Top considerations in implementing industrial network security
Industrial control networks help facilitate efficient and safe operations in vital sectors, including utilities, oil and gas, water, transportation, and manufacturing. A major concern of multi-purpose networks is a new class of threats that targets industrial automation systems. Legacy networks are particularly vulnerable to malicious network attacks or unintended operations since they tend to lack proper security measures. Once compromised, these legacy networks can become back doors that allow attackers and unauthorized personnel to gain access to corporate networks. Here are the top 7 considerations when planning a firewall deployment for your industrial network.
- No network change required. Deploying a new firewall can be a complicated process for your industrial control networks. The first consideration is to determine the right firewall type for your network.
  - A routed firewall is deployed between the plant network and the enterprise network and at the perimeter of the different network zones. Although a routed firewall provides the most capability and flexibility, substantial network configuration may be required.
  - A transparent firewall is suitable for protecting critical devices or equipment inside a control network where network traffic is exchanged within a single subnet. A transparent firewall does not participate in the routing process and can be installed in the network without having to reconfigure IP subnets.
- Filtering performance and latency. In general automation applications, a response time in milliseconds is required to enable real-time applications. Although many vendors claim maximum performance for their firewalls based on benchmarks, in the real world hundreds of firewall rules may be active at once to filter traffic in a control network, casting doubt on the actual firewall performance.
- Industrial protocol filtering. General firewalls can filter data at the IP or MAC layer to prevent unauthorized access to critical equipment, but that is not enough for industrial control networks. What is needed are well-designed firewalls that can allow or deny traffic based on the industrial protocol in use, so that control data commands can be checked at the application layer. One such solution is Modbus TCP deep packet inspection.
- Industrial-grade design for harsh environments. In industrial applications, firewalls are often located in cabinets under harsh conditions. A firewall for industrial applications should comply with industry standards, which could include C1D2 (oil and gas), NEMA TS2 (transportation), EN 50121-4 (trackside), and UL (factory automation).
- Firewall event logging and notification. Event logging is critical to ensure that the firewall rules are implemented and functioning properly. In addition, a good log file maintenance plan allows the review of any security events or issues.
- Easy mass deployment of firewall rules. There are two ways to mass deploy firewall rules: batch command (through the command line interface) and centralized firewall management software.
- Intuitive configuration interface. An industrial firewall should include a command line interface, a graphical user interface, and, preferably, a firewall setup wizard to allow administrators to get firewalls up and running in the field within minutes.
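The application-layer check described under "Industrial protocol filtering", as an added example (not code from the original article or from any firewall product): a minimal Modbus TCP request inspector that validates the MBAP header and then allows or denies by function code and register address. The policy (read codes allowed, writes only to registers 100-109 on unit 1) and the `build_frame` helper are assumptions made for illustration.

```python
import struct

# Assumed policy for this example: reads are allowed, writes only to an
# allow-listed holding-register range per unit id (values are hypothetical).
READ_CODES = {0x01, 0x02, 0x03, 0x04}
WRITE_RANGES = {1: range(100, 110)}  # unit id -> writable register addresses

def build_frame(unit, pdu, tid=1, proto=0):
    """Build a constructed sample request: MBAP header + PDU."""
    return struct.pack(">HHHB", tid, proto, len(pdu) + 1, unit) + pdu

def inspect(frame):
    """Return (allow, reason) for one Modbus TCP request frame."""
    if len(frame) < 8:
        return False, "truncated frame"
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "protocol id is not 0 (Modbus)"
    # The MBAP length field counts the unit id plus the PDU (max 1 + 253).
    if length != len(frame) - 6 or length > 254:
        return False, "MBAP length mismatch"
    pdu = frame[7:]
    fc = pdu[0]
    if fc in READ_CODES:
        return True, "read allowed"
    if fc == 0x06 and len(pdu) == 5:            # Write Single Register
        first, count = struct.unpack(">H", pdu[1:3])[0], 1
    elif fc == 0x10 and len(pdu) >= 6:          # Write Multiple Registers
        first, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        if not 1 <= count <= 123 or nbytes != 2 * count or len(pdu) != 6 + nbytes:
            return False, "malformed write request"
    else:
        return False, "function code not permitted"
    allowed = WRITE_RANGES.get(unit, range(0))
    if all(addr in allowed for addr in range(first, first + count)):
        return True, "write allowed"
    return False, "write outside allow-listed registers"

if __name__ == "__main__":
    samples = {  # constructed sample requests
        "read holding regs": build_frame(1, struct.pack(">BHH", 0x03, 0, 10)),
        "write reg 105": build_frame(1, struct.pack(">BHH", 0x06, 105, 1234)),
        "write reg 500": build_frame(1, struct.pack(">BHH", 0x06, 500, 1)),
        "diagnostics": build_frame(1, struct.pack(">BHH", 0x08, 0, 0)),
    }
    for name, raw in samples.items():
        print(name, inspect(raw))
```

An IP- or MAC-layer rule would treat all four sample requests identically, since they share the same source, destination and port; only the function code and register address distinguish them.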
With effective and reliable industrial firewalls, securing control networks in the field and ensuring maximum system uptime has never been easier.