Beyond the network firewall

Since many industrial devices are soft targets for hackers, placing smaller firewalls deeper in networks near PLCs or embedding them in such controllers is a practical way to add a higher level of protection.


Small Internet-connected devices control our factories, manage the power grid, dispense medicine via insulin pumps, and affect our everyday lives in countless ways. Yet many embedded device developers do not include a firewall to protect their devices from cyber attacks, believing their devices are somehow immune from attacks and that a firewall is not needed.

Some of the PLCs shown above are better protected than others. PLC 1 is wide open to attacks via the Internet, but PLC 2 and 3 have local defenses against invasion. PLC 4, 5, and 6 are behind the enterprise firewall, but attacks can come through other dev

The majority of control system devices, conventional and embedded, developed in the last few years have an Ethernet network interface that can connect to the Internet. Some include password protection and perhaps encrypted protocols such as SSH or SSL (TLS), but these are not enough: they authenticate and encrypt a session once it is established, and do nothing to stop an attacker from reaching the service in the first place, guessing credentials, or flooding the device with connection attempts. Some devices don't even include these simple protections and are shipped with user names or passwords that cannot be changed. If these approaches provided sufficient protection, we would not be reading about security breaches in the media. Older systems are even more vulnerable. Their original designs often assumed they were part of a closed or isolated network and omitted security, but many are now connected to a more open network with no protection. The perception of what represents sufficient security for small, embedded devices is outdated and needs to change.

Real-world threats and solutions

Frequently engineers assume hackers will not target devices deep within industrial networks, claiming criminals are only interested in attacking PCs and enterprise networks. However, you don’t have to look very hard to find recent reports of attacks against control devices in industrial applications that prove this is simply not true. Many industrial PLCs, PACs, and other control devices are very soft targets, and if they can be reached from the outside through their networks, a hacker can cause all sorts of trouble.

Industrial networking and embedded device engineers can take a page from IT security's playbook and employ a multilayered security strategy using strategically placed firewalls and encryption protocols. A firewall provides a critical layer of security for such devices alongside authentication and encryption, blocking the attacks that authentication and encryption can't: unsolicited connections, login floods, and packet floods that never need a valid credential to do damage. A firewall for these devices must be efficient, consuming minimal system resources, and scalable to a wide range of devices, from small 8-bit systems running a minimal or no operating system to a sophisticated multicore system running a commercial RTOS (real-time operating system). Desktop firewalls used with office IT systems do not meet these needs. Windows- and Linux-based firewalls, while effective, are large and not easily portable to embedded devices or those distributed around an industrial environment. They also typically include filtering that is not relevant for such devices.

Network firewalls help, but—

Network or enterprise firewalls are used to isolate private networks from the Internet. All traffic between computers inside the network and the Internet must pass through the firewall. It is configured with communication policies to protect the machines inside the network from attacks originating from the Internet. Firewall policies control the protocols, ports, and IP addresses allowed to pass through. Network firewalls may also perform deep packet inspection to block viruses and malware targeting Windows systems. Properly configured, they can provide an effective layer of defense against hackers, DoS (denial of service) attacks, viruses, and malware.

However, network firewalls are designed to provide protection for the entire network. As such, they are configured with policies that make sense for the network as a whole. The communication requirements for an individual controller or other embedded device farther down in a network are frequently very specific, with only a few protocols and ports supported and often with a limited number of IP addresses communicating with the device. A firewall embedded in the device or adjacent to it provides protection at the device level with policies specifically configured for that device, allowing much tighter control. 

Attacks can also originate from within a network. The network firewall never sees these, and without a device-level firewall, devices on the network are exposed to them. Such attacks can be launched by insiders, carried by traffic the network firewall was configured to permit, or delivered over a path that bypasses the firewall entirely. Stuxnet, for example, attacked machines on a private network after infiltrating the network via USB flash drives.

To go a step farther, the assumption that a controller or other embedded device will always be deployed behind a network firewall should also be carefully examined (see diagram). Networks evolve over time, firewalls can be compromised by hackers, and the manner in which these devices are deployed changes. Is it really possible to be absolutely certain that an embedded device will always be deployed behind a network firewall? And even if the device is behind a network firewall, do you want to trust the firewall as the main and perhaps only line of defense?

Device-level firewalls

A firewall embedded in a control device, or a separate firewall appliance connected to the controller, enforces a set of policies designed to create a safe zone in which the device may operate. Embedded firewalls are becoming more common as growing numbers of manufacturers understand the need for this type of protection. Firewall policies govern the allowable protocols and ports, which hosts may communicate with the device, and which of those may initiate communication with it. Such firewalls are integrated directly with the TCP/IP stack of the device and filter packets at the IP layer. They block unwanted packets, unfriendly login attempts, and DoS attacks before the application or its authentication code ever sees the traffic.

One or more strategies are used to enforce firewall policies. Common filtering methods are:

  • Rules-based filtering: Compares each packet to a set of preset static rules determining if the packet is blocked or allowed. All decisions are made based on the information in the packet.
  • Stateful packet inspection (SPI): Maintains information regarding the state of each connection and uses that information when making filtering decisions.
  • Threshold-based filtering: Maintains statistics on received packets and monitors threshold crossings to detect packet floods and DoS attacks.

Rules-based filtering enforces policies by blocking unused protocols, closing unused ports, and enforcing IP address whitelists and blacklists. For some devices, rules-based filtering is all that’s required. Consider a hacker trying to reach and manipulate a pump controller from outside via the Internet. In normal operation, that pump controller would only have reason to communicate with a small set of known IP addresses. A rules-based firewall configured with a trusted list of IP addresses would block this attack.

Other devices require more open communication. A printer typically needs to accept print jobs from any IP address. Rules-based filtering can still be used to block unused ports and protocols, but SPI or threshold-based filtering are desirable for additional protection.

SPI provides protection against packets whose TCP state information is inconsistent with any connection the device knows about, for example an ACK or FIN that belongs to no established connection, which port scanners and stack-confusion attacks rely on. SPI can also be used to create a lockdown mode in which all connections must originate from the embedded device: inbound connection attempts are refused outright, while replies to the device's own connections still pass.

Threshold-based filtering is more complex and requires more processing time and memory than static rules, but provides a powerful tool for detecting packet floods and DoS attacks. The thresholds must be set against the device's normal traffic profile; set too low, a legitimate burst of polling from a SCADA master looks like a flood and gets dropped.
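The following C is an added example written for this page; it is not code from the article, from Icon Labs' Floodgate, or from any other product. It shows how the three methods above combine in one device-level filter that sits between an IP stack's receive path and its TCP/UDP dispatch: a SYN-rate threshold runs first because it is the cheapest test, a small connection table gives stateful inspection (and the lockdown mode), and a default-deny static rule set admits everything else. The hook names fw_inbound() and fw_outbound(), the pkt_t field layout, and the Modbus/TCP pump-controller policy in main() are assumptions; a real port would take the header fields from the stack.

```c
/* Added example (not from the article or any vendor product): a minimal
 * device-level packet filter combining static rules, stateful inspection and
 * threshold-based flood detection. The hook names, pkt_t layout and policy
 * values are assumptions; a real port takes the fields from the IP stack. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define TCP_SYN   0x02
#define TCP_ACK   0x10
#define MAX_CONNS 8

/* Header fields the IP stack has already parsed (host byte order). */
typedef struct {
    uint32_t remote_ip;
    uint16_t remote_port, local_port;
    uint8_t  proto, tcp_flags;   /* tcp_flags is 0 for UDP */
    uint32_t now_ms;             /* arrival time from the device timer */
} pkt_t;

/* Static allow rule: proto to local_port (0 = any) from net/mask. */
typedef struct { uint32_t net, mask; uint8_t proto; uint16_t local_port; } rule_t;

/* One tracked TCP flow; teardown on FIN/RST and idle timeouts are omitted. */
typedef struct { uint32_t remote_ip; uint16_t remote_port, local_port; bool used; } conn_t;

typedef struct {
    const rule_t *rules;
    size_t nrules;
    conn_t conns[MAX_CONNS];
    bool lockdown;                 /* refuse every inbound connection attempt */
    uint32_t syn_window_ms, syn_limit, syn_window_start, syn_count;
    uint32_t flood_events;         /* counter an operator can read or alarm on */
} fw_t;

enum verdict { FW_ALLOW, FW_DROP_RULE, FW_DROP_STATE, FW_DROP_LOCKDOWN, FW_DROP_FLOOD };

static bool rule_match(const rule_t *r, const pkt_t *p) {
    return r->proto == p->proto
        && (r->local_port == 0 || r->local_port == p->local_port)
        && (p->remote_ip & r->mask) == (r->net & r->mask);
}

static conn_t *conn_find(fw_t *fw, const pkt_t *p) {
    for (size_t i = 0; i < MAX_CONNS; i++) {
        conn_t *c = &fw->conns[i];
        if (c->used && c->remote_ip == p->remote_ip &&
            c->remote_port == p->remote_port && c->local_port == p->local_port)
            return c;
    }
    return NULL;
}

static bool conn_add(fw_t *fw, const pkt_t *p) {
    for (size_t i = 0; i < MAX_CONNS; i++)
        if (!fw->conns[i].used) {
            fw->conns[i] = (conn_t){ p->remote_ip, p->remote_port, p->local_port, true };
            return true;
        }
    return false;   /* table full: one more reason a flood must be shed early */
}

/* Sliding-window counter: true once more than syn_limit SYNs land in a window. */
static bool syn_flood(fw_t *fw, uint32_t now) {
    if (now - fw->syn_window_start >= fw->syn_window_ms) {
        fw->syn_window_start = now;
        fw->syn_count = 0;
    }
    return ++fw->syn_count > fw->syn_limit;
}

/* Stack calls this when the device itself opens a connection (sends a SYN),
 * so that the replies pass the stateful check without needing a static rule. */
bool fw_outbound(fw_t *fw, const pkt_t *p) {
    if (p->proto != PROTO_TCP || !(p->tcp_flags & TCP_SYN)) return true;
    return conn_find(fw, p) != NULL || conn_add(fw, p);
}

/* Stack calls this on every received packet before TCP/UDP dispatch. */
enum verdict fw_inbound(fw_t *fw, const pkt_t *p) {
    if (p->proto == PROTO_TCP) {
        bool new_conn = (p->tcp_flags & TCP_SYN) && !(p->tcp_flags & TCP_ACK);
        if (!new_conn) {
            /* Stateful check: only traffic on a known flow gets through. */
            return conn_find(fw, p) ? FW_ALLOW : FW_DROP_STATE;
        }
        /* Threshold check first: cheapest test, sheds a flood before any lookup. */
        if (syn_flood(fw, p->now_ms)) { fw->flood_events++; return FW_DROP_FLOOD; }
        if (fw->lockdown) return FW_DROP_LOCKDOWN;
    }
    /* Rules-based check, default deny: a new TCP connection or any UDP datagram
     * passes only if an explicit rule admits it. */
    for (size_t i = 0; i < fw->nrules; i++)
        if (rule_match(&fw->rules[i], p))
            return (p->proto == PROTO_TCP && !conn_add(fw, p)) ? FW_DROP_STATE : FW_ALLOW;
    return FW_DROP_RULE;
}

int main(void) {
    /* Constructed policy for a pump controller: Modbus/TCP (502) only from the
     * 10.0.0.0/24 control network, at most three new connections per second. */
    static const rule_t rules[] = { { 0x0A000000u, 0xFFFFFF00u, PROTO_TCP, 502 } };
    fw_t fw = { .rules = rules, .nrules = 1, .syn_window_ms = 1000, .syn_limit = 3 };
    pkt_t from_hmi = { 0x0A000005u, 40000, 502, PROTO_TCP, TCP_SYN, 100 };  /* 10.0.0.5 */
    pkt_t from_net = { 0xC0A80105u, 40000, 502, PROTO_TCP, TCP_SYN, 100 };  /* 192.168.1.5 */
    printf("HMI SYN verdict %d, outside SYN verdict %d\n",
           fw_inbound(&fw, &from_hmi), fw_inbound(&fw, &from_net));
    return 0;
}
```

The order of the checks is the point: the flood counter costs one subtraction and one increment per SYN, so it runs before the connection-table scan and the rule walk and protects those from being the thing an attacker exhausts. A rule with mask 0 (any source) covers the "printer" case from the text, where the port is open to everyone but stray packets with no connection behind them are still dropped by the stateful check. Connection teardown, idle timeouts and per-source counters are left out to keep the block short; a production filter needs all three.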

Devices such as Icon Labs’ Floodgate are available that make it easy and affordable to add an embedded firewall to virtually any controller or embedded device. These are designed for the specific requirements of device-level applications and can provide static filtering, threshold-based filtering, and SPI to protect embedded devices from Internet-based threats. Floodgate has a small footprint, low CPU processing requirements, and is easily integrated with any embedded IP stack.

Hackers are actively targeting embedded devices. News articles recently reported attacks against thermostats, car computer systems, medical devices, and SCADA systems. The question really should be, "Why wouldn't I include a firewall?"

David West is vice president of engineering at Icon Labs. Reach him at 

Key concepts:

  • Many industrial devices buried deep within industrial networks have become targets for hackers.
  • Expectations that these devices are safe thanks to obscurity have proven to be false.
  • Small device-level firewalls can be configured to provide protection specifically for these devices. 
