or transportation) may be critical.

2. Firewall in a WLAN: Wireless networks represent another network border, and communication from wireless to wired networks should also be protected by firewalls. If a client is connected to a WLAN, it is possible, in principle, to communicate directly with all other devices in the same network. Thus, a successful attack on a WLAN client could extend to any other device on the Ethernet network.

Special firewalls that can also filter the direct traffic between wireless clients are required for this task. Normal edge firewalls are not up to this task. This problem can be solved by restricting the forwarding of messages between WLAN clients with a firewall at the WLAN access point. For example, the communication of a tablet connected to a device via a WLAN can be limited so it only accesses data through the user interface but not additional subsystems or other devices connected to it.

3. Firewalls at the Field Level: A key tenet of Defense in Depth is that the protection of external network boundaries against attackers is insufficient security. Multiple layers of protection are required to provide safety against external threats. In addition, cyber incidents actually originate inside a network. Industry studies have shown that most cyber incidents are not due to intentional external attacks but from software or device failures and human error.

In a networked control system, errors and mistakes can quickly propagate within the system unless proper design steps are undertaken to isolate and contain failures. Thus, an effective cyber security strategy is not just about security but is also an important component of ensuring the safety, resiliency and reliability of your system. This is exactly what ISA IEC 62443 and zones and conduits are targeted to address.

Firewalls can end up used as the tool to implement the conduits that police the communication conduits. They contribute to the overall resiliency against unintentional errors by limiting communication between different zones of the local network.

This requires a firewall tailored to fit a particular use case. If communication from outside the facility is only supposed to be possible with a single device, the firewall should specifically permit this connection while it prevents other attempts at communication. To ensure only proper messages flow between zones and to critical assets, these firewalls must understand the origin and destination of the messages.

In addition, particularly for critical control systems, the firewall should also support detailed analysis of industrial protocol traffic (Deep Packet Inspection) so it can ensure the content of the messages is valid and reasonable.

A word of caution about deploying firewalls: While effective in preventing unauthorized communication traffic on the network, these devices can also add latency or delays. Where rapid filtering must take place, high-quality network switches using hardware accelerated access control lists, can be an effective means to achieving both security and effective communications flow.

Importance of Industrial Firewalls
Firewalls are important components in today’s security strategies. Different types of firewalls are used in various locations within the network to provide different types of protection as part of both the Defense in Depth and zones and conduits best practices.
Dr. Oliver Kleineberg works in advanced development at Hirschmann Automation and Control GmbH. The column was an excerpt from a posting on the Belden website. Click here for the entire version.