Security threats to industrial networks can originate either internally or externally and, if realized, cause significant damage to remote automation systems, compromise staff safety and lead to production losses. An industrial firewall should be used to protect mission-critical infrastructures and
Layered Defense-in-Depth Cybersecurity for Automation
IEC 62443 is an industrial security standard promoted by several national organizations; following it improves the security of your network. The standard defines the “zone and conduit” security model, which is implemented with a defense-in-depth strategy across three layers:
- Factory Site: Protecting the entire local site and securing remote data transmissions from the control centers.
- Function Zone: Protecting data transmissions from multiple device cells and critical devices.
- Device Cell: Protecting the data collected from multiple field devices, such as I/Os, meters, or IP cameras.
While communications within a zone are less restricted, different zones must communicate with each other only through a single point called a conduit, which is usually protected by a secure router or firewall. The conduits are robustly protected to allow only the specific data that is needed to coordinate the functions of the different zones. Any communication that is irrelevant to the function of a certain zone, such as HTTP traffic sent into a Modbus TCP zone, is blocked by the secure router.
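The following is an added example, not part of the original text or any vendor's product, that models the zone-and-conduit policy just described: zones are defined as subnets, conduits are a default-deny allow-list of inter-zone flows, and traffic inside a single zone passes unfiltered. The zone names, subnets, ports and sample flows are all constructed for illustration; the HTTP-into-Modbus-zone case from the text is one of the flows checked.

```python
"""Zone-and-conduit policy check (added example, not from the original page).

Three IEC 62443-style zones are modelled as subnets. A conduit rule table is
default-deny: a flow crossing zones is allowed only if a rule explicitly
permits that source zone, destination zone, protocol and port. Traffic that
stays inside one zone is not filtered by the conduit.
All zone names, subnets, ports and sample flows below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: each zone is identified by one subnet.
ZONES = {
    "control_center": ip_network("10.0.0.0/24"),
    "plc_cell": ip_network("10.0.10.0/24"),     # Modbus TCP devices
    "camera_cell": ip_network("10.0.20.0/24"),  # IP cameras
}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class ConduitRule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Conduit allow-list: only what the zones need in order to coordinate.
# Rules describe connection initiation; replies belong to the same session.
CONDUIT_RULES = [
    ConduitRule("control_center", "plc_cell", "tcp", 502),     # Modbus TCP polling
    ConduitRule("control_center", "camera_cell", "tcp", 554),  # RTSP video
]


def zone_of(addr: str) -> str | None:
    """Map an IP address to the zone whose subnet contains it, or None."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a flow seen at the secure router."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside any defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    for rule in CONDUIT_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (
            src_zone, dst_zone, flow.proto, flow.dport
        ):
            return "allow", f"conduit {src_zone}->{dst_zone} permits {flow.proto}/{flow.dport}"
    return "deny", f"no conduit rule for {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


# Constructed sample flows, including the HTTP-into-Modbus-zone case.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.10.7", "tcp", 502),    # SCADA host polling a PLC
    Flow("10.0.0.5", "10.0.10.7", "tcp", 80),     # HTTP into the Modbus zone
    Flow("10.0.10.3", "10.0.10.7", "tcp", 80),    # HTTP between two PLC-cell hosts
    Flow("10.0.20.4", "10.0.10.7", "tcp", 502),   # camera cell reaching a PLC
    Flow("192.168.1.1", "10.0.10.7", "tcp", 502), # address outside every zone
]


def evaluate_all(flows=SAMPLE_FLOWS) -> dict[Flow, str]:
    """Evaluate each flow and return its verdict keyed by the flow."""
    return {flow: evaluate(flow)[0] for flow in flows}


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The rules match on the direction in which a connection is initiated; a real conduit firewall is stateful and admits the replies of an allowed session without a separate rule. Note that the camera-cell-to-PLC flow is denied even though Modbus TCP is allowed into the PLC cell from the control center: a conduit is specific to the pair of zones, not to the protocol alone.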
Firewalls for Critical Infrastructure Protection
The industrial firewall protects critical network devices such as PLCs, RTUs, and DCSs by isolating network segments so that a fault in one segment does not interrupt communication between devices. The high-performance firewall blocks unauthorized connections to critical devices without degrading the network performance of legitimate traffic. In addition, the firewall can protect and isolate the network when broadcast storm packets accumulate from a malfunctioning device.
VPN for Secure Remote Access
The firewall should provide IPsec and L2TP functions to create secure, encrypted tunnels for remote access between industrial networks and remote locations, such as water and wastewater, oil and gas, power, or intelligent transportation system networks.
Software for Security Configuration and Management
Centralized software makes security configuration and management easy. A security wizard can assist users in configuring the security features with built-in security profiles. Furthermore, the software should notify users when secure routers are under attack, alerting operators to pending attacks or probing of the network.