Essential ICS Firewall Concepts

Thursday, May 14, 2015 @ 04:05 PM gHale

By Heather MacKenzie
When it comes to securing ICS and SCADA networks, firewalls (also called security appliances) play an important role. That may be stating the obvious, but are you familiar with the essential concepts that distinguish the types of industrial firewalls on the market?

A switch with Access Control Lists provides a different type of security than a stateful firewall, which in turn offers different benefits than a Deep Packet Inspection (DPI) firewall.


These differences are critically important for industrial networks. Most of them use specialized communication protocols not designed with security in mind. Indeed, many of them were created to run equipment built before the Internet was born.

With the long life spans of industrial equipment (20 years and more) it means that today’s security technology needs to take into account the communication limitations of equipment built in another era. Even devices built not that long ago face limitations in terms of memory and CPU horsepower that seem unbelievable to anyone with a smart phone in their pocket today.

Let’s take a look then at the essential concepts you need to know in order to make informed choices for firewalls on your automation network.

Firewall Basics
To understand “stateful” and “DPI” it is first important to understand how the traditional IT firewall works.

A firewall is simply a device that monitors and controls traffic flowing within or between networks. It starts by capturing traffic passing through it and comparing that traffic to a predefined set of rules (called Access Control Lists or ACLs). Any messages that do not match the ACLs are then discarded.

The traditional IT firewall allows the ACLs to check three primary fields in a message:
• The IP address of the computer sending the message (AKA the source IP)
• The IP address of the computer receiving the message (AKA the destination IP)
• The upper layer protocol contained in the IP frame as defined in the field “TCP Destination Port Number”

The TCP Destination Port Number needs a bit more explanation. These ports are not physical ports like an Ethernet port, but instead are special numbers embedded in every TCP or UDP message to identify the application protocol carried in the message.

For example, Modbus/TCP uses port 502 and HTTP uses port 80. These numbers are registered under the Internet Assigned Numbers Authority (IANA) and rarely ever change.

So to put this all together, imagine you only want to allow web traffic (i.e. HTTP traffic) from a client at IP address to a web server with an address of Then you would write an ACL rule something like:

“Allow Src= Dst= Port=HTTP”

You would load this ACL in the firewall and as long as all three criteria were met, the message would be allowed through.

Or say you want to block all Modbus traffic from passing through the firewall. You would simply define a rule that blocks all packets containing 502 in the destination port field.

Seems simple, doesn’t it?

Stateful Way to Go
Let’s take a closer look at the ACL rule shown above. One aspect of it is the rule is applied to individual messages. However, just like communication between people, communication on a network rarely involves just a single message.

Instead, there is a constant exchange of packets (messages), where each is in some way dependent on previous packets. This understanding of the previous traffic is what we call “state.” State includes information such as which device started the session, who last sent a message, whether the last message was rejected because of errors, and so on. Without this, communication quickly breaks down.

A “stateless” or “packet filter” appliance analyzes each packet in isolation from any other information about the communication session. It has a series of static rules and uses them to take action on each received packet individually.

The limitation of a firewall/security appliance that can only analyze this limited data is that it cannot block “inbound” communication that is not the direct result of an “outbound” request. Because of this, hackers can get into the control system by changing their IP address to match that of an application server and using a common destination port number. This is known as “spoofing.”

A stateful firewall, on the other hand, looks at other parameters and keeps an internal record that tracks the details of the session state. This information makes it possible to analyze the reasonableness of each packet. Stateful inspection means that inbound traffic to the client device will only be allowed if it is in response to an outbound request.

Stateless firewalls allow denial-of-service attacks on PLCs because the flood of inbound requests that comes with such attacks is not matched against outbound requests. Stateful firewalls, on the other hand, map each request and reply to a state. They then drop all data not adhering to the proper sequence of events.

With this information you won’t make the mistake of thinking that a layer 2 switch with ACL rules is a firewall. It is not. It will not block out-of-sequence packets, nor prevent denial-of-service attacks to a PLC.
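To make the difference concrete, here is an added Python model (not code from the article or from Tofino Security) of a stateless packet filter and a stateful firewall applying the same ACL; the addresses, ports, packet fields and class names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
# Constructed packet: the three fields the article says an ACL checks, plus the
# source port and a SYN flag so the packet that opens a session can be recognised.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False
# One ACL entry in the shape of the article's "Allow Src= Dst= Port=" rule;
# dst_port=None is a wildcard, which a stateless reverse rule needs to let replies in.
@dataclass(frozen=True)
class AclRule:
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]

def stateless_allow(pkt: Packet, acl: List[AclRule]) -> bool:
    """Packet filter: each packet is judged alone against the ACL fields."""
    return any(r.src_ip == pkt.src_ip and r.dst_ip == pkt.dst_ip
               and r.dst_port in (None, pkt.dst_port) for r in acl)

class StatefulFirewall:
    """Tracks sessions; inbound packets pass only as replies to an outbound request."""
    def __init__(self, acl: List[AclRule]) -> None:
        self.acl: List[AclRule] = acl
        self.sessions: Set[Tuple[str, int, str, int]] = set()  # (src_ip, src_port, dst_ip, dst_port)
    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions or reverse in self.sessions:
            return True                       # part of a session we saw opened
        if pkt.syn and stateless_allow(pkt, self.acl):
            self.sessions.add(key)            # a new session must match the ACL
            return True
        return False                          # unsolicited, out-of-sequence or spoofed

# Constructed addresses: an HMI (client) and a PLC (Modbus/TCP server, port 502).
HMI, PLC = "192.0.2.10", "192.0.2.20"
ACL = [AclRule(HMI, PLC, 502),   # HMI may open Modbus sessions to the PLC
       AclRule(PLC, HMI, None)]  # reverse rule a stateless filter needs for replies

def demo() -> Tuple[bool, bool]:
    """(stateless verdict, stateful verdict) for an inbound packet from the PLC's address."""
    fw = StatefulFirewall(ACL)
    fw.allow(Packet(HMI, PLC, 40001, 502, syn=True))   # legitimate request opens a session
    stray = Packet(PLC, HMI, 502, 50555)               # inbound, not a reply to any request
    return stateless_allow(stray, ACL), fw.allow(stray)
```

The stateless filter lets the unsolicited packet through because the reverse rule has to be broad enough for replies, while the stateful firewall drops it because no outbound request opened that session.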

Enter Deep Packet Inspection
Let’s go back to the example ACL. Besides state, another problem with its simple scheme is that it is very black and white. Consider the Modbus/TCP protocol, which uses port 502. With an ACL you either allow Modbus messages through or you block them. Fine-grained control of the protocol is impossible.

Thus if you allow data read messages from an HMI to a PLC to pass through a traditional firewall, you are also allowing programming messages to pass through. This is a serious security issue. If you do the reverse and block all messages, then the messages necessary for running the control network are blocked.

Clearly the firewall needs to dig deeper into the protocols to understand exactly what the protocol is being used for. And that is exactly what Deep Packet Inspection does. After the traditional firewall rules are applied, the firewall inspects the content of the contained messages and applies more detailed rules.

For example, a Modbus DPI firewall determines if the Modbus message is a read or a write message and then drops all write messages. Good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviors (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by a hacker trying to crash a PLC and need to be blocked.
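As an added illustration (not code from the article or from a Tofino product), the following Python models a read-only Modbus/TCP DPI policy: it parses the MBAP header, passes read requests, drops writes, and rejects malformed frames and replies that answer no outstanding request. The function codes and the 125-register limit come from the Modbus specification; the sample frames and class names are constructed.

```python
import struct
from typing import Dict, Set, Tuple
# Modbus/TCP function codes (public values from the Modbus specification).
READ_FCS: Set[int] = {1, 2, 3, 4}             # read coils/discrete inputs/holding/input registers
WRITE_FCS: Set[int] = {5, 6, 15, 16, 22, 23}  # write coil(s), register(s), mask write, read/write
MAX_REGISTERS = 125                           # spec limit for one FC 3/4 read request

def parse_mbap(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Return (transaction id, unit id, function code, PDU data); ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:              # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7], frame[8:]

class ModbusDpi:
    """Read-only Modbus DPI policy: pass read requests and their replies, drop the rest."""
    def __init__(self) -> None:
        self.pending: Dict[int, int] = {}     # transaction id -> function code awaiting a reply
    def inspect(self, frame: bytes, request: bool) -> str:
        """Verdict for one frame; request=True for HMI->PLC, False for the PLC's reply."""
        try:
            tid, _unit, fc, data = parse_mbap(frame)
        except ValueError as e:
            return f"drop: malformed ({e})"
        if not request:
            # A reply must answer one outstanding request; repeated or unsolicited
            # replies (the "10,000 replies to one request" case) are dropped.
            return "pass" if self.pending.pop(tid, None) == fc & 0x7F else "drop: unsolicited reply"
        if fc in WRITE_FCS:
            return f"drop: write function {fc}"
        if fc not in READ_FCS:
            return f"drop: function {fc} not whitelisted"
        if fc in (3, 4):                      # read holding/input registers: check the quantity
            if len(data) != 4:
                return "drop: bad read register request length"
            _start, qty = struct.unpack(">HH", data)
            if not 1 <= qty <= MAX_REGISTERS:
                return f"drop: quantity {qty} outside 1..{MAX_REGISTERS}"
        self.pending[tid] = fc
        return "pass"

# Constructed sample frames (MBAP header + PDU): a Read Holding Registers request
# for 10 registers, its reply carrying 20 data bytes, and a Write Single Register request.
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
READ_REPLY = bytes.fromhex("0001 0000 0017 01 03 14") + bytes(20)
WRITE_REQ = bytes.fromhex("0002 0000 0006 01 06 0000 0001")
```

A real DPI appliance would also track the TCP stream and reassemble frames split across segments; this model assumes one complete frame per call.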

Be aware that Deep Packet Inspection is sometimes known by other terms, such as content inspection or protocol whitelisting. It is not a widely available capability.

SCADA security expert Eric Byres believes true DPI (i.e., inspection and filtering of the protocol fields at all layers) is critical if industry is going to take control of its ICS and SCADA networks. Recent high profile malware, like Dragonfly’s Havex, took advantage of a lack of content inspection to spread within its targeted networks.

By understanding the concepts of “stateful” and “Deep Packet Inspection” you can assess the importance of these capabilities for mitigation against a specific risk. If protecting key PLCs on the plant floor is important, a DPI firewall might be the way to go.
Heather MacKenzie is with Tofino Security, a Belden company.
