Building a Resilient World:

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

Common ICS Cybersecurity Myth #3: The Unbreachable Firewall

Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity. Catch up on the series if you're interested:

Now, let's dive in.

ICS Cybersecurity Myth #3

ICS is protected from cyberattacks because there is a firewall between the ICS network and other networks

ICS security is largely dependent on the effectiveness of the network design and firewall to prevent unauthorized access. To provide defense in depth, a firewall can be used to separate different layers of an ICS network (i.e., the HMI-level LAN from the ICS DMZ from the enterprise network).

Busting ICS Cybersecurity Myth #3

No doubt that a firewall and a demilitarized zone (DMZ) network architecture are a must to protect ICS networks from unauthorized access. However, this protection is only as good as the firewall policy (rules) and the security of the firewall itself.

A good firewall policy requires precise planning, accurate workflow, and continuous monitoring of any changes to the policy, network design, and firewall configurations. Any misconfiguration of the firewall/rules will result in a false sense of security and allow unauthorized access to the ICS network.

Gartner predicted that 99 percent of firewall breaches would be caused by firewall misconfigurations in 2020. Another study reported that open firewall rules ("Any-Any" rule that allows any traffic) are a major problem, and one out of five firewalls has one or more configuration issues.

While the firewall is an important ICS protection, it can only defend against attacks initiated outside the protected ICS network. Also, a simple firewall cannot protect against attacks that use already-allowed protocols/access. To defend against these attacks, an intrusion detection system (IDS) capability is required.

To combat malware introduced from USB devices, transient systems (mobile laptop), dialup, and other control network components, ICS must incorporate other system-level measures such as whitelisting, hardening, or host-based controls.

Next Steps

  1. Periodically review firewall rules/policies and fix any misconfigurations and remove unnecessary rules. If possible, automate detection of changes to firewall rules and  configurations.
  2. Access rules should be based on zero trust/least access and should be necessary for system functionality and/or business needs.
  3. Route all connections to the ICS networkincluding vendor remote access and dialupthrough the firewall, with no connections circumventing it.
  4. Where feasible, the ICS network should be segmented into security zones for granular access and defense in depth strategy.
  5. Multiple DMZs, or security zones, should be created for separate functionalities and access privileges, such as peer connections, the data historian, the OPC server or ICCP server in SCADA systems, the security servers, replicated servers, and development servers.

Stay tuned for the next part in this series, in which we break down Myth #4: the belief that serial communication (non-routable) between the control center and remote sites provides immunity from cyberattacks.

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Sanjay Chhillar
Sanjay Chhillar
Sanjay Chhillar is the head of OT/ICS Cybersecurity Practice at Siemens UK & Ireland.

Related Posts

White Paper Excerpt: Implementing an IACS Cybersecurity Program

ISA/IEC 62443 provides a powerful tool to reduce the risk of financial, reputational, human, and environm...
Gary Rathwell Jan 11, 2022 5:30:00 AM

LOGIIC Endorses ISA Industrial Control Systems Cybersecurity Training

ICS Cybersecurity Training for Remote Staff In late 2019, LOGIIC (Linking the Oil and Gas Industry to Imp...
Brian Peterson Jan 4, 2022 5:30:00 AM

Automation Systems Cybersecurity: From Standards to Practices

From first steps to a sustained response. Improving the state of cybersecurity in critical infrastructure...
Eric Cosman Dec 28, 2021 5:30:00 AM