Tripp Lite EVMAGU23X NEW Eaton G4 Universal-Input Managed PDU, 208V and 415/240V, 42 Outlets, Input Cable Sold Separately, 72-Inch 0U Vertical

Eaton G4 Gigabit Network Module GNM Firmware User Guide - Page 158

For EVMAGU23X NEW.

Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module – 158
5.1.6 Designing for the threat vectors
5.1.6.1 Firewalls
Firewalls provide the capability to add stringent and multifaceted rules for communication between various network segments and
zones in an ICS network. They can be configured to block data from certain segments, while allowing the relevant and necessary
data through. A thorough understanding of the devices, applications, and services that are in a network will guide the appropriate
deployment and configuration of firewalls in a network. Typical types of firewalls that can be deployed in a network include:
• Packet filter or boundary firewalls that work on the network layer
  These firewalls mainly operate at the network layer, using pre-established rules based on port numbers and protocols to
  analyze the packets going into or out of a separated network. They either permit or deny passage based on these rules.
• Host firewalls
  These firewalls are software firewall solutions that protect ports and services on devices. Host firewalls can apply rules that
  track, allow, or deny incoming and outgoing traffic on the device and are mainly found on mobile devices, laptops, and
  desktops that can be easily connected to an ICS.
• Application-level proxy firewalls
  These firewalls are highly secure firewall protection methods that hide and protect individual devices and computers in a
  control network. These firewalls communicate at the application layer and can provide better inspection capabilities. Because
  they collect extensive log data, application-level proxy firewalls can negatively impact the performance of an ICS network.
• Stateful inspection firewalls
  These firewalls work at the network, session, and application layers of the Open Systems Interconnection (OSI) model. Stateful
  inspection firewalls are more secure than packet filter firewalls because they only allow packets belonging to allowed
  sessions. These firewalls can authenticate users when a session is established and analyze packets to determine whether they
  contain the expected payload type or enforce constraints at the application layer.
• SCADA hardware firewalls
  These are hardware-based firewalls that provide defense for an ICS based on observing abnormal behavior on a device within
  the control network. For example, if an operator station computer suddenly attempts to program a PLC, this activity could be
  blocked and an alarm could be raised to prevent serious risk to the system.
5.1.6.2 Demilitarized zones (DMZ)
Network segmentation is a key consideration in establishing secure control networks. Firewalls should be used to create a DMZ by
grouping critical components and isolating them from the traditional business IT network. A three-tier architecture should be
employed at a minimum, with a DMZ between the organization’s core network and an isolated control system’s network, as shown
in the figure below.
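One way to check a firewall rule set against the three-tier layout described above, as an added example that is not taken from the Eaton guide: it flags every allow rule that lets the core network and the control network talk directly instead of through the DMZ. The zone addresses, rule names, and rule tuple format are constructed for illustration, and rule ordering (first match) is not modelled.

```python
import ipaddress

# Assumed zone layout for the three-tier architecture (constructed addresses).
ZONES = {
    "core": ipaddress.ip_network("10.10.0.0/16"),     # business IT network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),      # intermediary hosts
    "control": ipaddress.ip_network("10.30.0.0/24"),  # isolated control network
}

# Constructed sample rules: (name, source CIDR, destination CIDR, port, action).
RULES = [
    ("it-to-dmz-https", "10.10.0.0/16", "10.20.0.10/32", 443, "allow"),
    ("dmz-to-nmm-https", "10.20.0.10/32", "10.30.0.5/32", 443, "allow"),
    ("legacy-any-https", "0.0.0.0/0", "10.30.0.0/24", 443, "allow"),
    ("admin-pc-to-nmm", "10.10.4.7/32", "10.30.0.5/32", 22, "allow"),
    ("core-to-control-deny", "10.10.0.0/16", "10.30.0.0/24", 0, "deny"),
]


def zones_touched(cidr):
    """Return every zone that the CIDR overlaps (a broad CIDR can span several)."""
    net = ipaddress.ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def dmz_bypasses(rules):
    """Return names of allow rules that let core and control talk directly."""
    findings = []
    for name, src, dst, _port, action in rules:
        if action != "allow":
            continue
        src_zones, dst_zones = zones_touched(src), zones_touched(dst)
        core_to_control = "core" in src_zones and "control" in dst_zones
        control_to_core = "control" in src_zones and "core" in dst_zones
        if core_to_control or control_to_core:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for rule_name in dmz_bypasses(RULES):
        print("bypasses DMZ:", rule_name)
```

The overly broad `0.0.0.0/0` source is reported because it includes the core network, which is the kind of rule that quietly collapses the DMZ tier.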