Designing For The Threat Vectors; Firewalls; Demilitarized Zones (DMZ) - Eaton Network-M2 User Manual

UPS network management card
4.1.6 Designing for the threat vectors

Firewalls

Firewalls provide the capability to add stringent and multifaceted rules for communication between various
network segments and zones in an ICS network. They can be configured to block data from certain
segments, while allowing the relevant and necessary data through. A thorough understanding of the devices,
applications, and services that are in a network will guide the appropriate deployment and configuration of
firewalls in a network. Typical types of firewalls that can be deployed in a network include:
• Packet filter or boundary firewalls
These firewalls operate mainly at the network layer, using pre-established rules based on port numbers
and protocols to analyze the packets going into or out of a separated network. They either permit or deny
passage based on those rules.
• Host firewalls
These are software firewalls that protect the ports and services on a single device. Host firewalls can
apply rules that track, allow, or deny incoming and outgoing traffic on the device, and are mainly found on
mobile devices, laptops, and desktops that can easily be connected to an ICS.
• Application-level proxy firewalls
These firewalls are a highly secure protection method that hides and protects individual devices and
computers in a control network. They communicate at the application layer and can provide better
inspection capabilities. Because they collect extensive log data, application-level proxy firewalls can
negatively affect the performance of an ICS network.
• Stateful inspection firewalls
These firewalls work at the network, session, and application layers of the Open Systems Interconnection
(OSI) model. Stateful inspection firewalls are more secure than packet filter firewalls because they only
allow packets that belong to permitted sessions. They can authenticate users when a session is
established, and can analyze a packet to determine whether it contains the expected payload type or to
enforce constraints at the application layer.
• SCADA hardware firewalls
These are hardware-based firewalls that defend an ICS by observing abnormal behavior on a device within
the control network. For example, if an operator station computer suddenly attempts to program a PLC,
this activity could be blocked and an alarm raised to prevent serious risk to the system.

Demilitarized zones (DMZ)

Network segmentation is a key consideration in establishing secure control networks. Firewalls should be
used to create DMZs by grouping critical components and isolating them from the traditional business IT
network. A three-tier architecture should be employed at a minimum, with a DMZ between the organization's
core network and an isolated control system network, as shown in the figure below.
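The following Python model is an added example, not Eaton's code or a Network-M2 feature. It ties together the two points above: the difference between a packet filter that judges each packet alone and a stateful inspection firewall that only passes packets belonging to permitted sessions, and the three-tier layout in which business traffic may reach the DMZ, only the DMZ may reach the control network, and business-to-control traffic is never allowed directly. The zone address ranges, the DMZ historian and PLC addresses, the rule table and the packet trace are all constructed for illustration; Modbus/TCP on port 502 is the one real protocol assumption.

```python
"""Zone-based packet filter vs stateful inspection model (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed three-tier topology: business IT, DMZ, control network (constructed ranges).
ZONES = {
    "business": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "control": ip_network("10.3.0.0/24"),
}

# Permitted session initiations: (src zone, dst zone, proto, dst port).
# Nothing else is allowed, so business -> control can never be opened directly.
RULES = [
    ("business", "dmz", "tcp", 443),  # workstations reach the DMZ historian's HTTPS UI
    ("dmz", "control", "tcp", 502),   # only the DMZ historian polls PLCs over Modbus/TCP
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def stateless_decision(pkt: Packet) -> str:
    """Packet filter: each packet is judged alone by zones, protocol and port."""
    key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport)
    return "allow" if key in RULES else "deny"


class StatefulFirewall:
    """Stateful inspection: a packet passes only if it opens a permitted session
    or belongs to a session already recorded in the state table."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def decision(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"  # either direction of an established session
        if pkt.syn and stateless_decision(pkt) == "allow":
            self.sessions.add(fwd)  # permitted initiation: remember the session
            return "allow"
        return "deny"  # unsolicited packet, even when the port alone would match a rule


def run_trace(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]


# Constructed trace through the three tiers.
SAMPLE = [
    Packet("10.1.5.7", 50000, "10.2.0.10", 443, "tcp", syn=True),   # business opens HTTPS to DMZ
    Packet("10.2.0.10", 443, "10.1.5.7", 50000, "tcp"),             # DMZ reply on that session
    Packet("10.2.0.10", 40000, "10.3.0.20", 502, "tcp", syn=True),  # historian polls a PLC
    Packet("10.1.5.7", 50001, "10.3.0.20", 502, "tcp", syn=True),   # business -> PLC directly
    Packet("10.2.0.99", 41000, "10.3.0.20", 502, "tcp"),            # mid-stream packet, no session
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, run_trace(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"packet filter={stateless:5}  stateful={stateful}")
```

Two rows of the trace carry the lesson. The DMZ reply to the business workstation is dropped by the packet filter (no rule covers that direction) but passed by the stateful firewall because it belongs to a recorded session; the packet-filter would need a standing return rule that also admits unsolicited traffic. Conversely, the final packet to the PLC's Modbus port is accepted by the packet filter purely on port and zone, while the stateful firewall rejects it because no permitted session was ever opened.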
Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module  –  73
