_4: Firewalls for OT/ICS

Generally, firewalls are used to restrict incoming traffic to a network and outgoing connections from a network.  Nowadays, firewalls have advanced tremendously and the technology is constantly evolving.  Traditionally, firewalls have been used at the borders of private network/s facing untrusted network/s.  With today's advancement in firewall/networking technology, it's becoming more popular to have a distributed firewall system to control even the most minutiae of network traffic.  Today, there are network products on the market that can run as a virtual firewall container on layer 2 switches, while stitched with management software for configuration and control from single pane of glass.  Heck, there products with these features built into the switches and firewalls with control from a single pane of glass management.  In addition, they have the capability to do deep packet inspection and control on OT/ICS protocols.  How cool is that?

In OT environments, it has become critical to utilize an distributed firewall methodology through out the OT network to protect different areas of the plant, especially critical systems like safety control systems, chlorine gas control systems and the like. The firewall's duty is to inspect and control at the lower layer of a network packet like traditional IT firewalls, but also at the application layer where most if not all OT/ICS protocols reside in for a modern network.  The main goal is to prevent device communication where it is unwanted and only allow device communication where needed.  That's very important to understand here, "ONLY ALLOW DEVICE COMMUNICATION WHERE NEEDED".  We want to take a whitelisting approach to OT/ICS Cybersecurity because we should already have a clear understanding of our plant's OT/ICS network communication.  This really comes down to understanding what assets are talking to what on the plant floor and the communication must evaluated if they're really needed or if it's just a good to have.

After procuring and installing your firewalls, don't make the mistake thinking that security policies are just suppose to magically appear after turning on the power switch.  You also need to program (or configure) the proper Access Control Lists (ACLs) and policies to get the results that you had planned for. This is why its a good idea to have an understanding of the devices that are on your network, what devices are communicating, and what protocols are utilized to properly build these ACLs and policies.

There are also things that you should consider like disabling ICMP packets to flow between different area or security zones within your network, creating a blacklist ACL on the public port of your firewall to drop VPN connection, enabling MFA for all VPN connections just to name a few.  The list goes on and on and on.  To take a defense-in-depth approach, VPN should only be utilized on IT Firewalls.  Cybersecurity is a team effort so it's best to partner with the IT Team and have VPN administered and monitoring by them.  OT Firewall internet connections should be eliminated or limited as per IEC62443 - restricting communication conduits.  Imagine you're trying to close the holes in your defense during a breach and you don't know which spider-web communication conduit the breach is coming from.  You must take a phased approach to cybersecurity initiatives and ensure you have the company's best interest at heart.  Consult with professionals in the community for guidance whenever needed so we all can better protect critical infrastructures and manufacturers.  

From OT/ICS Firewalls to home use, below is a firewall by Firewalla that I use for my home network.  Want to learn how FIrewalls works and how to apply these concepts to OT/ICS environments?  Get your hands on a Firewalla.  Firewalla products are created by previous Cisco engineers with quick and easy setup.  Firewalla configurations are done through an app where policies and rules are setup by the swipe of your fingers.  I'm able to restrict internet traffic and control which apps my kids are able to access.  I'm able to review dropped traffic whenever I'm troubleshooting my kids' internet connection and come to a realization that I created ACLs to drop all internet communication last Sunday night when they wouldn't finish their homework.  Definitely a great tool to secure your home or small business network, and a great tool to leverage to ensure your kids are completing their homework on time/fulfilling house chores.  If interested in purchasing,  please support my page by using my affiliate link below.

Firewalla Affiliate Link

Photo Courtesy of Firewalla