Beyond the network firewall

Since many industrial devices are soft targets for hackers, placing smaller firewalls deeper in networks near PLCs or embedding them in such controllers is a practical way to add a higher level of protection.


Small Internet-connected devices control our factories, manage the power grid, dispense medicine via insulin pumps, and affect our everyday lives in countless ways. Yet many embedded device developers do not include a firewall to protect their devices from cyber attacks, believing their devices are somehow immune from attacks and that a firewall is not needed.

Some of the PLCs shown above are better protected than others. PLC 1 is wide open to attacks via the Internet, but PLC 2 and 3 have local defenses against invasion. PLC 4, 5, and 6 are behind the enterprise firewall, but attacks can come through other dev

The majority of control system devices, conventional and embedded, developed in the last few years have an Ethernet network interface that can connect to the Internet. Some include password protection and perhaps encrypted protocols such as SSH or SSL, but these are not enough. Some devices don’t even include these simple protections and are supplied with user names or passwords that cannot be changed. If these approaches provided sufficient protection, we would not be reading about security breaches in the media. Older systems are even more vulnerable. Their original designs often assumed they were part of a closed or isolated network and omitted security, but many are now connected to a more open network with no protection. The perception of what represents sufficient security for small, embedded devices is outdated and needs to change. 

Real-world threats and solutions

Frequently engineers assume hackers will not target devices deep within industrial networks, claiming criminals are only interested in attacking PCs and enterprise networks. However, you don’t have to look very hard to find recent reports of attacks against control devices in industrial applications that prove this is simply not true. Many industrial PLCs, PACs, and other control devices are very soft targets, and if they can be reached from the outside through their networks, a hacker can cause all sorts of trouble.

Industrial networking and embedded device engineers can take a page from IT security’s playbook and employ a multilayered security strategy using strategically placed firewalls and encryption protocols. A firewall provides a critical layer of security for such devices alongside authentication and encryption, blocking attacks that authentication and encryption can’t. A firewall must be efficient, consuming minimal system resources, and scalable to a wide range of devices, from small 8-bit systems running a minimal or no operating system to sophisticated multicore systems running a commercial RTOS (real-time operating system). Desktop firewalls used with office IT systems do not meet the needs of these devices. Windows- and Linux-based firewalls, while effective, are large and not easily portable to embedded devices or those distributed around an industrial environment. They also typically include filtering that is not relevant for such devices.

Network firewalls help, but—

Network or enterprise firewalls are used to isolate private networks from the Internet. All traffic between computers inside the network and the Internet must pass through the firewall. It is configured with communication policies to protect the machines inside the network from attacks originating from the Internet. Firewall policies control the protocols, ports, and IP addresses allowed to pass through. Network firewalls may also perform deep packet inspection to block viruses and malware targeting Windows systems. Properly configured, they can provide an effective layer of defense against hackers, DoS (denial of service) attacks, viruses, and malware.

However, network firewalls are designed to provide protection for the entire network. As such, they are configured with policies that make sense for the network as a whole. The communication requirements for an individual controller or other embedded device farther down in a network are frequently very specific, with only a few protocols and ports supported and often with a limited number of IP addresses communicating with the device. A firewall embedded in the device or adjacent to it provides protection at the device level with policies specifically configured for that device, allowing much tighter control. 

Attacks can also originate from within a network. The network firewall does not see these attacks, so without an embedded firewall, devices on the network are exposed to them. They can be launched by insiders, or arrive in traffic the network firewall did not block or that bypassed it entirely. Stuxnet, for example, attacked machines on a private network after infiltrating the network via USB flash drives.

To go a step further, the assumption that a controller or other embedded device will always be deployed behind a network firewall should also be carefully examined (see diagram). Networks evolve over time, firewalls can be compromised by hackers, and the manner in which these devices are deployed changes. Is it really possible to be absolutely certain that an embedded device will always be deployed behind a network firewall? And even if the device is behind a network firewall, do you want to trust the firewall as the main and perhaps only line of defense?

Device-level firewalls

A firewall embedded in a control device, or a separate firewall appliance connected to the controller, enforces a set of policies designed to create a safe zone where the device may operate. Embedded firewalls are becoming more common as growing numbers of manufacturers understand the need for this type of protection. Firewall policies govern the allowable protocols and ports, which hosts may communicate with the device, and which hosts may initiate communication with it. Such firewalls are integrated directly with the TCP/IP stack of the device and filter packets at the IP protocol layer. They block unwanted packets, unfriendly login attempts, and DoS attacks before authentication is allowed to begin.

One or more strategies are used to enforce firewall policies. Common filtering methods are:

  • Rules-based filtering: Compares each packet to a set of preset static rules determining if the packet is blocked or allowed. All decisions are made based on the information in the packet.
  • Stateful packet inspection (SPI): Maintains information regarding the state of each connection and uses that information when making filtering decisions.
  • Threshold-based filtering: Maintains statistics on received packets and monitors threshold crossings to detect packet floods and DoS attacks.

Rules-based filtering enforces policies by blocking unused protocols, closing unused ports, and enforcing IP address whitelists and blacklists. For some devices, rules-based filtering is all that’s required. Consider a hacker trying to reach and manipulate a pump controller from outside via the Internet. In normal operation, that pump controller would only have reason to communicate with a small set of known IP addresses. A rules-based firewall configured with a trusted list of IP addresses would block this attack.

Other devices require more open communication. A printer typically needs to accept print jobs from any IP address. Rules-based filtering can still be used to block unused ports and protocols, but SPI or threshold-based filtering are desirable for additional protection.

SPI provides protection against packets received with invalid TCP state information, a common web-based attack. SPI can also be used to create a lockdown mode where all connections must originate from the embedded device.

Threshold-based filtering is more complex and requires significant system processing time and memory, but provides a powerful tool for detecting packet floods and DoS attacks.
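As an added example (not code from the article or from Icon Labs’ Floodgate), here is a minimal device-level filter in C that applies the three methods above to one inbound packet: a rate threshold first, then static rules, then stateful checks including the lockdown mode described earlier. The trusted addresses, the single service port 502 and the 100-packets-per-second limit are constructed sample values.

```c
/* Hypothetical device-level packet filter; not Icon Labs Floodgate.
 * All addresses, ports and limits are constructed sample values. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define PROTO_TCP   6
#define TCP_FIN     0x01
#define TCP_SYN     0x02
#define TCP_ACK     0x10
#define FLOOD_LIMIT 100   /* max packets accepted in one one-second window */

struct pkt { uint32_t src_ip; uint8_t proto; uint16_t dst_port; uint8_t tcp_flags; };

/* Rules-based policy: the trusted peers and the one service port this device exposes. */
static const uint32_t trusted_ips[] = { 0x0A000005u, 0x0A000006u }; /* 10.0.0.5, 10.0.0.6 */
static const uint16_t allowed_port = 502;
static bool lockdown = false;   /* SPI lockdown: only device-initiated connections */

/* Threshold state: packets seen in the current one-second window. */
static uint32_t window_start = 0, window_count = 0;

enum verdict { ALLOW = 0, DROP_RULE, DROP_STATE, DROP_FLOOD };

enum verdict fw_check(const struct pkt *p, uint32_t now)
{
    /* 1. Threshold-based filtering: count every packet, drop once the rate crosses the limit. */
    if (now != window_start) { window_start = now; window_count = 0; }
    if (++window_count > FLOOD_LIMIT) return DROP_FLOOD;

    /* 2. Rules-based filtering: decisions made from the packet alone (trusted source, protocol, port). */
    bool trusted = false;
    for (size_t i = 0; i < sizeof trusted_ips / sizeof trusted_ips[0]; i++)
        if (p->src_ip == trusted_ips[i]) trusted = true;
    if (!trusted || p->proto != PROTO_TCP || p->dst_port != allowed_port) return DROP_RULE;

    /* 3. Stateful inspection: reject an impossible flag combination (SYN+FIN), and in lockdown
     *    mode reject any connection attempt from outside (SYN without ACK). */
    bool syn = p->tcp_flags & TCP_SYN, ack = p->tcp_flags & TCP_ACK, fin = p->tcp_flags & TCP_FIN;
    if (syn && fin) return DROP_STATE;
    if (lockdown && syn && !ack) return DROP_STATE;
    return ALLOW;
}

void fw_set_lockdown(bool on) { lockdown = on; }
void fw_reset(void) { window_start = window_count = 0; lockdown = false; }
```

The verdict names make the drop reason available to the device’s logging, which is what a practitioner would use to spot flood attempts or unexpected peers.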

Devices such as Icon Labs’ Floodgate are available that make it easy and affordable to add an embedded firewall to virtually any controller or embedded device. These are designed for the specific requirements of device-level applications and can provide static filtering, threshold-based filtering, and SPI to protect embedded devices from Internet-based threats. Floodgate has a small footprint, low CPU processing requirements, and is easily integrated with any embedded IP stack.

Hackers are actively targeting embedded devices. News articles recently reported attacks against thermostats, car computer systems, medical devices, and SCADA systems. The question really should be, “Why wouldn’t I include a firewall?”

David West is vice president of engineering at Icon Labs. Reach him at 

Key concepts:

  • Many industrial devices buried deep within industrial networks have become targets for hackers.
  • Expectations that these devices are safe thanks to obscurity have proven to be false.
  • Small device-level firewalls can be configured to provide protection specifically for these devices. 
