Operational Technology (OT) Networks are quite different in nature from ordinary enterprise networks resulting in unique requirements, priorities and security needs. This article will focus on the security aspect and in particular the type of Firewalls needed to satisfy the requirements. Let’s dig into the details…
A good place to start would be to explain the fundamental difference between a Stateful Firewall and a Stateless Firewall. Although it might be obvious and you already know it, I want to make sure we are on the same page before we get into more details. The main difference in function is the ability to identifying within a transaction between two parties, who has initiated the transaction and keep track of some history to that. Why would that matter? let’s take an example (a very simplified example):
An employee in a company HQ, using Google to search a topic, the request goes out to the google servers and the response comes back through the firewall. A stateful firewall is aware of a secure zone (The company HQ, in this case) and a non-secure zone (The Internet, in this example). It is also aware that the request for information has been intiated from the secure zone and seems safe to process, it keep track of and allow the response back when it arrives. Keep in mind that we have a two way conversation, with a request and response that is allowed as a result of passing the state test, the request was initiated from the secure zone. Now lets imagine the reverse process happening, google is trying to open an unsolicited session with your computer to grab a file. A stateful firewall would in such a case identify the communication request has been initiated from the non-secure zone and immediately block the transaction. Although the same two parties are involved, one transaction was allowed and the other was blocked, based on the state of the transaction. Quick conclusion, Stateful Firewalls are very powerful when you are communicating between secure and non-secure zones and care about the state
Lets take this example a step further and imagine three actors, HQ, a Branch Office and the Internet. In such case HQ communication to the Internet is same as above, Branch Office to the Internet is same as above as well. What is new here is Branch Office to HQ and/or HQ to Branch Office, this communication does not require stateful monitoring in a way because it is from a secure zone to a secure zone, regardless of who initiates the communications its safe to allow from a network perspective (in most cases). For this to function, we will either need to have a direct dedicated link between the offices or a carrier based Virtual Private Network (VPN) or a site-to-site tunnel (VPN) of a kind. What the dedicated or VPN connection will provide is an extension of the secure zone over a non-secure media so we can afford to care less about the state of communication (who initiated it) across company sites.
Lets now head back to the OT world and assume a Power Utility Network as an example. Same would go for a transportation network, water treatment network but for the sake of simplicity let’s pick one. A Power Transmission Network with 100 power substations and two control rooms. Typically the 100 substations network is totally isolated from the Internet, connecting to the control rooms, in most cases via direct fiber. Any communications to substations from the outside world, if at all allowed, will have to go through the control rooms.
Since control rooms have a connection to the enterprise network and/or, in some cases, the Internet, a stateful firewall would be required at this level as we have communication between secure (control room) and non-secure (the enterprise network and/or Internet) zones. Please note that the enterprise network is consider non-secure zone to the OT network. Now looking at the communication between the distributed substations (substation to substation if needed) and/or between any substation and control Rooms. In both of the two cases, it is a secure zone to secure zone communication where the state does not matter as we have learned, so no stateful firewall is needed or required at the substation level. Generally you would want to limit communications to the IP ranges used and protocols required including SCADA , Protection and Control protocols, yet its safe zone to safe zone so no stateful case can be made. Think of your substations and control room as HQ and Branch Offices, the difference here is that your substations don’t need to have a connection to the internet unless through the control room, again, if at all needed, but your branch offices do require a connection to the internet. In the odd case where your branch offices are connected to HQ through dark fiber and your branch offices connection to the internet is going through your HQ, the only place you would require a stateful firewall would be your HQ. In which case your IT network is converging to an OT like network in architecture! Unless this is the case, your branch offices will need a stateful firewall as you have communications to both secure and non-secure zones. Going back to our substation, we don’t need a connection to the Internet and we only need to talk to the control room and some other substation so we are happy to stay stateless!
Are there requirements that would make using standard stateful firewalls completely not feasible at a critical infrastructure site level? The answer to this is yes, there are industrial protocols that are not routable and mandate continuity of L2 across critical sites within the utility, which can’t be accommodated using standard stateful firewalls. A good example of this is the use of L2 GOOSE a component of the IEC-61850 standard. L2 GOOSE is a L2 multicast protocol in nature and can’t be routed. Being time sensitive also makes tunneling it over L3 not an option.
Is that it? No, there are cases where you will need a sateful firewall in the substation. A good example is if your infrastructure site has no direct dedicated fiber or microwave connection back to the control room. In such a case you may need to use cellular, carrier VPN or some other form of an Internet connection to connect the site back to the control room. This setup is pretty common with small remote sites, for which you would need a stateful firewall with VPN capabilities and you would build a secure VPN tunnel back to your control room.
Besides this all, there are other security requirements critical infrastructure sites mandate that you don’t necessary see in an enterprise world. Some of them is due to regulatory compliance requirements, which vary from industry to another, and others are just because of the critical nature of the sites and its high public health & safety impact which increases the sites security requirements. Those requirements are not the subject of this article and will be addressed in other articles to come. Some of those requirements need to be integrated into what I will take the liberty to so call Next Generation Industrial Firewall. Some of those requirements, as an example, is rule based dual factor authentication within the secure zone between individuals and assets at an IP/Port number level, a requirement generally currently existing stateful enterprise firewalls fail to address, as they are designed to operate between secure and non-secure zones while Industrial Firewalls are designed to enhance security within the same security zone, a total different animal!
What is next? There are already a number of versions of Industrial Firewalls out there. They vary in feature sets and their ability to facilitate compliance within certain environments and standards, yet there is plenty of room for improvement. InProgress Research Inc. is putting a significant amount of effort to specify what this new generation of firewalls should look like with the goal of identifying a complete feature set and specifications of a true Next Generation Industrial Firewall and working with our Network Partners and Security Partners to realize the concept for our critical infrastructure industries to enjoy.
OT network are quite different in architecture and hence security requirements. At the control room level you need a stateful firewall facing the enterprise and/or outside world with a DMZ for applications that need to be accessed by the outside world, metering is an example. At the infrastructure site level, a stateful firewall is mostly not required, a stateless Industrial firewall is what you would need with special futures that would help comply with strict critical infrastructure security requirements.
There are some exceptions to the general rule, an example would be if you don’t have direct dedicated fiber or microwave to the infrastructure site, in such a case you may be forced to use cellular or other form of an Internet connection, in which scenario, you would need to run a stateful firewall on the Internet connection with a VPN tunnel back to your control room. Another example is when you are using direct fiber yet part of it is not owned by your organization. In such a case, to avoid wiretapping, you would need to encrypt your traffic somehow before putting it on the fiber, I would look for a L2 encryption solution yet, a stateful firewall may not be either required or recommended.
Although there are a number of existing industrial firewalls and solutions out there, there is still quite a bit to be improved before we get to a version that would truly do the job.