Cybersecurity is all the rage now with everyone wondering if someone is peeking under their petticoats or will hack their control system and take over their process, a la Stuxnet, leading to a disaster. This is an important issue that requires a careful approach of engineering analysis and design to keep the barbarians at the gate and out of our kingdom. IT networks are being subjected to an increased level of cyber threats, and all the pundits are predicting that industrial control systems (ICS) are next, with a good dose of doom and gloom. When the corporate or enterprise IT network is connected (directly or indirectly through the plant network) to the ICS network, or when there are sneak-path connections to the Internet, cyber threats have doorways they can try to open in order to penetrate the ICS and do harm.
Firewalls play an important role in blocking and containing external and internal cyber threats that could impact process control system availability, reliability and productivity, and potentially impact safety. The selection of firewalls, their locations and the protection they provide should be part of a holistic cybersecurity assessment and protection plan based on a risk-based assessment and good engineering practice.
The topic of firewalls is surprisingly complex, and requires a good amount of study to be competent in their application and support. The intent of this article is to discuss some of the basics of applying firewalls in ICS systems by looking at them from the perspective of the functional data flow in the industrial control system, without too much technical IT geek-speak.
The world of the industrial control system is a substantially different world than your standard IT environment, and has given birth to a brand-new buzzword and acronym: operational technology (OT). ICS and their firewalls fall into the OT realm. The types of digital transactions in an ICS are substantially limited when compared to general-purpose IT computer networks. The ICS is purpose-built to transfer a limited range of data types and functions, such as measurements, setpoints, status, alarms, calculated values, control signals, etc. Some configuration and programming is also done across the ICS network via engineering workstations. While there is typically an Internet connection to the plant network, or possibly indirectly through the enterprise network, there should not be any direct, continuous connection of the ICS network to the Internet, even through a firewall. However, there may have to be temporary connections to the Internet to download software updates and patches, which should always be done through a firewall, and special care must be taken when doing so to control the transfer and ensure that a cyber threat does not sneak in.
Standards and layers
ISA is aware of the issues and hazards of cyber threats to ICSs, and commissioned the ISA 99 committee in 2002 to address the issue of cybersecurity in industrial automation and control systems (IACS/ICS). This committee's goal was to develop a series of standards and technical reports to address the issue of cybersecurity in IACSs/ICSs. The committee's work later became known as the ANSI/ISA-99 standards, and in 2010 was harmonized with the International Electrotechnical Commission and became ISA/IEC-62443, "Network and system security for industrial-process measurement and control."
One of the methods in the technical report ANSI/ISA/TR99-2007 to fight cybersecurity intrusions is through the use of zones and conduits. The basic idea is to divide the ICS and connected systems into smaller functional chunks, i.e., zones, to provide isolation from each other and to provide defense-in-depth capability. A communication "conduit" is provided between zones, which allows a zone to communicate with another connected zone. At each conduit, there is essentially a doorway that controls the digital transactions in and out of a zone. This transaction control is commonly performed by a firewall or a data diode (hardware-enforced unidirectional gateway). The concept of protection by zones and conduits is illustrated in Figure 1 for a chemical plant-type environment. Also note that the ICS in Level 2 is divided into the basic process control system (BPCS), which includes the human-machine interface (HMI), and the safety instrumented system (SIS). Level 1 consists of the field instruments for the SIS and BPCS.
From Figure 1, we can see that the enterprise or corporate system zone (Level 4) is connected to the plant computer network system (called the plant DMZ, Level 3), which is usually a general-purpose computer network, and is typically connected through a stateful-type IT firewall to the enterprise system. The plant DMZ (Level 3) is connected to the ICS (BPCS, Level 2) typically through a specialized firewall or security appliance (a term used by some manufacturers to differentiate their product), which in turn is connected to the SIS (Level 2), again through a specialized firewall or security appliance. If the ICS is large enough or has separate functional areas (e.g. PLCs or process areas), there may be more defined zones, each with its own specialized firewall or security appliance.
SCADA systems can have different zones and conduits due to the geographical distribution of their components and control functions. It's typical to have a stateful firewall at the central control center's connection to the enterprise network. A specialized firewall or security appliance should be in place between the central control center and the distributed control locations (typically RTU sites), and another specialized firewall or security appliance at each control location. Firewalls are required at both ends because of the geographical distribution; an attacker who compromises one of the control locations could otherwise use it as a back door into the control center. Depending on the design, there may or may not be separate SIS zones.
IT vs. ICS networks
Computers in networks perform digital transactions to accomplish tasks. Plant networks are typically Ethernet-based over fiber, and commonly connected to the outside world via a connection to the Internet. They are the realm of the IT department, but there's an overlap where they connect to the ICS. While it may go against the grain of many control engineers to associate with IT personnel, for the sake of cybersecurity, making a friend with your local (hopefully friendly) IT guy is a good idea. Maintaining these networks against cyber threats requires quite a bit of work and skill, so all the help you can get will be good in the long run.
The enterprise network (Level 4) and the plant DMZ network (Level 3) are typically IT networks, and they'll have a firewall at the system connection to the Internet as well as to each other and any other connected network. General-purpose IT firewalls are unsuitable for ICSs because they're essentially packet filters with some smarts. They generally can't distinguish at the application level which ICS data transactions/traffic packets to explicitly allow, and can let packets through without knowing if what they contain may be hazardous to our ICS. Smart hackers are always looking for and finding vulnerabilities to access these networks, which can lead to a cyber threat penetration into the ICS.
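To make the zone/conduit idea and the application-level distinction concrete, here is an added illustration (not code from the article or from any product it mentions) that contrasts a port-only packet-filter rule with an ICS-aware conduit rule for Modbus/TCP, a common ICS protocol chosen here as an assumption; the zone names, the policy table and the two request frames are all constructed for the example.

```python
import struct

# Constructed Modbus/TCP request frames: MBAP header (transaction id 2 bytes,
# protocol id 2, length 2, unit id 1) followed by the PDU (function code + data).
READ_HOLDING = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000A")  # FC3: read 10 regs
WRITE_SINGLE = bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "1234")  # FC6: write reg 16

def parse_modbus_tcp(frame: bytes) -> dict:
    """Return MBAP fields and function code, rejecting malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7]}

# Conduit policy (hypothetical): (source zone, destination zone) -> function
# codes explicitly allowed. The plant DMZ (Level 3) may only READ from the
# BPCS (Level 2); the BPCS may only read status/inputs from the SIS.
CONDUIT_POLICY = {
    ("L3_DMZ", "L2_BPCS"): {1, 2, 3, 4},   # read coils / inputs / registers
    ("L2_BPCS", "L2_SIS"): {2, 4},         # discrete inputs / input registers
}

def packet_filter_allows(dst_port: int) -> bool:
    """Generic IT firewall rule: anything addressed to TCP/502 passes,
    including setpoint writes, because the payload is never inspected."""
    return dst_port == 502

def ics_filter_allows(src_zone: str, dst_zone: str, dst_port: int, frame: bytes) -> bool:
    """ICS-aware conduit rule: port, protocol AND function code must all match,
    and the conduit must exist; anything else is denied by default."""
    if dst_port != 502:
        return False
    try:
        fc = parse_modbus_tcp(frame)["fc"]
    except ValueError:
        return False  # malformed or non-Modbus traffic is dropped, not passed
    return fc in CONDUIT_POLICY.get((src_zone, dst_zone), set())
```

Both frames pass the port-only rule, but only the read request passes the conduit rule from the DMZ to the BPCS; the write and any traffic on an undefined conduit are dropped.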
IT isn't usually the right department to control ICS firewalls, because its personnel typically don't understand what goes on in the ICS. IT personnel should be knowledgeable about IT firewalls, and the control engineer can define the allowable control system transactions that should pass through the IT firewalls, but control of the ICS firewalls should rest with the control engineering department, with the assistance of the IT department. Physical access to the ICS firewalls should be controlled, all firewall passwords should be changed from their defaults, and each firewall should have a different password.