Firewall SCADA/ICS/OT

The document discusses the role of firewalls in industrial networks, highlighting the differences between IT and OT firewalls, their architecture, and key functions in protecting operational technology environments. It emphasizes the importance of firewall policies, the risks of misconfiguration, and best practices for enhancing ICS firewall security. Additionally, it covers challenges in implementing OT firewalls and the significance of security monitoring and logging in ICS/OT environments.

Uploaded by deepak Verma

Understanding Firewalls and Their Role in Industrial Networks
A firewall is a device placed between an organization's internal network and external networks to control traffic flow.
It selectively forwards or blocks packets based on rules, protecting specific hosts or services from unauthorized
access.

Firewalls monitor network traffic at the network level, working with routers to filter packets and ensure security. This
presentation explores the differences between traditional IT firewalls and specialized industrial firewalls, their
architecture, and their critical role in protecting operational technology environments.

Presented by Deepak Kumar
NIIT University
MT24GCS704
Industrial/ICS/OT Firewall
Specialized Protection: Industrial firewalls secure industrial control systems (ICS) and SCADA systems, defending against cyber threats unique to industrial environments.

Designed for Harsh Conditions: Built to withstand the extreme temperatures, vibration, and electromagnetic interference common in industrial settings.

Key Functions: Include stateful inspection, intrusion detection/prevention, VPN support, access controls, and application-layer filtering.

OT vs. IT Firewalls: Key Differences


IT Firewalls: Protect enterprise networks and data centers from malware, unauthorized access, and intrusions. Typically deployed at network perimeters using traditional security measures.

OT Firewalls: Designed for operational technology systems like ICS and SCADA. Prioritize uptime, are optimized for low-latency, real-time communication, and are built to endure industrial conditions.
OT Firewall Architecture – Purdue Model
(The level labels below are this presentation's own; in the conventional Purdue reference model, Levels 4 and 5 make up the enterprise zone and the IT/OT boundary is the Level 3.5 DMZ.)

Firewall Between Level 5 (Internet DMZ) and Level 4 (Enterprise Admin)

• Purpose: Blocks direct access from the internet to internal business systems.
• Protection:
  - Prevents external attackers from reaching enterprise services (e.g., file servers, databases).
  - Enables VPN or proxy-based controlled access.
• Typical Features: IDS/IPS, geo-IP filtering, SSL/TLS inspection, application-layer filtering.
Firewall Between Level 4 (Enterprise Admin) and Level 3 (Operations Admin)

• Purpose: Acts as the critical segmentation layer between the IT domain (Level 4) and the OT domain (Level 3).
• Protection:
  - Prevents unauthorized enterprise devices from accessing OT systems.
  - Mitigates risks from phishing-compromised desktops in Level 4.
• Important Rule: Only allow explicitly whitelisted traffic (e.g., OPC UA, Modbus, or historian traffic), and only over the conduits defined between zones per IEC 62443; everything else is denied by default.
Firewalls Within Level 3: Segmentation Between Operational Subdomains

• Purpose: Isolate components such as:
  - Historian
  - Domain Controller
  - Monitoring systems
  - 3rd-party integration points
• Protection:
  - Prevents compromise of one Level 3 asset from spreading to the others.
  - Protects monitoring systems from misconfigured or malicious devices.
Example: Even if a 3rd-party system is compromised, it cannot reach the domain controller or historian without passing through another firewall.
Firewalls Between Level 3 and Level 2 (Supervisory Control)

• Purpose: Enforces the boundary between administrative OT systems and real-time control systems.
• Protection:
  - Blocks rogue traffic (e.g., unauthorized software updates or lateral scanning).
  - Allows only necessary command/monitoring traffic (e.g., read-only historian polling).
This is the most critical control point: an attacker who gets past it can directly influence the physical process.
Edge Firewalls Within Level 2: Micro-Segmentation

• Purpose: Optional, but increasingly recommended, segmentation inside the control zone itself.
• Protection:
  - Micro-segmentation between work cells, PLCs, or HMIs.
  - Granular policies, e.g., "HMI A can talk to PLC A but not PLC B."
This reflects modern ICS designs, which adopt distributed firewalls or zoned architectures for resilience.
ICS Edge Firewalls: Enhancing Security

Closer to Equipment: Edge firewalls are placed near individual equipment to enable micro-segmentation and isolate devices effectively.

New Concept: Unlike core ICS firewalls, edge firewalls are a relatively recent addition to ICS security architectures.

Defense in Depth: They support IEC 62443 principles such as Defense in Depth and Secure Zones and Conduits for layered protection.
Firewall Policy and Misconfiguration Risks
Policy Importance
No doubt that a firewall and a demilitarized zone (DMZ) network architecture are a must to protect ICS networks from unauthorized access. However, this protection is only as good as the firewall policy (rules) and the security of the firewall itself. A good firewall policy requires precise planning, an accurate change workflow, and continuous monitoring of any changes to the policy, the network design, and the firewall configurations.

Misconfiguration Dangers
Any misconfiguration of the firewall rules creates a false sense of security and can allow unauthorized access to the ICS network. Gartner predicted that through 2020, 99% of firewall breaches would be caused by firewall misconfigurations rather than firewall flaws. Another study reported that open firewall rules ("Any-Any" rules that allow any traffic) are a major problem, and that one out of five firewalls has one or more configuration issues.
Limitations of Firewalls and Additional Measures

Firewall Limits
Firewalls only block traffic that their rules deny; they cannot stop attacks carried over permitted protocols (a malicious Modbus write on an allowed TCP/502 conduit looks like any other write), nor threats that originate inside the protected zone.

Intrusion Detection
Intrusion Detection Systems (IDS) are needed to detect attacks that pass through the firewall's allowed rules.

System-Level Controls
Application whitelisting, hardening, and host-based controls help prevent malware introduced via USB drives, mobile devices, and dial-up connections, which never cross the firewall at all.
Best Practices for ICS Firewall Security
Review and Fix Rules
Periodically audit firewall policies to fix misconfigurations and remove unnecessary rules, ideally automating the detection of rule changes against an approved baseline.

Zero Trust Access
Access rules should follow zero trust and least privilege principles, allowing only the connections a process actually needs.

Route All Connections
Ensure all ICS network connections, including vendor remote access, pass through the firewall with no bypass path (no dual-homed hosts, modems, or cellular gateways around it).

Network Segmentation
Segment ICS networks into security zones for granular access control and defense in depth.
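The conduit rule at the Level 4/Level 3 boundary, the "HMI A can talk to PLC A but not PLC B" policy, the any-any misconfiguration problem and the "review and fix rules" practice above all come down to one thing: a rule set that is evaluated first-match with an explicit default deny, and that is audited and compared against a baseline. The following Python is an added example, not code from the presentation or from any firewall product; the addresses, zone names and rule names are constructed for illustration. It models a small Level 3 to Level 2 conduit policy, evaluates sample flows against it, flags an any-any rule and the rules it shadows, and fingerprints the policy so drift from the approved baseline can be detected automatically.

```python
"""Zone/conduit policy model: first-match evaluation with default deny, plus an audit.
Added example (not from the presentation); addresses, zones and rule names are constructed."""
from dataclasses import dataclass, asdict
import hashlib
import ipaddress
import json

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # IPv4 CIDR or "any"
    dst: str     # IPv4 CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    dport: str   # destination port as a string, or "any"
    action: str  # "allow" or "deny"

def _net_matches(cidr, ip):
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def matches(rule, flow):
    """True if the rule applies to a flow dict with src, dst, proto, dport."""
    return (_net_matches(rule.src, flow["src"]) and _net_matches(rule.dst, flow["dst"])
            and rule.proto in (ANY, flow["proto"]) and rule.dport in (ANY, str(flow["dport"])))

def evaluate(policy, flow):
    """First-match evaluation; a flow that no rule mentions is denied."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"

def _net_covers(x, y):
    if x == ANY:
        return True
    if y == ANY:
        return False
    return ipaddress.ip_network(y, strict=False).subnet_of(ipaddress.ip_network(x, strict=False))

def _covers(a, b):
    """True if rule a matches every flow rule b could match, so b can never fire."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in (ANY, b.proto) and a.dport in (ANY, b.dport))

def audit(policy):
    """Flag any-any allows, allows with an open source or destination, shadowed rules, missing final deny."""
    findings = []
    for i, rule in enumerate(policy):
        fields = (rule.src, rule.dst, rule.proto, rule.dport)
        if rule.action == "allow" and all(f == ANY for f in fields):
            findings.append(f"{rule.name}: any-any allow rule")
        elif rule.action == "allow" and ANY in (rule.src, rule.dst):
            findings.append(f"{rule.name}: allow rule with an open source or destination")
        for earlier in policy[:i]:
            if _covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}")
                break
    last = policy[-1] if policy else None
    if last is None or last.action != "deny" or not all(f == ANY for f in (last.src, last.dst, last.proto, last.dport)):
        findings.append("no explicit final deny-all rule")
    return findings

def fingerprint(policy):
    """Stable hash of the normalized rule set; compare with the approved baseline to detect changes."""
    return hashlib.sha256(json.dumps([asdict(r) for r in policy], sort_keys=True).encode()).hexdigest()

# Constructed Level 3 -> Level 2 conduit policy (hypothetical addresses).
HISTORIAN, ENGINEERING_WS, LEVEL2_PLCS = "10.3.0.10/32", "10.3.0.20/32", "10.2.0.0/24"
CONDUIT_POLICY = [
    Rule("historian-modbus-read", HISTORIAN, LEVEL2_PLCS, "tcp", "502", "allow"),
    Rule("engws-opcua", ENGINEERING_WS, LEVEL2_PLCS, "tcp", "4840", "allow"),
    Rule("deny-all", ANY, ANY, ANY, ANY, "deny"),
]
# The same policy after a "temporary" troubleshooting rule was added at the top and never removed.
MISCONFIGURED_POLICY = [Rule("temp-troubleshooting", ANY, ANY, ANY, ANY, "allow")] + CONDUIT_POLICY

# Constructed flows: a historian poll, a Level 4 desktop reaching for a PLC, an unapproved protocol.
SAMPLE_FLOWS = {
    "historian-poll": {"src": "10.3.0.10", "dst": "10.2.0.5", "proto": "tcp", "dport": 502},
    "desktop-to-plc": {"src": "10.4.1.77", "dst": "10.2.0.5", "proto": "tcp", "dport": 502},
    "historian-enip": {"src": "10.3.0.10", "dst": "10.2.0.5", "proto": "tcp", "dport": 44818},
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:15} good={evaluate(CONDUIT_POLICY, flow)} bad={evaluate(MISCONFIGURED_POLICY, flow)}")
    print("audit(CONDUIT_POLICY):", audit(CONDUIT_POLICY))
    print("audit(MISCONFIGURED_POLICY):", audit(MISCONFIGURED_POLICY))
    print("policy drifted from baseline:", fingerprint(CONDUIT_POLICY) != fingerprint(MISCONFIGURED_POLICY))
```

Running it shows that the "temporary" any-any rule not only lets the Level 4 desktop reach the PLC, it also makes every rule after it dead, including the final deny. An audit that checks for shadowing catches this even though the original conduit rules are still present and look correct on their own; comparing the fingerprint with the approved baseline catches the change the moment it is pushed.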
Case Study: Triton/Trisis Malware Attack
In 2017, the Triton/Trisis malware targeted Schneider Electric's Triconex safety instrumented system (SIS) controllers at a petrochemical plant, attempting to reprogram the safety controllers themselves. The intrusion was discovered when the controllers failed safe and tripped the process, before the malware caused physical damage, but it showed that attackers had reached the safety layer. This incident underscores the need for robust ICS firewall protection around safety systems and layered security measures to defend against sophisticated cyberattacks targeting them.
Case Study: Maroochy Shire Sewage Spill
1. Incident Overview
A disgruntled ex-contractor remotely accessed a Queensland sewage plant's SCADA system, releasing over 800,000 liters of raw sewage into public areas.

2. Firewall Misconfiguration
Lack of proper firewall and access control allowed direct PLC command access via a remote wireless (radio) link.

3. Impact
Environmental damage, marine life deaths, public health risks, and over $170,000 in damages and reputational harm.
Purdue Quiz: Firewall Edition
Core Differences Between OT and IT Firewalls

OT Firewalls | IT Firewalls
Designed for securing Industrial Control Systems (ICS), SCADA, and other OT environments | Designed for protecting enterprise IT networks and data centers
Built to operate in harsh industrial conditions (e.g., heat, vibration, EMI) | Operate in standard office/data center environments
Optimized for low-latency, real-time communication critical to industrial processes | Can tolerate higher latency; optimized for data throughput and encryption
Understand and inspect OT-specific protocols (e.g., Modbus, DNP3, IEC 60870-5-104) | Support general IT protocols (e.g., HTTP, HTTPS, FTP, SMTP)
Integrate with PLCs, RTUs, HMIs, and industrial SIEMs | Integrate with enterprise servers, cloud services, and IT SIEMs
Defend against threats to physical operations and safety | Protect data from loss, theft, or unauthorized access
Deployed deep within industrial networks (e.g., between control and field levels) | Deployed at the network perimeter or between network segments
Which Firewall Is Used in an OT Environment: Stateless or Stateful?

Stateless vs Stateful Firewalls in Industrial Settings

Stateless Firewalls
• Analyze packets independently, without session context.
• Filter based on source/destination IP, protocol and port.
• Vulnerable to spoofing and cannot block unsolicited inbound traffic that happens to match a reply rule.

Stateful Firewalls
• Track communication sessions for context-aware filtering.
• Allow inbound traffic only if it matches a session opened from the permitted side.
• Limit new connections to prevent attacks and provide more accurate threat detection.
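To make the stateless/stateful distinction concrete, here is an added example (Python, not from the presentation) that runs the same constructed packet sequence through a stateless address/port filter and a minimal connection-tracking filter. The addresses and the TCP/502 (Modbus) conduit are assumptions for illustration. The stateless rule set has to permit PLC-sourced packets with source port 502 so that replies get back to the HMI, and that is exactly the hole an attacker on the PLC side uses: by choosing source port 502 for an unsolicited SYN to the HMI, the packet matches the reply rule. The stateful filter admits inbound packets only as part of a session the HMI opened, so the same packet is denied.

```python
"""Stateless filter beside a minimal stateful (connection-tracking) filter.
Added example (not from the presentation); addresses and the TCP/502 conduit are constructed."""
from dataclasses import dataclass

HMI = "10.2.0.50"   # hypothetical supervisory HMI
PLC = "10.2.1.10"   # hypothetical controller
ALLOWED_SERVER_PORT = 502

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def stateless_filter(pkt):
    """Per-packet decision from addresses and ports only.

    To let the PLC's replies through, a stateless rule set must also permit
    PLC-sourced packets with source port 502; any host holding the PLC's address
    can satisfy that rule simply by choosing its source port.
    """
    if pkt.src == HMI and pkt.dst == PLC and pkt.dport == ALLOWED_SERVER_PORT:
        return "allow"
    if pkt.src == PLC and pkt.sport == ALLOWED_SERVER_PORT and pkt.dst == HMI:
        return "allow"  # the "reply" rule
    return "deny"

class StatefulFilter:
    """Admits inbound packets only when they belong to a session the HMI opened."""

    def __init__(self):
        self.sessions = set()  # (client, client_port, server, server_port)

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"  # packet of an established, policy-approved session
        new_session = pkt.syn and not pkt.ack
        if new_session and pkt.src == HMI and pkt.dst == PLC and pkt.dport == ALLOWED_SERVER_PORT:
            self.sessions.add(forward)  # HMI-initiated session permitted by policy
            return "allow"
        return "deny"  # unsolicited traffic, including SYNs from the PLC side

def run_scenario():
    """Replay a constructed exchange through both filters; returns (label, stateless, stateful) rows."""
    stateful = StatefulFilter()
    packets = [
        ("HMI opens Modbus session", Packet(HMI, 40000, PLC, 502, syn=True)),
        ("PLC SYN/ACK reply", Packet(PLC, 502, HMI, 40000, syn=True, ack=True)),
        ("HMI read request", Packet(HMI, 40000, PLC, 502, ack=True)),
        ("PLC response", Packet(PLC, 502, HMI, 40000, ack=True)),
        # A compromised controller probes the HMI's SMB port, choosing source port 502
        # so that the stateless reply rule matches.
        ("PLC-side SYN to HMI:445 from sport 502", Packet(PLC, 502, HMI, 445, syn=True)),
        # A Level 4 desktop addressing the PLC directly: neither filter permits it.
        ("Level 4 desktop to PLC:502", Packet("10.4.1.77", 51000, PLC, 502, syn=True)),
    ]
    return [(label, stateless_filter(p), stateful.filter(p)) for label, p in packets]

if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:42} stateless={stateless:5} stateful={stateful}")
```

The fifth packet is the whole argument for stateful filtering in the control zone: both filters agree on the legitimate exchange and on the Level 4 desktop, but only the connection tracker rejects the PLC-side SYN, because no HMI-initiated session exists for it to belong to.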
Can We Use an IT Firewall in Our OT Environment?

Using IT Firewalls in OT Environments

Feasibility
IT firewalls can be used in OT settings but require careful configuration to meet OT-specific needs; lacking parsers for industrial protocols, they filter on addresses and ports rather than on Modbus or DNP3 function codes.

Challenges
Ensuring the firewall does not interfere with communication between devices and control systems, and does not degrade the performance or reliability of the OT environment (for example, aggressive session timeouts dropping long-lived polling connections).

Maintenance
Regular updates and proper management are essential to ensure ongoing effectiveness in OT environments.
Benefits of Using OT Firewalls

Enhanced Security: Protect critical infrastructure from cyber-physical attacks and industrial espionage.

Improved Reliability: Designed for low latency and high availability in real-time industrial control systems.

Compliance: Help meet standards and guidance such as NIST SP 800-82 (OT security guide) and SP 800-53 (security controls).

Ease of Use: User-friendly interfaces simplify security policy management and threat detection.
Key Features of Effective OT Firewalls

Deep Packet Inspection: Analyze industrial protocols for a detailed understanding of the traffic.

Intrusion Detection and Prevention: Identify and block malicious activities within OT networks.

Network Segmentation: Limit access between different parts of the industrial network.

Centralized Monitoring: Manage and control traffic from a single location for efficiency.
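Both the read-only historian traffic at the Level 3/Level 2 boundary and the deep packet inspection feature above require a firewall that looks past the TCP port into the industrial protocol. The following Python is an added example, not code from the presentation or any vendor; the source policy (historian may only read, engineering workstation may also write, nobody may run diagnostics) and the addresses are constructed. It parses the Modbus/TCP MBAP header and function code, drops malformed frames outright, and permits a function code only if the conduit policy grants it to that source.

```python
"""Protocol-aware filtering of Modbus/TCP by function code and source.
Added example (not from the presentation or any vendor); policy and addresses are constructed.
Framing follows the public Modbus/TCP specification: 7-byte MBAP header, then the PDU."""
import struct

# Public Modbus function codes grouped by what they do to the process.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 20}          # coils, discrete inputs, holding/input registers, exception status, file read
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}  # coil/register writes, file write, mask write, read/write multiple
MANAGEMENT_FUNCTIONS = {8, 43}                # diagnostics (restart comms, clear counters), encapsulated interface / device id

# Constructed conduit policy for the Level 3 -> Level 2 boundary.
SOURCE_POLICY = {
    "10.3.0.10": READ_FUNCTIONS,                    # historian: polling only
    "10.3.0.20": READ_FUNCTIONS | WRITE_FUNCTIONS,  # engineering workstation: may write, may not run diagnostics
}

def parse_modbus_tcp(payload):
    """Split a Modbus/TCP application payload into header fields and PDU.

    Raises ValueError on anything that is not a well-formed frame, so malformed
    or truncated data is dropped rather than passed through as 'unknown'.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0:
        raise ValueError(f"protocol id {protocol} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes present")
    return {"transaction": transaction, "unit": unit, "function": payload[7], "data": payload[8:]}

def inspect(src_ip, payload):
    """Decide allow/drop for one request from src_ip; returns (verdict, reason)."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    fc = frame["function"]
    if fc in SOURCE_POLICY.get(src_ip, set()):
        return "allow", f"function {fc} permitted for {src_ip} (unit {frame['unit']})"
    return "drop", f"function {fc} not permitted for {src_ip}"

def build_request(transaction, unit, function, data):
    """Assemble a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu

# Constructed sample requests.
READ_HOLDING = build_request(1, 1, 3, struct.pack(">HH", 0, 10))      # read 10 holding registers from address 0
WRITE_SINGLE = build_request(2, 1, 6, struct.pack(">HH", 1, 0x00FF))  # write 0x00FF to register 1
RESTART_COMMS = build_request(3, 1, 8, struct.pack(">HH", 1, 0))      # diagnostics sub-function 1: restart communications
BAD_LENGTH = struct.pack(">HHHB", 4, 0, 200, 1) + b"\x03\x00\x00\x00\x0a"  # length field claims 200 bytes
NOT_MODBUS = struct.pack(">HHHB", 5, 1, 6, 1) + b"\x03\x00\x00\x00\x0a"    # protocol id 1 on port 502

if __name__ == "__main__":
    for src, payload in [("10.3.0.10", READ_HOLDING), ("10.3.0.10", WRITE_SINGLE),
                         ("10.3.0.20", WRITE_SINGLE), ("10.3.0.20", RESTART_COMMS),
                         ("10.4.1.77", READ_HOLDING), ("10.3.0.10", BAD_LENGTH),
                         ("10.3.0.10", NOT_MODBUS)]:
        print(src, inspect(src, payload))
```

A port-only rule would pass every one of these requests except the one from the Level 4 desktop; the function-code check is what turns "historian may poll" into a policy the firewall can actually enforce. Dropping frames whose MBAP length does not match the bytes present matters as well: an inspector that skips malformed frames instead of dropping them can be bypassed with deliberately broken framing that the PLC happens to tolerate.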
Challenges in Implementing OT Firewalls

Network Mapping: Identifying and understanding the industrial control network is complex.

Legacy Compatibility: Ensuring firewalls work with older systems without disruption.

Minimizing Downtime: Implementing firewalls without affecting critical operations.

Training Personnel: Equipping staff to manage and maintain firewall systems effectively.
Active-Standby Firewall

Normal (Active) Operation:
• The client at [Link] sends traffic → switch → G0/0 on the Primary ASA.
• The firewall evaluates its rules, applies NAT if needed, and forwards out via G0/1 to the router → Internet.
• The Secondary ASA stays idle, continuously monitoring the Primary over the failover link.

Failure Detection:
• The failover link (G0/2) carries heartbeats and state synchronization.
• If the Secondary (Standby) ASA does not receive heartbeats within the timeout, it promotes itself to Active.

Failover Scenario:
• If the Primary ASA fails (hardware, link, or power), the Secondary ASA becomes Active.
• Because the Secondary takes over the Active unit's IP and MAC addresses, and connection state was already synchronized over the failover link, existing sessions continue without interruption.

This setup ensures high availability and continuous protection for industrial networks. The failover link is itself a trust relationship between the two units, so it should run over a dedicated, isolated connection rather than a shared network segment.
Security Monitoring and Logging in ICS
Security Monitoring: This is the continuous process of observing and analyzing the activities and
events occurring within an ICS environment to detect any signs of security incidents, anomalies, or
potential threats. It involves collecting data from various sources and looking for patterns or behaviors
that deviate from the established "normal."

Security Logging: This is the systematic recording of security-relevant events and activities within the
ICS. These logs serve as a historical record that can be used for various purposes, including:

Incident Analysis: Understanding what happened during a security incident, the scope of the
compromise, and the actions taken by attackers.
Forensics: Investigating security breaches to determine the root cause, timeline of events, and
the impact on the system.
Auditing: Reviewing system activity to ensure adherence to security policies and identify potential
vulnerabilities.
Troubleshooting: Diagnosing operational issues that might be related to security events or misconfigurations.
Key Aspects of Security Monitoring in ICS:
Network Monitoring: Analyzing network traffic for suspicious patterns, unauthorized
communication, and protocol anomalies specific to OT protocols (e.g., Modbus, DNP3, Profinet).

Endpoint Monitoring: Tracking activities on HMIs, engineering workstations, and other ICS
endpoints for malware, unauthorized software installations, and policy violations.

Security Device Monitoring: Collecting and analyzing logs from firewalls, intrusion
detection/prevention systems (IDS/IPS), and other security appliances deployed within the ICS
environment.

Physical Security Monitoring: Integrating data from physical access control systems and
surveillance to correlate cyber and physical security events.

Process Monitoring: Analyzing operational data and control system parameters for anomalies that
could indicate manipulation or disruption.
Key Aspects of Logging in ICS:
• Centralized Logging: Aggregating logs from various ICS components (e.g., PLCs, HMIs, servers, network devices) into a secure, centralized repository for analysis and correlation.
• Timestamping and Synchronization: Ensuring accurate and synchronized timestamps across all log sources for effective event correlation.
• Data Integrity: Protecting log data from tampering or unauthorized modification to maintain its forensic value.
• Secure Storage: Storing logs in a secure location with appropriate access controls and retention policies.
• Structured Logging: Implementing structured logging formats to facilitate efficient searching, filtering, and analysis of log data.
• Contextual Information: Ensuring log messages include sufficient context (e.g., source/destination IP addresses, usernames, process IDs) to aid in understanding events.
Network Packet Capturing and Event Logging in ICS/OT

Network packet capturing in Industrial Control Systems (ICS) is essential for security monitoring,
troubleshooting, and forensic analysis. It requires careful handling to avoid performance degradation or
system disruption in sensitive OT environments. Packet capturing intercepts and records network traffic,
providing detailed data such as IP addresses, protocols, port numbers, payloads, and timestamps.

This presentation explores methods of packet capturing, its use cases, event logging in ICS/OT, and the
role of Security Information and Event Management (SIEM) systems in enhancing operational security
and reliability.
Methods of Network Packet Capturing in ICS
SPAN Ports (Switched Port Analyzer): SPAN ports mirror traffic from one or more switch ports to a designated port for capturing. They are non-intrusive but can cause performance issues if overloaded, affecting real-time control operations.

Network TAPs (Test Access Points): TAPs are hardware devices inserted inline to passively copy traffic without altering signals or adding latency. Preferred for critical ICS environments, they require physical access and compatibility with the network media.

Software-Based Tools: Tools like Wireshark or tcpdump capture traffic on specific ICS endpoints. Use with caution due to potential performance impacts and security risks; best suited for troubleshooting individual devices.

Integrated Security Appliances: Industrial firewalls and IDS/IPS devices may have built-in capturing features. These simplify deployment but may limit capture detail and affect device performance or security functions.
Use Cases for Network Packet Capturing in ICS

Security Monitoring: Detect malicious activities, protocol anomalies, unauthorized commands, and indicators of compromise.

Troubleshooting: Identify network connectivity issues, latency, and errors in OT protocol exchanges.

Forensic Analysis: Investigate incidents to understand attack vectors and the actions taken, providing packet-level evidence.

Protocol Analysis: Analyze proprietary or uncommon OT protocols for better understanding and reverse engineering.
Event Logging in ICS/OT Environments
Event logging refers to the collection and storage of system-generated messages that report
activities, status changes, or alerts across various devices and systems in an OT environment.

In ICS/OT, logs are gathered from:

• PLCs (Programmable Logic Controllers)
• RTUs (Remote Terminal Units)
• SCADA (Supervisory Control and Data Acquisition) systems
• HMIs (Human-Machine Interfaces)
• Engineering workstations
• Firewalls and switches (e.g., ASA firewalls)
• Windows/Linux-based servers and historian databases
• Asset management and patching systems
Types of Events Typically Logged in ICS/OT
Category | Example Log Events
System Logs | OS start/stop, service failures, updates, hardware errors
Network Logs | Interface status changes, dropped packets, routing changes
Access Logs | User logins, failed login attempts, privilege escalations
Control Events | Operator actions like opening valves or stopping motors
PLC Program Changes | Uploads/downloads of ladder logic, configuration changes
Alarm Logs | Threshold breaches, equipment malfunctions, communication losses
Firewall/IDS Logs | Denied connections, protocol violation alerts, scanning behavior
Application Logs | SCADA errors, historian write failures, database rollbacks
Understanding SIEM in ICS/OT
Security Information and Event Management (SIEM) systems aggregate, parse, and analyze cyber and operational data for alerts, response, and reporting. They correlate diverse data sources to reduce alert fatigue and prioritize genuine threats.

SIEMs receive messages in formats like Syslog and Windows Event, enabling security teams to detect and manage threats effectively through automated and manual processes.
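As an added example of the logging points above (centralized collection, timestamp normalization, contextual fields) and of the correlation a SIEM performs over the event types in the table, the following Python (not from the presentation or any SIEM product) parses a handful of constructed key=value log lines from a Level 3/Level 2 firewall and two PLCs, normalizes their mixed time zones to UTC, and runs two detections: scanning behavior (one source denied to many distinct ports in a short window) and a PLC program download from a host that is not an engineering workstation or that falls outside the maintenance window. The hostnames, addresses, thresholds and the log layout are assumptions.

```python
"""Two detections run over constructed ICS/OT log lines, after timestamp normalization.
Added example (not from the presentation or any SIEM product); log lines, hosts, addresses,
thresholds and the key=value layout are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone, time

# Constructed log lines. The firewall logs in local time (+02:00) while the PLCs log in
# UTC ("Z"); correlating them is only possible after both are normalized to one clock.
SAMPLE_LOGS = """\
2024-05-01T10:00:01+02:00 fw-l3l2 action=deny proto=tcp src=10.4.1.77 sport=51234 dst=10.2.0.5 dport=22
2024-05-01T10:00:01+02:00 fw-l3l2 action=deny proto=tcp src=10.4.1.77 sport=51235 dst=10.2.0.5 dport=23
2024-05-01T10:00:02+02:00 fw-l3l2 action=deny proto=tcp src=10.4.1.77 sport=51236 dst=10.2.0.5 dport=80
2024-05-01T10:00:02+02:00 fw-l3l2 action=deny proto=tcp src=10.4.1.77 sport=51237 dst=10.2.0.5 dport=102
2024-05-01T10:00:03+02:00 fw-l3l2 action=deny proto=tcp src=10.4.1.77 sport=51238 dst=10.2.0.5 dport=502
2024-05-01T10:00:03+02:00 fw-l3l2 action=deny proto=tcp src=10.4.1.77 sport=51239 dst=10.2.0.5 dport=4840
2024-05-01T10:00:05+02:00 fw-l3l2 action=allow proto=tcp src=10.3.0.10 sport=40000 dst=10.2.0.5 dport=502
2024-05-01T08:00:30Z plc-07 event=program_download user=eng01 src=10.3.0.20 result=success
2024-05-01T23:14:02Z plc-12 event=program_download user=svc_backup src=10.4.1.77 result=success
"""

ENGINEERING_WORKSTATIONS = {"10.3.0.20"}        # constructed allow-list
MAINTENANCE_WINDOW = (time(6, 0), time(18, 0))  # UTC, constructed
SCAN_WINDOW = timedelta(seconds=60)
SCAN_DISTINCT_PORTS = 5

def parse_line(line):
    """Parse 'timestamp host k=v k=v ...' into a dict whose 'ts' is a UTC-aware datetime."""
    stamp, host, *fields = line.split()
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)
    event = {"ts": ts, "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def detect_scanning(events):
    """Alert when one source is denied to >= SCAN_DISTINCT_PORTS distinct ports within SCAN_WINDOW."""
    denies = defaultdict(list)
    for ev in events:
        if ev.get("action") == "deny" and "dport" in ev:
            denies[ev["src"]].append((ev["ts"], ev["dport"]))
    alerts = []
    for src, hits in denies.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= SCAN_WINDOW}
            if len(ports) >= SCAN_DISTINCT_PORTS:
                alerts.append({"type": "port_scan", "src": src, "ports": sorted(ports, key=int), "at": start})
                break
    return alerts

def detect_unauthorized_program_change(events):
    """Alert on PLC program downloads from non-engineering hosts or outside the maintenance window."""
    alerts = []
    for ev in events:
        if ev.get("event") != "program_download":
            continue
        reasons = []
        if ev.get("src") not in ENGINEERING_WORKSTATIONS:
            reasons.append("source is not an engineering workstation")
        if not MAINTENANCE_WINDOW[0] <= ev["ts"].time() <= MAINTENANCE_WINDOW[1]:
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append({"type": "plc_program_change", "host": ev["host"], "src": ev.get("src"),
                           "user": ev.get("user"), "reasons": reasons, "at": ev["ts"]})
    return alerts

def run(log_text=SAMPLE_LOGS):
    """Parse every non-empty line and return the combined alert list."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return detect_scanning(events) + detect_unauthorized_program_change(events)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The two alerts line up with two rows of the table above (Firewall/IDS Logs: scanning behavior; PLC Program Changes: downloads of logic). Neither is visible from a single line, which is the point of aggregating into one repository: the scan is six individually unremarkable denies, and the program download only looks wrong once the source address and the UTC time are both in the same record.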
Differences Between IT and OT SIEMs
While both IT and OT SIEMs aggregate and analyze data, their focus and priorities differ significantly. In OT, the emphasis is on safety, reliability, and availability, which requires specialized data and analysis capabilities.

Data: OT SIEMs ingest process data for deeper operational insight, unlike IT SIEMs.

Analysis: IT focuses on Confidentiality-Integrity-Availability; OT prioritizes Safety-Reliability-Productivity, requiring immediate action on process deviations.

Visibility: IT SIEMs are centrally monitored; OT requires on-site visibility for fast incident response.

ROI (Return on Investment): IT SIEMs reduce cyber risk; OT SIEMs additionally predict equipment failures and reduce downtime, saving operational costs.
Factors Driving the Need for OT SIEM

Process Complexity: Complex industrial processes require detailed OT SIEM data for risk analysis and response by experienced personnel.

Process Criticality: OT processes are vital; downtime from attacks or disruptions is costly, making monitoring essential.

Network Segmentation: Greater OT network separation increases SIEM value by empowering local operations personnel.

Compliance and Regulations: Industries like power require detailed OT data for cybersecurity regulations such as NERC CIP.
OT SIEM Use Cases and Cyber Threats

Predictive Maintenance: Monitor vibration and other data to detect anomalies early and schedule maintenance.

Asset Monitoring: Detect offline or rogue devices and monitor resource usage.

Security Alarms: Identify cyber threats, unauthorized access, and unexpected system behaviors.

Compliance: Meet regulatory requirements with detailed OT data and reporting.
Quiz: ICS Firewall Faceoff
Thank you!
