Industrial cybersecurity requires playing defence

How to protect assets from cyberthreats in the age of IIoT

Image: Moxa industrial firewalls. Caption: A firewall is an access control device that looks at data and compares it with preconfigured policy rules to decide whether to allow, deny, or take some other action on the information. (Image credit: Moxa)

In the Industrial Internet of Things (IIoT) era, previously unconnected systems now are connected by private and public networks so we can gain more insights into operations and improve productivity. The downside of this greater connectivity, however, is that industrial networks are no longer immune to cyberthreats.

Generally speaking, two methods are available for implementing industrial cybersecurity:

  • Secure the foundation of the network infrastructure and allow only authorized traffic to flow to the designated areas.
  • Identify critical assets and apply layered protection.

Secure industrial routers and firewalls are essential to both of these methodologies because they are deployed at the front lines to prevent unauthorized access and traffic to industrial networks.

Choosing Secure Routers and Firewalls

Industrial control systems can apply a defence-in-depth approach to protect critical equipment and secure various locations, device cells, function zones, and factory sites on an automation network.

Defence-in-depth cybersecurity includes three types of controls: physical, technical, and administrative.

First, implement physical controls by segmenting the network and creating boundaries between each segment. Next, apply technical controls by securing network traffic and filtering data packets. Last, enhance administrative security by managing IP addresses and adopting strong security policies.

Secure routers and firewalls provide an excellent way to achieve defence-in-depth cybersecurity on your network, but how do you choose the right router or firewall for your industrial application? Consider the following three criteria.

1. Add firewalls without changing your network. Network segmentation involves breaking down the network into physical or logical zones with industrial firewalls. A firewall is an access control device that looks at the IP packet; compares the packet with preconfigured policy rules; and decides whether to allow, deny, or take some other action on the packet.

Firewalls typically are either routed or transparent, and the type that you need depends on the requirements of your application. Unlike routed firewalls, transparent firewalls allow you to keep the same subnet so that you can easily add firewalls to an existing network.

With transparent firewalls, you also do not need to change network topology. Transparent firewalls are suitable for protecting critical devices and equipment inside a control network where network traffic is exchanged within a single subnet. Furthermore, you do not need to reconfigure IP subnets, because transparent firewalls do not participate in the routing process.

Image: Moxa VPN. Caption: To secure the transmission of confidential data, consider using a virtual private network (VPN). (Image credit: Moxa)

2. Detect threats and protect critical data. Firewalls are akin to gatekeepers. Unfortunately, determined intruders may still be able to get through the gates on a segmented network. That’s why you need to constantly check the traffic that passes through the gates you have established.

One way to achieve this is to filter out unwanted commands, such as write and configure commands, which could cause industrial processes to fail when they are needed or unnecessarily trigger a safe state during production.

It is important for secure industrial routers and firewalls to support industrial protocol filtering at the command level (read, write) for more fine-grained whitelisting control. To secure the transmission of confidential data, consider building secure tunnels for site-to-site communications. Communications over public or untrusted networks require encrypted data transmission, so under such circumstances consider VPN capability when choosing secure industrial routers and firewalls.
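As an added illustration of command-level protocol filtering (example code written for this page, not Moxa's firmware), the following Python filter parses a Modbus/TCP request, classifies its function code as read or write, and applies a read-only or read-write policy. Modbus is assumed as the industrial protocol; the frames are constructed samples, not captured traffic, and anything malformed or unrecognized is denied so the filter fails closed.

```python
import struct
from typing import Tuple

# Public Modbus function codes, grouped by their effect on the process.
READ_CODES = {0x01, 0x02, 0x03, 0x04}          # read coils / inputs / registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x17}   # write coils / registers (0x17 also writes)


def parse_modbus_tcp(payload: bytes) -> Tuple[int, int]:
    """Return (unit_id, function_code) from a Modbus/TCP request.

    Raises ValueError for anything that is not a well-formed frame so the
    caller can fail closed instead of guessing what the command was.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts the unit id and PDU, i.e. everything after byte 6
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return unit, payload[7]


def filter_modbus(payload: bytes, allow_writes: bool) -> Tuple[str, str]:
    """Decide allow/deny for one request under a read-only or read-write policy."""
    try:
        unit, fc = parse_modbus_tcp(payload)
    except ValueError as err:
        return "deny", f"malformed frame: {err}"
    if fc in READ_CODES:
        return "allow", f"read function 0x{fc:02X} to unit {unit}"
    if fc in WRITE_CODES:
        if allow_writes:
            return "allow", f"write function 0x{fc:02X} to unit {unit}"
        return "deny", f"write function 0x{fc:02X} blocked by read-only policy"
    # Diagnostics, vendor-specific and unknown codes are not whitelisted
    return "deny", f"function 0x{fc:02X} not on whitelist"


# Constructed sample frames (MBAP header + PDU), not captured traffic
READ_HOLDING = bytes.fromhex("00010000000601030000000A")        # FC 0x03, 10 registers
WRITE_SINGLE = bytes.fromhex("000200000006010600100001")        # FC 0x06, reg 0x10 := 1
WRITE_MULTI = bytes.fromhex("00030000000B0110000000020400010002")  # FC 0x10, 2 regs
TRUNCATED = bytes.fromhex("00040000000601")                     # cut before function code

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_SINGLE),
                        ("multi", WRITE_MULTI), ("truncated", TRUNCATED)]:
        print(name, filter_modbus(frame, allow_writes=False))
```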

3. Get firewalls and networks under control. In industrial applications, hundreds or thousands of firewalls can be installed to control data traffic and protect equipment from malicious attacks.

As networks continue to expand, managing all of the devices, firewall rules, and IP addresses becomes more complicated. Network address translation (NAT) provides a very important function when deploying secure industrial routers and firewalls. NAT allows identical machine IP address schemes to be reused on the same network, and lets multiple devices connect to the internet through a smaller number of IP addresses.

This not only significantly reduces maintenance efforts and administrative overhead, but also provides simple network segmentation. In addition, it enhances security for private networks by keeping internal addressing private from the external network.

Finding the right secure router and firewall for an application brings you to the halfway mark in successfully beefing up industrial network security. A highly integrated, industrial, multiport secure router with firewall/NAT/VPN and managed Layer 2 switch functions provides everything that is needed. Nevertheless, whatever system you ultimately choose, it should fit your specific application requirements.

Alvis Chen is global marketing, integrated marketing project manager for Moxa, 601 Valencia Ave., Suite 100, Brea, Calif. 92823, 714-528-6777,

