Fundamental Principles of Ethernet Security Firewalls in Industrial Environments
by Joseph Benedetto
Executive summary
Security incidents rise at an alarming rate each year. As the complexity of the threats increases, so do the security measures required to protect industrial networks. Plant operations personnel need to understand security basics as plant processes integrate with outside networks. This paper reviews network security fundamentals, with an emphasis on firewalls specific to industry applications. The variety of firewalls is defined, explained, and compared.
998-2095-02-13-14AR0
Introduction
If an attacker can download a drug formula from a pharmaceutical firm, the same access could be used to alter the medication by making a slight variation in that formula. In the automotive industry an attacker might alter a robotics program so that it makes a defective part, dumps material where it does not belong, or changes the timing of a particular process step. In an oil industry control application, such meddling could result in a damaging spill.
As manufacturing processes and factories become more “wired”, vulnerabilities in network devices become targets for the authors of worms and viruses. These threats work against the ultimate goal of protecting the industrial environment from business loss of any kind, including network failure and process line inefficiency.
One measure that lowers the level of risk is the deployment of proper “firewalls”. A firewall is hardware and/or software used to protect network-connected devices or network segments from unauthorized access. In an industrial Ethernet application, a firewall enforces the separation between the control network and the plant or corporate networks. It can also be used to create secure control zones within the control network.
In a typical firewall installation, the connection coming from the plant network to the firewall is referred to as the “untrusted” port or connection. The port that connects to the control network is referred to as the “trusted” connection (see Figure 1).
Figure 1: The firewall serves as a barrier to unwanted outside intrusion while allowing legitimate data to communicate with key equipment components. (Diagram: the Internet, outside of the plant, on the untrusted connection; the firewall; the trusted connection to the automation system.)
The firewall’s basic function is to control which traffic may cross it. It is designed to block unauthorized access while permitting authorized communication to the devices connected on the “trusted” side of the firewall. Based on a set of rules, it can be configured by the user to permit, deny, encrypt, decrypt, or act as an intermediary device (proxy) for all traffic (in and out) between different security domains.
The first step in determining a system’s security requirements is to conduct a survey. The survey identifies all the possible points of access and helps determine the number and location of firewalls needed in the system.
The firewall plays an important role in the overall protection of an industrial control network. The control system requires fast data throughput so that it can respond rapidly to changes in the operation. At the same time, the control system needs the protection of the firewall to block all unwanted and unauthorized traffic to devices, to ensure that the data they receive is correct.
Schneider Electric White Paper, Revision 0
Firewall categories
Three general categories of firewalls exist to protect industrial Ethernet applications. Each provides a different level of protection. The choice of firewall should be based on the application requirements, the level of risk that can be tolerated, and the impact on the system should it be targeted for attack. The three categories are described below:
• Packet Filtering Firewalls: These firewalls check each incoming or outgoing packet for its source address, destination address and function (protocol and port), and accept or reject it based on a comparison against a set of predefined rules called Access Control Lists (ACLs). This is a low cost solution that examines the packet headers only, not the payload, and keeps no record of the connections it has already seen. A skilled attacker can circumvent it: header fields such as the source address can be forged, and because the filter cannot recognise a reply it must leave standing rules open for return traffic, which any packet crafted to fit them will pass. Packet filtering firewalls are not recommended for high risk areas due to their lack of authentication and their inability to conceal the protected network’s architecture.
• Stateful Inspection Firewalls: These firewalls track the state of every connection that crosses them (for TCP, the handshake and the segments that follow it; for UDP, a pseudo-session keyed on the address and port pair) and admit a packet only if it opens a permitted connection or belongs to one that is already established. Inbound packets are therefore accepted only when they are replies to an outbound request the firewall has already seen, so no standing return-path rule is needed. Stateful inspection firewalls provide a high level of security and good performance but can be expensive and complex to configure. Validating application-layer content (deep packet inspection) is a separate capability that some products layer on top of state tracking.
• Application-Proxy Gateway: The application-proxy gateway terminates each incoming connection, examines the traffic at the application layer, filters it according to application-specific rules, and then reissues it to the target device. Application proxy gateways provide a high level of security, but the added processing introduces delays that affect the network performance of the control system. Their use directly in the control path is therefore not recommended.
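To make the difference between the first two categories concrete, the following Python model (an added example written for this article, not code from the paper or from Schneider Electric) runs one constructed packet trace through a stateless ACL filter and a stateful filter. It assumes a PLC at 192.168.10.5 on the trusted control network that pushes data to a PC-based historian at 10.0.1.20 listening on TCP port 5000, and an attacker who has taken over that historian; the addresses, the port numbers, the traffic pattern and the use of TCP/502 as the PLC service being probed are all assumptions.

```python
"""Stateless ACL filtering vs. stateful inspection over a constructed packet trace.

Added example, not Schneider Electric code. Addresses, ports and the traffic
pattern are assumptions chosen to illustrate the paper's point.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CONTROL_NET = "192.168.10.0/24"   # trusted side (assumed)
HISTORIAN = "10.0.1.20/32"        # PC-based historian on the untrusted plant network (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One ACL entry: CIDR strings for addresses, None means 'any' port."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    action: str         # "ACCEPT" or "DROP"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def first_match(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DROP"


class StatelessFilter:
    """Packet filter: every packet is judged on its header fields alone."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        return first_match(self.rules, p)


class StatefulFilter:
    """Stateful inspection: rules are consulted only for new connections (SYN);
    every other packet must belong to a connection already in the state table."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.table = set()   # 4-tuples of accepted connections, initiator first

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ACCEPT"          # reply or continuation of a known connection
        if p.syn and not p.ack:      # connection attempt: apply the policy
            action = first_match(self.rules, p)
            if action == "ACCEPT":
                self.table.add(fwd)
            return action
        return "DROP"                # mid-stream packet for a connection never opened


# Policy: the PLC may open connections to the historian on TCP/5000, nothing else.
OUTBOUND_ONLY = [Rule(CONTROL_NET, None, HISTORIAN, 5000, "ACCEPT")]

# A stateless filter cannot tell a reply from a fresh packet, so it needs a standing
# rule admitting anything from the historian's port 5000 into the control network.
STATELESS_RULES = OUTBOUND_ONLY + [Rule(HISTORIAN, 5000, CONTROL_NET, None, "ACCEPT")]

# Constructed trace: a legitimate PLC -> historian session, then two probes of the PLC.
TRACE: List[Tuple[str, Packet]] = [
    ("plc opens session",  Packet("192.168.10.5", 40000, "10.0.1.20", 5000, syn=True)),
    ("historian syn-ack",  Packet("10.0.1.20", 5000, "192.168.10.5", 40000, syn=True, ack=True)),
    ("plc sends data",     Packet("192.168.10.5", 40000, "10.0.1.20", 5000, ack=True)),
    ("historian acks",     Packet("10.0.1.20", 5000, "192.168.10.5", 40000, ack=True)),
    ("compromised historian probes plc", Packet("10.0.1.20", 5000, "192.168.10.5", 502, syn=True)),
    ("other plant host probes plc",      Packet("10.0.1.99", 51000, "192.168.10.5", 502, syn=True)),
]


def run(fw, trace=TRACE) -> dict:
    """Feed the trace through a filter and collect the decision for each packet."""
    return {label: fw.decide(p) for label, p in trace}


if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter(STATELESS_RULES)),
                     ("stateful", StatefulFilter(OUTBOUND_ONLY))):
        print(name)
        for label, verdict in run(fw).items():
            print(f"  {verdict:6} {label}")
```

The stateless filter accepts the compromised historian's probe of the PLC because its return-path rule matches on the historian's address and source port 5000 alone. The stateful filter drops the same packet because no PLC-initiated connection to 192.168.10.5:502 exists in its table, while the historian's genuine replies to the PLC's session are still admitted. This is what "all inbound packets are the result of an outbound request" buys in practice.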
Firewall application
The security goal of a factory or other industrial site is to protect the control network and all of its devices from attack. One consideration when implementing firewalls is the nature of the devices to be protected and how these devices are accessed as part of normal operation. When applying a firewall to separate the control network from the plant and corporate networks, the simple solution is to install a single firewall device at the connection point between the plant floor’s control network and the remainder of the plant and company networks. This approach is illustrated in Figure 2.
In the Figure 2 configuration, the firewall provides protection between the plant network and the control network. However, it does not isolate the Programmable Logic Controller (PLC) system from the Human Machine Interface (HMI) and Historian systems. These are often PC-based systems running standard operating systems, which makes them easier targets for attackers seeking to enter the system. They are accessed by devices on the plant network as well as by the PLC systems, increasing the risk that an attack reaches the PLC system controlling an operation or process. In addition, because these devices are PC-based they can be accessed by multiple users, who could intentionally or unintentionally introduce malware or corrupt the system. The simple act of loading a new version of a software package, or running another software package on the same PC, can introduce a risk to the PLC system.
The PLC system is traditionally based on a custom hardware design and utilizes a manufacturer-specific operating system. This makes the PLC system more difficult for an attacker to access, but it is by no means 100% safe. If a PC-based device such as an HMI or Supervisory Control and Data Acquisition (SCADA) system is on the same ‘trusted’ side of the firewall as the PLC, then there is a risk that an attack on the SCADA system will affect the PLC.
Figure 2: This illustration features a single firewall device at the connection point between the plant floor’s control network and the remainder of the plant and company networks. (Diagram: the corporate network and Internet; the plant network on the untrusted port; the firewall; the trusted port to the control network, which holds the HMI, the Historian and the PLC system with Ethernet I/O.)
The solution is to create a network architecture with a separate, isolated area for network devices such as HMIs, SCADA systems and Historians, one that can communicate with both the plant network and the PLC control system. This isolation is accomplished with two firewalls: one connecting the plant network to the HMI, SCADA systems and Historians, and a second connecting these devices to the PLC control system. The isolated area, referred to as the demilitarized zone (DMZ), provides a safe and secure means of sharing data between zones. Figure 3 illustrates this more secure configuration.
Figure 3: In this configuration, two firewalls are present in order to create a separate and isolated area to protect important assets. (Diagram: the plant and corporate network and Internet; the first firewall; the DMZ with a local server accessed by both the control and plant networks; the second firewall; the control network with the PLC system with Ethernet I/O.)
For critical control applications where it is necessary to isolate a particular control system from the other control systems on the control network, a firewall can be used to create an isolated zone. In applications such as emergency shutdown systems or the control of a critical process, the security provided by the additional firewall easily justifies its cost.
In Figure 4, two firewalls are used to create a DMZ between the plant network and the control network. The DMZ isolates the control network, and all of the control devices connected to it, from an attack coming from the plant or company networks. The control system in work cell 3 controls a critical process that requires a higher level of security, so a firewall is placed between the PLC in work cell 3 and the switch that connects the three work cells to the firewall in the DMZ. In this configuration, work cell 3 is protected from unauthorized access by devices that are inside the control network.
Figure 4: In this configuration, work cell 3 is provided the highest level of security. (Diagram: the plant and corporate network and Internet; the first firewall; the DMZ with a local server accessed by the control and plant networks; the second firewall; the control network with work cells 1, 2 and 3, whose PLC systems use remote I/O, multi-rack I/O and Ethernet I/O respectively; a third firewall in front of work cell 3.)
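The difference between the Figure 2 and Figure 3 architectures can be checked mechanically. The Python below is an added example for this article (not code from the paper or from Schneider Electric): it models each topology as hosts assigned to zones plus the flows each firewall permits, then computes what an attacker who starts on a plant-network PC can reach, assuming that any PC-based host with a reachable service can be compromised and used as a pivot (the paper's point about HMIs and historians being easier targets). The host names, service names and the rule that the DMZ devices may only pull process data from the PLC are assumptions; the paper does not specify them.

```python
"""Attacker reach in the single-firewall (Figure 2) and DMZ (Figure 3) architectures.

Added example, not Schneider Electric code. Host, zone and service names and the
permitted flows are assumptions used to illustrate the paper's architecture argument.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Services each host exposes (assumed). The PLC offers a process-data service used
# by the historian and HMI, and an engineering service that can change its program.
SERVICES: Dict[str, Set[str]] = {
    "corp-pc":   {"remote-desktop"},
    "hmi":       {"hmi-screen"},
    "historian": {"historian-query"},
    "plc":       {"process-data", "engineering"},
}

# Hosts on a general-purpose OS: taken to be compromisable once any of their
# services is reachable, after which the attacker continues from them. The PLC
# is only the asset being protected, not a pivot.
PC_BASED = {"corp-pc", "hmi", "historian"}


@dataclass
class Topology:
    zones: Dict[str, str]               # host -> zone
    flows: Set[Tuple[str, str, str]]    # (src zone, dst zone, service) a firewall permits


# Figure 2: one firewall; HMI and historian share the trusted zone with the PLC.
FIGURE_2 = Topology(
    zones={"corp-pc": "plant", "hmi": "control", "historian": "control", "plc": "control"},
    flows={("plant", "control", "historian-query")},   # the firewall lets plant hosts query the historian
)

# Figure 3: two firewalls; HMI and historian live in a DMZ between them.
FIGURE_3 = Topology(
    zones={"corp-pc": "plant", "hmi": "dmz", "historian": "dmz", "plc": "control"},
    flows={("plant", "dmz", "historian-query"),        # outer firewall
           ("dmz", "control", "process-data")},        # inner firewall: process data only, no engineering
)


def reachable_services(topo: Topology, foothold: str) -> Set[Tuple[str, str]]:
    """Every (host, service) the attacker can open from `foothold`, pivoting through
    PC-based hosts. Hosts in one zone reach each other with no firewall in between;
    across zones only the flows listed for that zone pair pass."""
    reached: Set[Tuple[str, str]] = set()
    footholds = {foothold}
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for host, services in SERVICES.items():
            if host == src:
                continue
            for svc in services:
                same_zone = topo.zones[host] == topo.zones[src]
                if same_zone or (topo.zones[src], topo.zones[host], svc) in topo.flows:
                    reached.add((host, svc))
                    if host in PC_BASED and host not in footholds:
                        footholds.add(host)      # compromised; continue from here
                        queue.append(host)
    return reached


def plc_exposure(topo: Topology, foothold: str = "corp-pc") -> Set[str]:
    """Which PLC services the attacker can ultimately reach from the foothold."""
    return {svc for host, svc in reachable_services(topo, foothold) if host == "plc"}


if __name__ == "__main__":
    for name, topo in (("Figure 2", FIGURE_2), ("Figure 3", FIGURE_3)):
        print(f"{name}: PLC services reachable from corp-pc -> {sorted(plc_exposure(topo))}")
```

In the Figure 2 model the attacker who takes over the historian is already on the PLC's own segment and reaches the engineering service; in the Figure 3 model the same compromise ends at the process-data service the inner firewall permits. The DMZ does not stop the historian talking to the PLC, since collecting data is its job; what it removes is every other path. The Figure 4 variant is modelled by adding a fourth zone for work cell 3 with no flows into it from the rest of the control network.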
Firewall capabilities
An industrial grade firewall provides protection from systems and devices that are connected to the unsecured plant and/or corporate networks. The firewall must be properly configured and located at the network access points to the control network. Listed below are some capabilities which help to enhance the effectiveness of the firewall:
• Configuration of a physical separation between the control network and the plant and corporate networks
• Segmentation of control networks into security zones
• Identification of an “untrusted” port for the connection of plant networks to corporate networks that are unprotected by a firewall
• Configuration of a “trusted” port for connection to the control network and its devices that are protected
• Configuration of a control network structure that is invisible to the outside so that hackers cannot determine the types of devices on the network
• Restriction of network traffic and selected services only to authorized devices while still allowing secure information to be viewed by authorized users
• Allowance of communication “handshaking” for port connections that include autonegotiation, autopolarity, autocrossing and full or half duplex modes
• Control of communications messages based on IP addresses of source and destination devices, categories of data that can be transmitted and received, and proper alignment of device access to the services provided
• Stateful packet inspection for assurance that all inbound data packets are the result of an outbound request
• Dynamic packet filter inspection of data packet source and destination addresses so that undesired traffic can be blocked
• Virtual Private Network (VPN) connection so that secure transfer of data over public networks to selected devices can be assured
• Protection from the flooding of devices with too much traffic or too many connections through use of a Denial of Service traffic limiter
• Provision of security alarm and event logging information that can indicate when an attack or device failure is occurring
• Determination of which protocols and services should run over which ports of a device
• Anti-virus protection capability for the HTTP, FTP, SMTP and POP3 protocols
• Encryption capabilities that include Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES); of these, only AES should be relied on today, since DES is no longer considered secure and 3DES is deprecated
• Network Address Translation (1:1 NAT) with support for FTP and the IRC chat protocol, and Point-to-Point Tunneling Protocol (PPTP) pass-through (in router modes)

“No firewall system is 100% impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere for easier targets to exploit.”
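Two of the capabilities listed above, the Denial of Service traffic limiter and security alarm logging, can be shown together. The Python below is an added example for this article (not Schneider Electric code): a per-source token bucket limits the rate of new connections to a protected device, and the first rejected attempt from each source raises an alarm event. The rate, burst size, addresses and the constructed traffic (an HMI polling once per second while another plant host floods the PLC with connection attempts) are assumptions.

```python
"""Per-source connection-rate limiting with alarm logging, over constructed traffic.

Added example, not Schneider Electric code. Limits, addresses and the traffic
pattern are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""
    rate: float
    burst: int
    last: float                       # time of the last update
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # a new source starts with a full burst allowance

    def take(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ConnectionLimiter:
    """Admits new connection attempts per source address within rate/burst. The
    first drop for a source is logged as an alarm so an operator can act on it,
    while well-behaved sources keep their own buckets and are unaffected."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}
        self.events: List[Tuple[float, str, str]] = []   # (time, level, message)
        self.alarmed: set = set()

    def attempt(self, now: float, src: str, dst: str, dport: int) -> str:
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        if self.buckets[src].take(now):
            return "ACCEPT"
        if src not in self.alarmed:
            self.alarmed.add(src)
            self.events.append((now, "ALARM",
                                f"{src} exceeded {self.rate:g} new connections/s to {dst}:{dport}"))
        return "DROP"


VERDICT_KEY = {"ACCEPT": "accepted", "DROP": "dropped"}


def simulate(rate: float = 2.0, burst: int = 5) -> Tuple[Dict[str, int], List[Tuple[float, str, str]]]:
    """Constructed traffic: HMI 10.0.1.10 polls PLC 192.168.10.5:502 once a second for
    five seconds; 10.0.1.99 fires 50 connection attempts within 0.1 s starting at t=2.
    Returns per-source accept/drop counts and the limiter's event log."""
    limiter = ConnectionLimiter(rate, burst)
    attempts = [(float(t), "10.0.1.10") for t in range(5)]
    attempts += [(2.0 + i * 0.002, "10.0.1.99") for i in range(50)]
    attempts.sort(key=lambda a: a[0])
    counts = {"hmi_accepted": 0, "hmi_dropped": 0, "flood_accepted": 0, "flood_dropped": 0}
    for now, src in attempts:
        verdict = limiter.attempt(now, src, "192.168.10.5", 502)
        who = "hmi" if src == "10.0.1.10" else "flood"
        counts[f"{who}_{VERDICT_KEY[verdict]}"] += 1
    return counts, limiter.events


if __name__ == "__main__":
    counts, events = simulate()
    print(counts)
    for when, level, message in events:
        print(f"t={when:.3f} {level}: {message}")
```

With a limit of 2 new connections per second and a burst of 5, the flooding host gets its first five attempts through and the remaining 45 are dropped with a single alarm raised at the first drop, while the HMI's polling is never touched because the accounting is per source. A limiter keyed on the destination alone would throttle the HMI along with the attacker, which is the failure mode to avoid on a control network.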
Firewall limitations
A properly configured firewall will not protect against the following:
• Unauthorized access through connections that do not pass through the firewall (such as a dial-up modem)
• Internal attacks where the attacker bypasses the firewall and connects directly to the control system
• Software vulnerabilities in packages used in the control system, such as HMI or SCADA software, that do not have up-to-date patches
• User error and social engineering
• Viruses or malware that enter the control system through an unprotected connection
Industrial vs. IT grade firewall
In most organizations, the IT group is tasked with Ethernet security installation, maintenance of firewalls, and other security measures. IT team members should be part of the industrial system survey process, but the selection of firewall devices should be based on the needs and capabilities of the control engineers who will implement and maintain the firewalls as part of the control systems. Industrial grade firewalls differ from commercial/IT grade firewalls. In control applications where interruptions in operation cannot be tolerated, an industrial grade firewall is the correct choice. Table 1 illustrates some of the important differences between IT and industrial firewalls.